03 August 2555 BE (2012)

How to keep your information truly secure?

Most of the time when we talk about information security, people have a variety of perceptions. Many terms may come to mind, such as anti-virus, malware protection, data encryption, firewalls and so on. Can those things help keep your information secure? Maybe, maybe not. Unless you know the basics of information security governance, they may be useless in some ways.
In information security governance there are three fundamental concepts that make up the C-I-A triad: confidentiality, integrity and availability. As the word triad suggests, these three fundamentals come together.

Confidentiality is about keeping information accessible only to those who need to know. If the information is your personal data, confidentiality is also called privacy. Personal data most commonly refers to personally identifiable information, which includes names, addresses, citizen identification (for Thailand), birth date, contact information and financial or medical data. Revealing your personal data to the public or to persons who should not know it may lead you into trouble or danger.

There was a case in which a thief stole the victim's credit card statement, used the victim's personal data found on the Internet, then called the credit card call center to change the billing address. After that, the thief called again to have the credit card reissued and used the new card without the victim noticing. Even though this trick is known and guarded against by many card issuers, other tricks have not yet been revealed. So whenever you want to post some of your personal data on a social network, especially Facebook, or elsewhere on the Internet, please think carefully about it.

Integrity means keeping your information correct and complete wherever and whenever it is used. The credit card fraud example above also shows the problem of information alteration, an integrity violation. But not all integrity failures come from malice; they may come from accident or mistake. For example, “100.00” carelessly typed as “10,000” in a financial transaction will cause a problem.

Availability is the readiness of information whenever it is needed. It easily becomes the most overlooked aspect of information security. For example, you created a valuable presentation, but when the time comes to present, the file is lost or corrupt and you have no backup copy; this shows how important availability is. Threats to availability also include storage failure, computer viruses, equipment malfunctions, loss of network connection, up to business interruption or disaster.

Information needs to be stored somewhere, and threats are all around. Different information stored in different places may face different threats and so need different controls. For example, anti-virus on your computer may protect the files stored on your hard drive, but not from a drive crash (a different threat). You need another control, such as a backup solution, in this case.

So, when you want your information secured, consider confidentiality, integrity and availability together; you will find sufficient controls and make your information truly secure.