Evabalilk.com


Confidentiality, integrity, availability and what it means to you

Confidentiality

Confidentiality is ensuring that information is accessible only to those authorized to have access, regardless of where the information is stored or how it is accessed. Each employee within an organization has a responsibility to maintain the confidentiality of the information entrusted to them for job performance and this responsibility should be reinforced through awareness. An awareness training program should address, at a minimum, the following confidentiality issues to ensure that an acceptable level of awareness is imparted to the organization’s employees.

A. Access control

Access control is any mechanism used to control what resources a user can access and the tasks that can be performed with the accessed resources. Passwords and biometrics are two access control methods that can be used individually or in combination to limit access to resources.

B. Passwords

Passwords and their safekeeping are a critical element of system and network security and are of key interest to hackers. An intruder in the physical area of the organization can search under keyboards and in drawers for passwords that have been written down and then use them to gain access to private information. Password protection can be enhanced with additional security measures such as smart cards and biometric identification systems. Employees should be instructed on password creation and best management practices.

C. Biometrics

Biometric technology can identify people based on the physical characteristics of parts of the human body. The main biometric technologies in use are retinal scanning, facial recognition, voice recognition, and fingerprint scanning. A user requesting access submits a sample and it is compared against a database to match access permissions. Biometric information is difficult to duplicate and, when used in conjunction with other access methods such as passwords and badges, creates a very good defense against unauthorized access to organization resources.

D. Encryption

Encryption is any process that converts readable data (plaintext) into secret code (ciphertext) to prevent unauthorized disclosure of information. It can be used in Internet, email, and wireless network transactions. An encryption algorithm is a mathematical procedure that scrambles information to make it unreadable to unauthorized persons. Encryption has become the foundation for protecting networks, communications systems, and online transactions. Employees should use encryption whenever possible to ensure security.

E. Privacy

Privacy is preventing confidential or personal information from being viewed by unauthorized parties and controlling its collection, use, and distribution. The terms privacy and confidentiality can be used interchangeably. Maintaining privacy is essential to prevent unauthorized disclosure that can lead to identity theft or other problems.

F. Ethics

Employees must receive clear instructions, through policies, on what the organization considers acceptable behavior and must also be informed of the processes established to clarify ethical concerns and disclose unethical activities.

Data integrity

Data integrity is defined as safeguarding the accuracy and integrity of information and processing methods from intentional, unauthorized, or accidental changes. Maintaining data integrity is essential for the privacy, security, and reliability of business data. Data integrity can be compromised by malicious users, hackers, software bugs, computer virus infections, hardware component failures, and human error when entering or transferring data. Mitigating data integrity risks can enable rapid data recovery. Employees can mitigate risk through regular data backups and secure off-site storage of backup media, integrity monitoring tools, and encryption.

A. Configuration management

Configuration or change management is a process for introducing changes to an information technology environment. Changes to an environment can introduce new vulnerabilities and, through the configuration management process, changes can be implemented in a documented, systematic, monitored, and reversible way. Formalized configuration management processes must be implemented by organizations and followed by employees.

B. Configuration audit

The configuration audit involves verifying that only approved changes have been made to the systems. The audit also verifies that employees are complying with configuration management procedures and that all settings are documented. Auditing, which actively monitors systems and records changes so that they can be reconciled with configuration management documentation, can be performed manually or automated using specialized systems.
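The reconciliation step of an automated configuration audit can be sketched as follows. This is an added example, not part of the original article: it hashes a configuration tree before and after a change window and sorts every difference into approved, unapproved, or pending, using constructed file names, contents and change records.

```python
import hashlib
import tempfile
from pathlib import Path


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def snapshot(root: Path) -> dict:
    """Map each file under root (relative path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): digest(p.read_bytes())
            for p in root.rglob("*") if p.is_file()}


def audit(baseline: dict, current: dict, approved: dict) -> dict:
    """Reconcile on-disk changes with change records (path -> expected digest)."""
    report = {"approved": [], "unapproved": [], "pending": []}
    for path in sorted(set(baseline) | set(current) | set(approved)):
        before, after = baseline.get(path), current.get(path)
        if before == after:
            # Nothing changed on disk; a record expecting a change is still open.
            if path in approved and approved[path] != after:
                report["pending"].append(path)
        elif path in approved and approved[path] == after:
            report["approved"].append(path)
        else:
            # Changed, added or removed with no record, or not as approved.
            report["unapproved"].append(path)
    return report


def demo() -> dict:
    """Constructed sample: a small configuration tree and two change records."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sshd_config").write_bytes(b"PermitRootLogin no\n")
        (root / "ntp.conf").write_bytes(b"server time.example.org\n")
        (root / "sudoers").write_bytes(b"%admin ALL=(ALL) ALL\n")
        baseline = snapshot(root)
        new_ntp = b"server time2.example.org\n"
        approved = {"ntp.conf": digest(new_ntp), "sudoers": digest(b"%ops ALL=(ALL) ALL\n")}
        (root / "ntp.conf").write_bytes(new_ntp)                      # has a record
        (root / "sshd_config").write_bytes(b"PermitRootLogin yes\n")  # no record
        (root / "cron.allow").write_bytes(b"backup\n")                # no record
        return audit(baseline, snapshot(root), approved)


if __name__ == "__main__":
    print(demo())
```

A change record whose expected digest is `None` approves the removal of that file; anything listed under `unapproved` is what the auditor follows up on.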

Availability

Availability ensures that authorized users have access to information and associated assets when required. This can be accomplished using data backup plans, disaster recovery plans, and business continuity / recovery plans. Employees must be trained in their responsibilities when it comes to data backup, disaster recovery, and business continuity.

A. Data backup plan

Data backup is an essential part of information security and an organization must be able to restore data in the event of data corruption or hardware failure. Backups need to be done on a regular basis, and the frequency depends on how much data an organization is willing to lose in the event of loss (recovery point objective). Backup media should be stored in a secure location, possibly off-site, that is not exposed to the same hazards as primary data. Backups should also be periodically restored to test systems to ensure the process is working properly and within the specified time frame (recovery time objective) before the need for backup actually arises.

B. Disaster Recovery Plan (DRP)

A DRP is a plan used to recover quickly after a disaster with minimal impact to the organization. Planning for disaster recovery should be part of the initial stage of IT systems implementation. DR plans are developed in response to risk assessments and are designed to mitigate those risks. Risk assessments determine the frequency and extent of potential disasters; this will allow an organization to decide which technologies to implement to achieve an appropriate level of recovery. External audits can be valuable in uncovering deficiencies, although an organization’s DRP can never be fully tested until disaster actually strikes.

C. Business continuity plan or business recovery plan

The business continuity plan (BCP), sometimes referred to as a business recovery plan (BRP), is an essential part of a disaster recovery plan. This is a plan that outlines, step by step, how to continue or resume normal business activities quickly and methodically after a disaster strikes. The BCP must also identify the employees responsible for implementing the various components of the plan, and these employees must be given clear instructions about their responsibilities in the event of a disaster. The plan should be reviewed periodically to ensure that any changes to business processes are reflected in the BCP.
