Principles of Information Security

Information Security has three basic principles commonly referred to as the CIA Triad of Information Security (i.e. Confidentiality, Integrity and Availability). These principles include standards, conventions and mechanisms that form the basis for defining and implementing security controls and practices.

In addition to the base principles (i.e. confidentiality, availability and integrity), there are the few additional principles which are more related to the technological and process controls that could be deployed to achieve the desired level of Information Security. Following paragraphs detail the base as well as additional principles which assist in effective management of Information Security:

Confidentiality

Providing the framework to restrict data/information access, Confidentiality refers to protection of information from disclosure to or interception by unauthorized individuals. The concept of Data / Information Privacy stems out from the Confidentiality Principle.

Simple question to be answered for Confidentiality Part is – “Is the Person Accessing Data/Information the right person to do so?”

Integrity

Providing the framework for Data / Information accuracy and completeness, Integrity refers to the Quality of Data / Information. Integrity ensures that information once recorded and approved cannot be modified in an unauthorized manner through improper channels.

The focus is more so on the accuracy and completeness a the consequences of using inaccurate information could result in inaccurate / inadequate inputs for decision making purpose.

Availability

Providing the framework to the timeliness and extent of Data /Information availability to the users, Availability refers to the continuity of services and controls for the reachability of the users to the required Data / Information.

Availability also encompasses the technical deployment i.e. – networked machines and other aspects of the technology infrastructure.

Authentication

Authentication refers to the mechanism deployed to ensure that the person trying to access the Data / Information is the right person to do so. It involves the Identification step and can be called as the Gate Keeper Stage for Data / Information Access.

Authorization

Authorization refers to the mechanism deployed to control the kind of access a user gets on the Data / Information and the systems as deployed to store, process and transmit the Data / Information.Its a usual practice to define the Authorization levels as per the roles and responsibilities of the authenticated user.

Accountability

Accountability refers to the mechanism deployed to ensure that the ownership of actions carried out by a user while dealing with Data / Information could be ascertained and that the users are made responsible for the overall Security of the Data / Information.

Auditability

Auditability refers to the system controls that would ensure that the System has a mechanism to record the user actions and assist in establishing the accountability of the user. The Auditability feature is vital during troubleshooting exercises.

Assurance

Assurance highlights the need of ensuring that the interest of the various parties involved in the are safeguarded. Assurance of Data / Information Security is required from the perspective of the various stack holds including Governmental / Law enforcement Agencies, Investors, Management, Employees etc.

Awareness

Last but not the least, Awareness is still not a much stressed principle. Awareness about the Policies/Procedures/Process/Guidelines/Organizational Operating Procedures etc, provides for the mechanism of trained and efficient users, to support the Effective Processes and Procedures.