Читать книгу The Official (ISC)2 SSCP CBK Reference - Mike Wills - Страница 29

What does it mean to “keep information secure?” What is a good or adequate “security posture?” Let's take questions like these and operationalize them by looking for characteristics or attributes that measure, assess, or reveal the overall security state or condition of our information.

 Confidentiality: Limits are placed on who is allowed to view the information, including copying it to another form.

 Integrity: The information stays complete and correct when retrieved, displayed, or acted upon.

 Availability: The information is presented to the user in a timely manner when required and in a form and format that meets the user's needs.

 Authenticity: Only previously approved, known, and trusted users or processes have been able to create, modify, move, or copy the information.

 Utility: The content of the information, its form and content, and its presentation or delivery to the user meet the user's needs.

 Possession or control: The information is legally owned or held by a known, authorized user, such that the user has authority to exert control over its use, access, modification, or movement.

 Safety: The system and its information, by design, do not cause unauthorized harm or damage to others, their property, or their lives.

 Privacy: Information that attests to or relates to the identity of a person, or links specific activities to that identity, must be protected from being accessed, viewed, copied, modified, or otherwise used by unauthorized persons or systems.

 Nonrepudiation: Users who created, used, viewed, or accessed the information, or shared it with others, cannot later deny that they did so.

 Transparency: The information can be reviewed, audited, and made visible or shared with competent authorities for regulatory, legal, or other processes that serve the public good.

Note that these are characteristics of the information itself. Keeping information authentic, for example, levies requirements on all of the business processes and systems that could be used in creating or changing that information or changing anything about the information.

All of these attributes boil down to one thing: decision assurance. How much can we trust that the decisions we're about to make are based on reliable, trustworthy information? How confident can we be that the competitive advantage of our trade secrets or the decisions we made in private are still unknown to our competitors or our adversaries? How much can we count on that decision being the right decision, in the legal, moral, or ethical sense of its being correct and in conformance with accepted standards?

Another way to look at attributes like these is to ask about the quality of the information. Bad data—data that is incomplete, incorrect, not available, or otherwise untrustworthy—causes monumental losses to businesses around the world; an IBM study reported that in 2017 those losses exceeded $3.1 trillion, which may be more than the total losses to business and society due to information security failures. Paying better attention to a number of those attributes would dramatically improve the reliability and integrity of information used by any organization; as a result, a growing number of information security practitioners are focusing on data quality as something they can contribute to.