The increasing use of the internet has presented an abundance of new challenges for companies. Cybercriminals are constantly devising new methods to exploit vulnerabilities, putting a significant strain on IT departments. Despite these challenges, companies have a responsibility to protect their data from unauthorized access, whether it results from outdated systems, human error, or cybercrime, and this calls for increased vigilance. To achieve information security, companies must prioritize confidentiality, integrity, and availability, and ensure that these IT protection goals are met at all times.
When it comes to information security, responsible parties cannot solely rely on a legal basis like data protection. Instead, they must assess business risk and define necessary measures on their own.
To achieve information security, companies must prioritize the protection goals of confidentiality, integrity, and availability. These objectives correspond to the requirements of ISO 27001, the international standard for setting up an information security management system. The BSI's IT-Grundschutz compendium defines the situation as follows:
"Information security aims to protect information. Information can be stored on paper, in IT systems or in people's heads. The protection goals or basic values of information security are confidentiality, integrity and availability."
As the importance of information security continues to grow, companies are expanding the basic values beyond confidentiality, integrity, and availability to include commitment, authenticity, and accountability. To achieve these goals, organizations are implementing their own rules and guidelines, driven by growing recognition of the seriousness of the issue and of the need to protect against threats such as cybercrime.
Confidentiality is a crucial aspect of information security. To achieve confidentiality, only authorized individuals may have access to data, while everyone else must be barred from accessing it. IT departments play a major role in ensuring that data access is restricted to authorized personnel. This involves granting specific rights to individual users and carefully controlling their access to data. Users must only be able to reach the data they are authorized to access, and all other data must be properly secured. It is not only stored physical and digital data that needs to be secured, but also data in transit, such as emails within the company.
Confidentiality can be achieved with these measures:
• Encrypting data and information
• Ensuring proper access control
• Observing environmental safety and physical security
• Checking and ensuring operational security
• Securing the communication channels
To protect data integrity within the IT environment, companies must have proper measures in place. Changes to existing data must be traceable, and unauthorized modifications must be prevented in order to maintain data accuracy and reliability. Confidentiality also plays a critical role in ensuring data integrity, since unauthorized access can compromise the integrity of the data. Companies need to establish strict control mechanisms that guarantee the traceability of all changes made to the data, and implement internal processes that reflect these integrity requirements.
Data integrity can be achieved with these measures:
• Implemented access control
• Asset management
• Implementation of reliable systems
• Permanent maintenance of the systems
Once a company handles confidential data and information with integrity, an internal question arises: how are authorized persons to access the data they need? The IT protection goal of availability starts at this point, and companies are therefore required to create a technological basis that guarantees the availability of data. Data availability goes hand in hand with protection against system failures, so a company must prevent such failures. If data and information are lost, those responsible for information security must ensure that the desired operating state is restored as quickly as possible; in this case, the IT department would restore the data from a backup.
Availability of data can be achieved with these measures:
• Acquisition and maintenance of secure systems
• System development
• Analysis of the existing risk
• Internal management of incidents affecting information security
• Internal continuity management
How can a company protect itself even more efficiently?
Companies that observe the IT protection goals of confidentiality, availability and integrity often add further protection goals, namely authenticity, liability and accountability.
Authenticity is a critical protection goal that ensures the trustworthiness and reliability of data. It refers to the process of verifying that the data is genuine, accurate, and has not been tampered with.
Liability and imputability are two closely related concepts that are essential for ensuring accountability within a company. Liability refers to the responsibility of an individual or entity for their actions or activities. In other words, an agent cannot deny having carried out a particular activity or action (non-repudiation), and they are accountable for any consequences resulting from it. Within companies, imputability is often established through access authorizations, which ensure that only authorized individuals can access sensitive data or perform critical tasks. This way, any action or activity can be traced back to the responsible individual or group, making it easier to assign accountability.
In a company, it is important to establish protection goals to ensure the security and integrity of sensitive data and information. The international standard ISO 27001 is a widely recognized guide that provides best practices for achieving these protection goals. The implementation of an Information Security Management System (ISMS) is a crucial element recommended by the standard to help manage risks, identify vulnerabilities, and implement appropriate controls to protect information assets from threats. By implementing an ISMS, companies can continuously monitor and improve their information security management practices to stay ahead of emerging threats.
An ISMS is a systematic approach that maps information security within a company. It also includes a clear definition of the intended protection goals. Through this approach, the company is sustainably protected against security breaches as well as internal disruptions.
The implementation of ISO 27001 is a major challenge for companies and for this reason it is advisable to contact the specialists at heyData, who have a great deal of expertise regarding IT protection goals and the field of ISO 27001.
Data security must not exist only in theory in a company; for this reason, the effectiveness of the objectives must be regularly reviewed and evaluated. If weaknesses are identified within the ISMS, these risk factors should be eliminated as soon as possible. The continuous development of processes and systems should be a fundamental focus, and all employees must be trained to at least an operational level.
If protection goals are not met, there is an increased risk of damage to a company's finances and reputation. IT security is especially important because cybercrime is a high risk. Without necessary patches and updates, attackers can use ransomware and other malware to steal data for criminal activities or for sale. This can result in financial losses and violate data protection regulations. Loss of data can also harm a company's image, leading to the loss of customers and suppliers and to further financial losses. It is therefore crucial for companies to prioritize IT security and protect their data to avoid such outcomes.
In today's world, companies have to pay ever more attention to their data and information. If data falls into the wrong hands, this can place a heavy burden on a company: not only loss of image and financial losses result, but legal consequences can also trigger a crisis within the company. For this reason, company assets and, at the same time, the data of those affected should be protected.