Abbreviations

Fundamental Security Objectives

The fundamental and core goals of information security domain are to:

1. Ensure confidentiality of information
2. Ensure Integrity of the data always
3. Ensure Availability of information as and when required

All security controls, mechanisms, and safeguards are implemented to provide one or more of these protection types, and all risks, threats, and vulnerabilities are measured for their potential capability to compromise one or all of the AIC principles

Confidentiality

It ensures that the required level of secrecy is enforced at each stage of data processing and prevents unauthorized disclosure. This level of secrecy should prevail while data resides on systems and devices within the network, as it is transmitted, and once it reaches its destination

To ensure confidentiality, application designers and developers has to adopt and implement mechanisms to identify and protect sensitive data in the application data management.

Few ways how confidentiality can be compromised:

1. Network sniffing
2. Breaking encryption
3. Social engineering
4. Gaining unauthorized access to data

Few protection mechanisms include:

1. Encrypting sensitive data during transmission and at rest
2. Hashing and salting the user passwords
3. Enacting access controls
4. Masking the credit card numbers when displaying in a web page.
5. Classifying data and enforcing controls

Integrity

Integrity means that data or information in your system is maintained so that it is not modified or deleted by unauthorized parties.

Software, hardware, and communication mechanisms must work in coordination to maintain and process data correctly and to transfer data to correct destinations without unwanted changes. The data processing systems and communications networks must be shielded against manipulation and outside intervention.

Few ways integrity can be compromised:

1. Malicious modification of data by hackers
2. Logic bombs
3. Backdoors

Ensuring Integrity:

1. Ensuring strict access controls
2. Version controls
3. Checksums
4. Digital signatures
5. Implementing intrusion detection systems
6. Data backups
7. Audit trails

Availability

The final component of the CIA Triad is availability. It means that systems and data are available to authorized individuals when they need it and under any circumstances, including power outages or natural disasters.

Without availability, even if you have met the other two requirements of the CIA Triad, your business can be negatively impacted.

Few ways availability can be compromised:

1. DoS/DDOS attacks
2. Ransomware

Ensuring Availability:

1. Redundant networks, servers and applications for failover
2. Clustering of the servers/services
3. Load Balancing between multiple servers
4. Backups of the servers
5. DDOS detection and prevention firewalls

Data Classification

Data classification, or categorization, is the process of grouping subjects, objects, and so on into groups, categories, or collections with similarities. These similarities are mostly based on various parameters such as value, cost, sensitivity, risk, vulnerability, privilege, possible levels of loss or damage, or need to know basis.

Data classification schemes’ main goal is to categorize and standardize the process of data security based on labels for importance and sensitivity.

Data classification is applied to provide/define security mechanisms for storing, processing, and transferring data.

The criteria by which data is classified is based on the organization performing the classification according to the nature of the business.

Popular common data classification schemes:

1. Government/military classification

High	Top Secret
	Secret
	Confidential
	Sensitive but unclassified
Low	Unclassified

Top Secret Top secret is the highest level of classification for government information. It is used to protect information that could cause exceptionally grave damage to national security if it were disclosed without authorization. Top secret information is compartmentalized, which means that only those who have a specific need to know about it are granted access. Even someone with top secret clearance may not have access to all top secret information.

SecretSecret is the second-highest level of classification for government information. It is used to protect information that could cause serious damage to national security if it were disclosed without authorization. Examples of secret information include plans for military operations, information about foreign intelligence operations, and scientific research that could be used to develop weapons of mass destruction

ConfidentialConfidential is the third-highest level of classification for government information. It is used to protect information that could cause serious damage to national security if it were disclosed without authorization. Examples of confidential information include trade secrets, financial data, and diplomatic communications.

Sensitive But UnclassifiedSensitive but unclassified (SBU) information is information that is not classified but that is still sensitive and should be kept private. It is often used to protect information that could violate the privacy rights of individuals. SBU is not a classification label, but rather a marking or label used to indicate how the information should be used or managed.

UnclassifiedUn-classified information is information that is not sensitive and does not pose a threat to national security. It can be disclosed to the public without any risk of harm. Unclassified is not a classification label, but rather a marking or label used to indicate how the information should be used or managed.

Business/Non-Government

Business/Non-Government sector classification systems can vary widely because they typically do not have to adhere to a standard or regulation.

High	Confidential	Private
	Sensitive
Low	Public

Confidential Confidential information is the most sensitive type of information and should only be shared with authorized individuals. If confidential information is disclosed, it could have a significant negative impact on a company.

PrivatePrivate data is information that is personal or confidential and should only be shared with authorized individuals. If private data is disclosed, it could have a significant negative impact on the company or individuals involved.

SensitiveSensitive data is information that is more confidential than public data. If it is disclosed, it could have a negative impact on the company.
PublicPublic data is information that is not confidential and can be shared with anyone. Its disclosure does not have a serious negative impact on the organization.