The CIA Triad of Information Security: Confidentiality

by Daniel Simpson

Your organization’s information security rests on three key concepts: confidentiality, integrity and availability of resources. The CIA triad is a baseline standard that every organization needs.

These three principles ensure that resources are unaltered, accessible to the staff who need them and kept in confidence. The CIA triad is essential for planning and implementing good cybersecurity policies. Each point is equally important, and the three reinforce one another.

In this first blog in a series of three, we examine the nuances of confidentiality.

The Need for Confidentiality in Information Security

Even children, who use a lock and key on diaries or passwords to keep siblings out of the treehouse, know the importance of keeping things confidential.

It’s literally so easy a baby could do it, and yet we constantly hear about breaches of confidence in the news. Why? Because people lie, cheat and steal.

Organizations that are breached lose confidentiality because their information was removed, copied or viewed without permission.

To protect your information, limit who you let into the inner circle, both in what is discussed verbally and in who is granted access to digital and physical files.

What type of information should be protected? Anything that includes personal information, anything protected by the Health Insurance Portability and Accountability Act (HIPAA), and documents related to the functioning of your business:

  • Employee records that include a Social Security number, home address, telephone number or IP address
  • Employee records that disclose a disability
  • Medical records
  • Management information or actions, including disciplinary measures
  • Proprietary information and intellectual property
  • Trade secrets
  • Financial information, including earnings
  • Layoff records
  • Customer databases
  • Software source code

Misuse of this information could lead to identity theft, stolen funds or disclosure of private medical information.

Protecting Your Organization

Every organization needs a confidentiality policy. You can talk with your lawyer to establish one, or follow the guidance of the National Institute of Standards and Technology (NIST). NIST is the government’s recommended starting point for identifying which items are confidential.

A third-party managed security provider, such as Agio, can also help you identify and protect your information.

There are many ways to protect your confidential materials, including physical and digital security measures:

  • Locked document cabinets
  • Stringent password policies
  • Proper firewall configuration
  • Encryption of messages sent and received
  • Blocking file-sharing websites
  • No-camera and no-video policies
  • Retention rules for confidential material
  • Proper disposal of confidential information

Having a security policy offers transparency to employees, clients and stakeholders. It shows them how you will protect their information and defines common-sense practices. For example, it’s not obvious to every employee that they shouldn’t walk away from their desk with confidential information left on the screen.

Once established, this policy should be added to your onboarding and training processes.

Enforcing Confidentiality

Once your policy is written, don’t forget to check for legal ramifications and ensure all state-specific statutes are met. A quick call with your lawyer should do the trick.

With the legal review complete, it’s time to enforce the confidentiality policy. All employees, managers and clients should be informed of the policy and of the consequences if it’s broken.

The severity of the disciplinary measures, should the policy be broken, varies by organization. Regardless of industry, however, the legal ramifications of and publicity over lost confidential information can destroy any business.