There are three basic principles to consider when deciding how to provide access to sensitive data in a secure manner, namely: Confidentiality, Integrity, and Availability. These principals are collectively known as the CIA triad.
Confidentiality
The level of confidentiality will naturally determine the level of availability for certain data. Confidentiality is a question of how, and where, the data can be accessed. To ensure confidentiality, one must safeguard the data using encryption as well as protect the physical network and storage devices. However, it’s not only attackers monitoring the network for sensitive information that we need to be concerned about, we also need to watch out for ‘social engineering attacks. Social engineering attacks are when a user is deceived and manipulated in a way that encourages them to hand over certain sensitive information. Such attacks are becoming increasingly more common, and increasingly more sophisticated. Since such attacks are based on erroneous human actions, they are not easy to monitor and prevent. Training must be provided which ensures that staff members are vigilant and able to identify such attacks.
Integrity
Data has integrity if it is accurate and reliable. To maintain the integrity of the data, we need to focus on both the ‘contamination’ and ‘interference’ of the data – or in other words – the data that is stored on disk, and the data that is transmitted. While we are often made aware of the existence of certain viruses circulating the web, it is often the case whereby a disgruntled or troublesome employee – such as a programmer – installs a back door, leaving the data open to attack. Network monitoring, encryption, and strict access controls can be used to protect against these kinds of attacks. The integrity of the data can also be compromised in various non-malicious ways, such as incorrectly entering data or using the wrong applications to edit the data. The system should be set up to check against such eventualities and alert the users accordingly. Encryption techniques can also be used to ensure that information isn’t being tampered with during transit.
Availability
There are many factors that may affect the availability of your system, such as faulty or mismanaged network devices, network congestion, configuration changes, power outages, denial of service (DoS), as well as various environmental factors such as fires, hurricanes, etc. According to the University of Michigan, 23 percent of total network downtime is attributed to router failure, which is often the result of configuration changes. Availability of information doesn’t necessarily imply that all information must be available on request. If you are frequently storing large amounts of data, you may not have sufficient storage space and may be required to utilize an offline storage unit.
Since the CIA triad is used to define which data is confidential, how that data can be accessed without compromising its integrity, and whether the data is available to those who are permitted to access the data, it is obviously important to ensure that a well-considered privacy policy is put in place.