
Data Integrity: Essential IT Protection Goals

Here's what's important:

In a time of rapid technological development and rising cybercrime, information security is becoming an obligation for companies. The article dives into the three core goals of IT security: Confidentiality, Integrity, and Availability. It explains why they are essential and how they can be implemented. It also goes into more advanced protection goals and the ISO 27001 standard. A must-read for anyone who wants to understand how to effectively protect a business in the digital world.

The use of the Internet in particular presents companies with ever new challenges. Criminal activity and cybercrime put a strain on IT departments, and increased vigilance is required. Experts have to deal with home office regulations while data streams keep growing and technology keeps developing. At the same time, companies have an obligation to protect information and data from unauthorized access. Misuse of data can result from outdated and insecure systems, but human error and cybercrime must also be mentioned. If a company wants to achieve information security, the mandatory IT protection goals of confidentiality, integrity and availability must be guaranteed at all times.

The three protection goals – an overview 

Unlike data protection, information security has no single legal basis that a responsible party can refer to. For this reason, the responsible party must assess the business risk themselves and define the necessary measures independently. The protection goals mentioned above go back to a recommendation of the German Federal Office for Information Security (BSI). They are comparable with the requirements of ISO 27001, the international standard for setting up an information security management system. The BSI's IT-Grundschutz Compendium defines the situation as follows: "Information security has the protection of information as its goal. Information can be stored on paper, in IT systems or in heads. The protection goals or basic values of information security are confidentiality, integrity and availability. Many users include other basic values in their considerations." Since companies have recognized the significance of the issue, the objectives are being extended independently to cover bindingness, authenticity and accountability, and supplemented by companies' own rules.

Confidentiality 

An important component of the protection goals of information security is confidentiality. The IT protection goal of confidentiality is only met if an authorized group of people alone can gain access to the existing data; for everyone else, that data must remain inaccessible. IT departments in particular must ensure that rights are assigned properly within the company: it must be defined which rights an individual user receives and how this access is granted. The responsible person must ensure that access is enabled only to the data the user needs and that all other data remains secured. Confidentiality is not only a matter of securing physical and digital data at rest; other means of data transmission must also be taken into account. In particular, e-mail traffic within the company must be evaluated in terms of confidentiality. When measures are considered to meet the IT protection goal of confidentiality, these points must be covered:

  • Data and information must be encrypted
  • Proper access control must be ensured
  • Environmental and physical security must be considered
  • Operational security must be verified and ensured
  • Communication channels must be secured

Integrity 

Within the IT protection goals, integrity means that existing data may only be changed if the change is traceable and unwanted changes to the data are ruled out. If a company allows data to be changed, integrity is only guaranteed if the change is traceable and the person responsible can be named. This area overlaps with the goal of confidentiality, since unauthorized access must also be ruled out to preserve integrity. To ensure data integrity, care must be taken that unnoticed changes to the information are impossible, so that the data always remains traceable. Companies must pay particular attention to the systems and internal processes they use in order to meet the integrity requirements. Measures that companies can implement with regard to integrity include the following:

  • An implemented access control
  • Value management
  • The implementation of reliable systems
  • The permanent maintenance of the systems
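The two properties the article requires of integrity, that every change is traceable to a person and that no change goes unnoticed, as an added example that is not part of the original article: a keyed hash-chained change log in Python. The key, actors and records are constructed demo values.

```python
# Added example (not from the article): a tamper-evident change log. Every
# entry names its actor (traceability) and carries an HMAC over the previous
# entry's MAC, the actor and the record, so any unnoticed change is detected.
import hashlib
import hmac
import json

# Constructed demo key. In a real system it lives in a KMS/HSM, never in source.
LOG_KEY = b"constructed-demo-key-do-not-use"
GENESIS = "0" * 64


def _entry_mac(prev_mac: str, actor: str, record: dict) -> str:
    """Keyed digest over (previous MAC, actor, record); canonical JSON so
    the bytes are stable regardless of dict ordering."""
    payload = json.dumps(
        {"prev": prev_mac, "actor": actor, "record": record},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    return hmac.new(LOG_KEY, payload, hashlib.sha256).hexdigest()


def append_change(log: list, actor: str, record: dict) -> dict:
    """Record a change made by `actor`; the entry is chained to the previous one."""
    prev = log[-1]["mac"] if log else GENESIS
    entry = {"actor": actor, "record": dict(record), "prev": prev}
    entry["mac"] = _entry_mac(prev, actor, entry["record"])
    log.append(entry)
    return entry


def verify_log(log: list):
    """Return (ok, index): ok is False at the first entry whose record, actor
    or chain link no longer matches its MAC; index is -1 when the log is intact."""
    prev = GENESIS
    for i, e in enumerate(log):
        expected = _entry_mac(prev, e["actor"], e["record"])
        if e["prev"] != prev or not hmac.compare_digest(expected, e["mac"]):
            return False, i
        prev = e["mac"]
    return True, -1


def demo_tampered_log():
    """Two legitimate changes, then a direct edit that bypasses the log path."""
    log = []
    append_change(log, "alice", {"invoice": 1001, "amount": 250})
    append_change(log, "bob", {"invoice": 1001, "amount": 275})
    log[1]["record"]["amount"] = 99999  # silent edit: MAC no longer matches
    return verify_log(log)
```

Because the MAC also covers the actor and the previous link, swapping the named person or deleting an entry from the middle of the chain is detected in the same way as an edited record.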

Availability 

If a company holds confidential data that is handled with integrity, an internal question remains: how do authorized persons access the data they need? The IT protection goal of availability starts at this point, and companies are therefore required to create a technological basis that guarantees the availability of data. Because data availability depends on systems staying up, a company must protect itself against system failures. If data or information is lost, those responsible for information security must restore the desired operating state as quickly as possible; in this case, the IT department would restore the data from a backup. Data availability can be achieved with these measures:

  • Acquisition of secure systems
  • Development of systems
  • Maintenance of systems
  • Analysis of the existing risk
  • The internal management of incidents that affect information security
  • An internal continuity management

Authenticity 

The protection goal of authenticity is about ensuring that data is genuine. Every company must verify this data with regard to the properties it claims to have.

Bindingness and imputability 

The concepts of bindingness and imputability are closely related. Bindingness means that an actor cannot deny an activity, so an act or activity can be clearly attributed to the person who performed it. This assignment of an activity to a person is what the concept of imputability covers. In companies, imputability is usually implemented through access authorizations, which enable the company to assign actions to a person without any doubt.

What advice should a company follow? ISO 27001 

When protection goals are discussed in a company, many responsible persons study the instructions for action and case studies named in the international standard ISO 27001. The best-known instrument recommended in ISO 27001 is the operation of a central element, the information security management system (ISMS).

An ISMS is an approach that maps information security within a company. It also includes a clear definition of the protection goals to be achieved. Through this approach, the company is sustainably protected against security breaches, which also covers internal disturbances. Implementing ISO 27001 is a great challenge for companies, and for this reason it is advisable to contact the experts of heyData, who have extensive expertise in IT protection goals and ISO 27001.

The evaluation of protection goals 

Data security must not exist only in theory in a company; for this reason, the effectiveness of the objectives must be regularly reviewed and evaluated. If weaknesses are identified within the ISMS, these risk factors must be eliminated promptly. Continuous further development of processes and systems must be a fundamental focus, and all employees must be made aware at an operational level. A negative result in the evaluation of the protection goals means an increased risk of damage. This damage can mean financial losses, but also a loss of reputation. Especially in the area of IT security, it is imperative to apply all necessary patches and updates, as cybercrime in particular represents a high risk. Ransomware can specifically intercept data, which can then be used for criminal activities. If data is sold, this means immediate damage, but a GDPR violation could also be reported. If a loss of data is picked up by the media, customers and suppliers learn that the company does not manage data and information securely; the result is a loss of reputation and a loss of customers and suppliers, which in turn brings financial losses.

Bottom line 

Companies need to pay more and more attention to data and information in today's world. If data falls into the wrong hands, this can put a heavy strain on a company. The consequences are not only a loss of reputation and financial losses; legal consequences can also trigger a crisis within a company. For this reason, company assets and, at the same time, the data of those affected should be protected.
