Information Security Protection Goals

Threats to Information Security

Before we look in detail at the protection goals of information security, let’s address the question of what threats exist to information in companies and their systems. From an ISACA study, the top 10 technology risks were evaluated by experts from large companies. These are shown in the figure below.

Top 10 der Technologie Risiken According to ISACA

Protection Goals according to ISO/IEC 27001

The concept of information security is the subject of the ISO/IEC 27000 series. In the main document of ISO/IEC 27001, information security is defined by the IT protection goals confidentiality, integrity and availability. Other factors that can also be part of information security according to ISO/IEC 27000 are authenticity, accountability, non-repudiation and reliability.

Core Protection Goals of Information Security

i. CONFIDENTIALITY

The protection goal of confidentiality refers to the protection against the leakage of information or confidential data. This includes, for example, turnover or sales figures, key marketing figures, research and development results, etc., which could be of interest to competitors. According to the BSI, confidentiality is breached when confidential information is accessed or disclosed without authorization. Confidentiality is therefore intertwined with the concept of authenticity. The interlocking of confidentiality and authenticity is expressed by the fact that it must be ensured by defining authorizations and controls that unauthorized users are not allowed to obtain knowledge of confidential information.

ii. INTEGRITY

The German Federal Office for Information Security defines the protection goal of integrity in basic IT protection as the functioning of IT systems without exception and the completeness and correctness of data and information. If we relate the protection goal to information security, integrity means preventing unauthorized changes to important information. Manipulative changes, such as inserting or deleting characters, changing an arrangement of data or files, or duplicating information, lead to the violation of this protection goal. Through (additional) attributes, such as author, date of setting, date of the change, etc., changes to the information can be traced. Falsified data leads to errors in the company, which can quickly cause major damage (financial and/or reputational). These manifest themselves, for example, through incorrect bookings, incorrect deliveries, or faulty products.

iii. AVAILABILITY

The protection goal of availability is met when IT systems, IT applications, IT networks or electronic information are available to a user (e.g., employees or customers). Availability is used as a measure to describe the performance that an IT system must deliver at a given time. A breach of availability becomes noticeable when, for example, data or information (e.g. invoices, customer data, marketing data, etc.) is not retrieved from the computer (PC, laptop, smartphone, etc.) or financial transactions are not carried out. A variety of other impact scenarios are conceivable depending on the business process: Online purchases can no longer be processed, machinery or entire production facilities fail. These examples show that a breach of availability can lead to high financial damage for a company as well as damage to its reputation.

CIA Triad

Combining the protection goals of confidentiality, integrity and availability forms the InfoSec CIA triad.

Beyond InfoSec CIA Triad

Beyond the InfoSec CIA triad, people have been extending the basic principles with additional security concepts like: non-repudiation, awareness, privacy, risk, traceability, etc. These concepts are sometimes added as additional attributes. Next, we discuss some of these attributes.

  • Liability/Non-Repudiation: This goal involves ensuring that a message sent must be verifiable and provable. More precisely, this means that communication cannot be subsequently denied to third parties by one of the subjects involved. This goal is particularly important for service providers.
  • Accountability: This refers to protection against intentional or unintentional disruptions, for example, due to attacks or even force majeure. It is associated with control activities securing the architecture, its processes and reducing overall complexity. Regular controls ensure that all security measures (both technical and operational) are working as intended to protect the system and the information processed within it.

Protection Requirement Categories for Classification of Security Requirements

The need for the protection of an asset with regard to a protection goal is based on the extent of the damage in the event of a breach. The extent of the damage cannot be determined exactly in advance. As an alternative, it is often recommended to define protection requirement categories, which allow for classification of the impact of damage in the event of a breach of the respective protection goal. The German Cyber Security Authority for instances names the following three protection requirement categories:

  • high: The damage effects can be considerable.
  • very high: The damage effects can reach an existentially threatening, catastrophic extent.
  • impairment of the right to informational self-determination,
  • impairment of personal integrity,
  • impairments of the performance of tasks,
  • negative internal or external impact, or financial impact.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
SRC - Security, Risk, Compliance

SRC - Security, Risk, Compliance

Beratung, um Security, Risk und Compliance bei Ihnen als Enabler für das Business zu etablieren.