The NIST Computer Security Handbook defines computer security as the protection afforded to an automated information system to attain the objectives of preserving the integrity, availability, and confidentiality of information system resources, which include hardware, software, firmware, information, data, and telecommunications.
This definition introduces three key objectives at the heart of computer security:
- Confidentiality: This term covers two related concepts:
  - Data confidentiality: Ensures that private or confidential information is not disclosed to unauthorized individuals.
  - Privacy: Ensures that individuals control or influence what information related to them is collected, stored, and disclosed, including who has access to such information.
- Integrity: This term covers two related concepts:
  - Data integrity: Ensures that information and programs are changed only in specified and authorized ways.
  - System integrity: Ensures that a system performs its intended function without being impaired by unauthorized manipulation.
- Availability: Ensures that systems operate promptly and that service is not denied to authorized users.
These three concepts form what is often referred to as the CIA triad. They represent the fundamental security objectives for data and for information and computing services. For example, the NIST Standards for Security Categorization of Federal Information and Information Systems (FIPS 199) lists confidentiality, integrity, and availability as the three security objectives for information and information systems. FIPS 199 provides a useful characterization of these objectives in terms of the requirement each imposes and of what a loss of security in each category means:
- Confidentiality: Preserves authorized restrictions on information access and disclosure. A loss of confidentiality means unauthorized disclosure of information.
- Integrity: Guards against improper information modification or destruction, including ensuring information non-repudiation and authenticity. A loss of integrity represents unauthorized modification or destruction of information.
- Availability: Ensures timely and reliable access to and use of information. A loss of availability means disrupted access to or use of information or an information system.
While the CIA triad is well established in defining security objectives, additional concepts are sometimes needed for a complete picture:
- Authenticity: The quality of being genuine and verifiable. This includes confidence in the validity of a transmission, a message, or a message originator.
- Accountability: Creates the requirement that the actions of an entity be traceable uniquely to that entity. This supports non-repudiation, deterrence, fault isolation, intrusion detection and prevention, after-action recovery, and legal action.
Because truly secure systems are not yet achievable, tracing security breaches to a responsible party is crucial. Systems must keep records of their activities to allow forensic analysis to trace breaches or assist in transaction disputes.
Examples
We now provide examples illustrating these security requirements, using three levels of impact on organizations or individuals should a security breach occur (i.e., a loss of confidentiality, integrity, or availability), as defined in FIPS 199:
- Low: The loss could have a limited adverse effect, causing, for example, a noticeable degradation in mission capability, minor damage to assets, minor financial loss, or minor harm to individuals.
- Moderate: The loss could have a serious adverse effect, causing significant degradation in mission capability, significant damage to assets, or substantial financial loss or harm to individuals without life-threatening injuries.
- High: The loss could have a severe or catastrophic adverse effect, causing a severe degradation in mission capability, major damage to assets, large financial loss, or catastrophic harm to individuals, potentially resulting in loss of life or serious injuries.
- Confidentiality: Student grade information is a highly confidential asset whose release is regulated by the Family Educational Rights and Privacy Act. It should be accessible only to students, their parents, and authorized employees. In contrast, student enrollment information may receive a moderate confidentiality rating since it is less likely to be targeted and its disclosure causes less damage. Directory information is typically public and may have a low or no confidentiality rating.
- Integrity: Consider a hospital patient’s allergy information stored in a database. It must be trusted as correct and current to avoid harm. If an authorized user deliberately falsifies the data, the database must quickly be restored to a trusted state, with the ability to trace the error. This information has a high integrity requirement due to the potential for harm. In contrast, a Web forum for discussion may have a moderate integrity requirement, where falsifications cause less severe damage.
- Availability: Critical components or services demand high availability. For instance, a system providing authentication services for critical applications needs to ensure uninterrupted access to prevent financial loss and maintain productivity. A public university website might have a moderate availability requirement; its unavailability causes embarrassment but not critical dysfunction. An online telephone directory lookup application represents a low availability requirement, as other means to access the data are available.
These examples illustrate the requirements for confidentiality, integrity, and availability and highlight the importance of addressing each aspect to ensure comprehensive information security.
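The impact levels and examples above are the inputs to a FIPS 199 security categorization. FIPS 199 writes a category as SC = {(confidentiality, impact), (integrity, impact), (availability, impact)} and, for a system that processes several information types, assigns each objective the highest value any of those types carries (the "high water mark"); the value "not applicable" is allowed only for the confidentiality of an information type, never for a system. The following Python is an added example, not code from the text, that encodes that procedure and runs it over the examples above. Only the objective each example actually discusses is taken from the text; the other two values in each category, and the system groupings, are constructed assumptions for illustration.

```python
"""FIPS 199 security categorization with the high-water-mark rule (added example)."""
from dataclasses import dataclass
from enum import IntEnum


class Impact(IntEnum):
    """FIPS 199 potential impact values, ordered so max() yields the high water mark."""
    NOT_APPLICABLE = 0  # permitted only for the confidentiality of an information type
    LOW = 1
    MODERATE = 2
    HIGH = 3


@dataclass(frozen=True)
class SecurityCategory:
    confidentiality: Impact
    integrity: Impact
    availability: Impact

    def overall(self) -> Impact:
        """Single impact level for the category: the highest of the three objectives."""
        return max(self.confidentiality, self.integrity, self.availability)

    def __str__(self) -> str:
        return ("SC = {(confidentiality, %s), (integrity, %s), (availability, %s)}"
                % (self.confidentiality.name, self.integrity.name, self.availability.name))


def validate_information_type(sc: SecurityCategory) -> None:
    """Reject categories that use NOT_APPLICABLE for integrity or availability."""
    if Impact.NOT_APPLICABLE in (sc.integrity, sc.availability):
        raise ValueError("integrity and availability must be rated at least LOW")


def categorize_system(info_types: dict[str, SecurityCategory]) -> SecurityCategory:
    """Apply the FIPS 199 high-water-mark rule across all information types a system
    processes. Each system objective takes the highest value assigned to it by any type,
    and a system-level objective is never NOT_APPLICABLE, so LOW is the floor."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    for sc in info_types.values():
        validate_information_type(sc)

    def high_water_mark(pick):
        return max(max(pick(sc) for sc in info_types.values()), Impact.LOW)

    return SecurityCategory(
        confidentiality=high_water_mark(lambda sc: sc.confidentiality),
        integrity=high_water_mark(lambda sc: sc.integrity),
        availability=high_water_mark(lambda sc: sc.availability),
    )


# Constructed sample input. The rating of the objective each example discusses in the
# text is kept (grades: HIGH confidentiality; enrollment: MODERATE confidentiality;
# directory: none; website: MODERATE availability); every other value is an assumption.
STUDENT_RECORDS_SYSTEM = {
    "student grades": SecurityCategory(Impact.HIGH, Impact.MODERATE, Impact.LOW),
    "enrollment records": SecurityCategory(Impact.MODERATE, Impact.MODERATE, Impact.LOW),
    "directory information": SecurityCategory(Impact.NOT_APPLICABLE, Impact.LOW, Impact.LOW),
}

PUBLIC_WEBSITE = {
    "university home page": SecurityCategory(Impact.NOT_APPLICABLE, Impact.MODERATE, Impact.MODERATE),
}


if __name__ == "__main__":
    for name, system in (("student records system", STUDENT_RECORDS_SYSTEM),
                         ("public website", PUBLIC_WEBSITE)):
        sc = categorize_system(system)
        print(f"{name}: {sc} -> overall {sc.overall().name}")
```

The point the example makes that the text only implies: one HIGH information type (here, grades) pulls the confidentiality of the whole hosting system up to HIGH, so the controls chosen for that system must match the most sensitive data it touches, not the average; and the purely public website still ends up with LOW confidentiality rather than "not applicable" once it is treated as a system.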