If you’ve ever looked into document or data storage, be it analogue, digital or physical, then chances are you’ll have run into the phrase Information Assurance. But what does the term actually mean to the company to whom you’d be entrusting your valuable files and documents? Here’s the breakdown.
Three commonly used models serve as a sort of checklist, to ensure that all necessary security precautions are being taken. The first, the Information Security model (also known as the CIA triad), addresses Confidentiality, Integrity and Availability. The second is loosely referred to as the Five Pillars of Information Assurance, and is concerned with the same principles as the CIA triad, in addition to Authentication and Non-Repudiation.
The final model, which tends to be used less than the other two, is known as the Parkerian Hexad, and like the Five Pillars, is based on the CIA triad. However, it also addresses Authenticity, Utility and Possession.
These concepts might all sound very similar to one another, but to an Information Assurance firm, each principle is unique and highly important.
Confidentiality is the guarantee that protected information is divulged only to authorised personnel, processes or systems – essentially keeping your data away from potentially prying eyes.
Integrity ensures that data cannot be created, edited or removed without proper authorisation, as well as making sure that electronic or digital systems are likewise protected from any unauthorised access. Integrity is often confused with Authentication, though in reality the two concepts are very different. Where Integrity is primarily concerned with ensuring that your data or files remain unaltered, Authentication is the process of ensuring that messages, data or documents are genuine in the first place, or verifying the identity of a user generating such information.
Non-Repudiation refers to the use of technologies such as digital signatures to ensure that both the sender and receiver of data are each issued proof of the other’s identity – so that neither party can later deny that the exchange or processing of said data took place. This serves to record all interaction with protected information, and so helps in applying the other concepts listed here.
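As an added illustration (not part of the original post, and not ECA Limited’s code), the following Python uses only the standard library to show the difference between the three properties just discussed: a plain hash for Integrity, an HMAC for Authentication, and a digital signature for Non-Repudiation. The invoice text, the shared key and the RSA primes are all constructed here for demonstration; the RSA key pair is a deliberately tiny textbook one, used only so the signing step runs without third-party libraries.

```python
import hashlib
import hmac

# Constructed sample document (an invoice line) and a tampered copy of it.
ORIGINAL = b"Invoice 1234: pay 100 GBP to ACME Ltd"
TAMPERED = b"Invoice 1234: pay 900 GBP to ACME Ltd"

# Constructed shared secret for the HMAC example; both sender and receiver hold it.
SHARED_KEY = b"example-shared-key-not-for-real-use"


# --- Integrity: a plain hash detects alteration, but anyone can recompute it. ---
def integrity_digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def integrity_intact(data: bytes, expected_digest: str) -> bool:
    return hmac.compare_digest(integrity_digest(data), expected_digest)


# --- Authentication: an HMAC ties the message to a holder of the shared key. ---
def authenticate(data: bytes, key: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_authentic(data: bytes, key: bytes, tag: str) -> bool:
    return hmac.compare_digest(authenticate(data, key), tag)


# --- Non-repudiation: a digital signature needs a key only the signer holds. ---
# Deliberately tiny textbook RSA parameters, constructed for illustration only;
# a real signature scheme uses 2048-bit keys and proper padding.
P, Q = 10007, 10009
N = P * Q
E = 65537                              # public exponent, given to everyone
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, never shared


def _digest_mod_n(data: bytes) -> int:
    # Reduce the SHA-256 digest into the RSA group so the toy key can sign it.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def sign(data: bytes, private_d: int) -> int:
    return pow(_digest_mod_n(data), private_d, N)


def verify_signature(data: bytes, signature: int, public_e: int) -> bool:
    return pow(signature, public_e, N) == _digest_mod_n(data)


def demonstrate() -> dict:
    """Return the observations that separate the three properties (all True)."""
    digest = integrity_digest(ORIGINAL)
    tag = authenticate(ORIGINAL, SHARED_KEY)
    signature = sign(ORIGINAL, D)
    return {
        # Integrity: the stored digest no longer matches the altered document...
        "hash_detects_alteration": not integrity_intact(TAMPERED, digest),
        # ...but an attacker who can also replace the digest defeats the check.
        "hash_replaceable_by_attacker": integrity_intact(TAMPERED, integrity_digest(TAMPERED)),
        # Authentication: the tag fails on a changed message or a different key.
        "hmac_rejects_alteration": not verify_authentic(TAMPERED, SHARED_KEY, tag),
        "hmac_rejects_wrong_key": not verify_authentic(ORIGINAL, b"some-other-key", tag),
        # The receiver holds the same key, so it can mint a valid tag for any message:
        # a third party cannot tell sender from receiver, hence no non-repudiation.
        "hmac_receiver_can_forge": verify_authentic(
            TAMPERED, SHARED_KEY, authenticate(TAMPERED, SHARED_KEY)
        ),
        # Non-repudiation: verification uses only the public exponent, and the
        # signature binds the signer (sole holder of D) to exactly this document.
        "signature_verifies_with_public_key": verify_signature(ORIGINAL, signature, E),
        "signature_rejects_alteration": not verify_signature(TAMPERED, signature, E),
    }


if __name__ == "__main__":
    for name, holds in demonstrate().items():
        print(f"{name}: {holds}")
```

The point to take from the HMAC lines is that a shared key proves a message came from someone who holds the key, which is enough for Authentication between two parties but not for Non-Repudiation, because either party could have produced the tag. The signature separates the two roles: only the private key can sign, while anyone with the public key can verify.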
Availability is the practice of guaranteeing that information services and data may be accessed in a timely fashion as needed, and of protecting against unplanned unavailability of information. A stored box of old company receipts is no use, for example, if the box is buried under half a ton of other documents in a cluttered storeroom – such a situation would be a clear breach of Availability.
Often confused with Availability is the principle of Utility – but as with Integrity and Authentication, the two concepts are very different. Where Availability is concerned with how accessible the data or documents are, Utility refers to how useful they are. In addition to remaining confidential, integral, available, authenticated and non-repudiated, the data must also be usable. Altering the state of data – for instance substituting a table for a graph – is classed as a breach of Utility if said changes make the data more difficult to use.
Other examples of Utility breaches include storing data in an inappropriate format, or losing the decryption key to a set of encrypted data.
These are the concerns that Information Assurance firms take very seriously when it comes to securely storing your information. You never know which (if any) of the three models a company operates on, however, so it’s well worth taking the time to ask, so that you can be sure of making the right choice for your needs.
This is a guest post by ECA Limited – experts on information assurance and data security. For more information on securing your data and information assurance, you can visit the ECA website.