CIA Triad

Confidentiality, Integrity, and Availability

The primary goal of InfoSec is to protect the confidentiality of protected information, the accuracy of mission-critical decision-making information, and the availability of key data and data-processing systems whenever the institution requires them. InfoSec practitioners maintain confidentiality, integrity, and availability by guarding against disclosure, alteration, and destruction.


Confidentiality

The ability to hide information from people who do not have express permission to view it. Perhaps the most obvious aspect of the CIA triad with regard to information security assurance, it is statistically the aspect most often attacked. Cryptography and encryption methods are an example of an attempt to ensure the confidentiality of data at rest (on tapes or disk drives) and of data in transit (using SSL/TLS for HTTPS communications). Unauthorized disclosure occurs when persons who do not have express permission to view confidential information gain access to legible, unencrypted copies of it. We must protect confidential information from cyber-criminals, from accidental release (such as a lost laptop without encrypted drives), and even from disclosure inside the institution (such as Fiscal Services personnel accidentally accessing Human Resources personnel records).

Integrity

Ensuring that data is an accurate and unchanged representation of the original secured information. Some methods for protecting data integrity are encryption in transit and at rest, using cryptographic hashes and digital signatures to verify data in transit, and using stringent access control to protect against alteration by non-approved entities. Our institution's efforts to maintain data integrity against alteration are important, since altered information can negatively affect the decisions made by our institution's leaders. Inaccurate forecasting models or general ledger buckets are obvious examples of how inappropriately modified data could impair our institution's ability to operate. Another good example of data integrity is the College website: hacktivists (hackers with political goals) or cyber criminals may attempt to deface it for their own gain, whether for a political agenda or for 'hacker notoriety'.
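The distinction between a hash and a signature in that paragraph matters in practice: a plain hash stored beside the data catches accidental corruption, but anyone able to rewrite the data can recompute the hash as well. The example below is added here and is not code from the original page. It uses an HMAC (a keyed hash from the Python standard library) as a stand-in for a digital signature, and the general ledger record it protects is a constructed sample. It shows an unkeyed hash being fooled by a rewritten record while the keyed tag still rejects it.

```python
import hashlib
import hmac
import secrets

# Constructed sample ledger record (not from the page) and a tampered copy
# in which the amount has been changed.
RECORD = b"ledger:acct=4410;amount=1250.00;period=2024Q1"
TAMPERED = RECORD.replace(b"1250.00", b"9250.00")


def sha256_hex(data: bytes) -> str:
    """Unkeyed hash: detects accidental corruption, but whoever can alter
    the data can recompute this value, so it proves nothing on its own."""
    return hashlib.sha256(data).hexdigest()


def check_with_plain_hash(data: bytes, stored_hash: str) -> bool:
    return sha256_hex(data) == stored_hash


def sign_record(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 tag: only a holder of `key` can produce a matching tag.
    Stands in here for a digital signature."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_record(key: bytes, data: bytes, tag: str) -> bool:
    """Constant-time comparison so the check does not leak the tag via timing."""
    return hmac.compare_digest(sign_record(key, data), tag)


def demo(key: bytes = None) -> dict:
    """Walk through both checks against the original and tampered records."""
    key = key or secrets.token_bytes(32)
    stored_hash = sha256_hex(RECORD)   # hash kept next to the record
    tag = sign_record(key, RECORD)     # keyed tag issued by the key holder
    # An attacker who rewrites the record simply recomputes the unkeyed hash.
    forged_hash = sha256_hex(TAMPERED)
    return {
        "hash_detects_corruption": not check_with_plain_hash(TAMPERED, stored_hash),
        "hash_fooled_by_rehash": check_with_plain_hash(TAMPERED, forged_hash),
        "mac_accepts_original": verify_record(key, RECORD, tag),
        "mac_rejects_tampered": not verify_record(key, TAMPERED, tag),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

All four results come out `True`: the unkeyed hash catches the change only while the stored hash is left alone, and the keyed tag rejects the tampered record regardless, because the attacker cannot produce a new tag without the key. A real digital signature gives the same property with a private key that the verifier never needs to hold.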

Availability

Discounting scheduled downtime, it is important to ensure that information is readily accessible to authorized viewers at all times. As one can imagine, unscheduled system outages can cause significant disruption to institutional processes. If a system is taken offline because of a security incident, disabled by a Denial of Service (DoS) attack, or brought down by a non-redundant hardware failure, there is the potential for a large loss of institutional functionality. Depending upon the time of year, month, or term, various systems play integral roles in student success. Information Technology Services and the information security practitioner go to great lengths to guard against destruction of systems and data.