Common misconceptions about information security compliance
There is much confusion and many misconceptions when it comes to information security and compliance with regard to big data. The two biggest misconceptions are that "it's all about the data" and "it's all about confidentiality." While data and confidentiality are certainly of critical importance, a more holistic approach is required. A business must be concerned about its data, but it must be equally concerned about the systems on which the data resides. In addition, confidentiality is only one of three key protections required for true security. Those three protections are frequently referred to by the well-known acronym "CIA," standing for Confidentiality, Integrity, and Availability. For data to be truly secure, each of these three elements must be satisfied.
"Confidentiality" is the most obvious of the three elements in CIA. It means the data is protected from unauthorized access and disclosure.
"Integrity" means the data can be relied upon as accurate and that it has not been subject to unauthorized alteration. Data integrity is likely the least obvious of the elements necessary for achieving good information security. Consider the importance of the integrity element in the context of a medical information system used in a hospital. If the data in a patient record cannot be relied upon (e.g., to identify a drug allergy, recent medical treatments, results of blood tests, etc.) because certain elements may have been altered, the entire database is rendered suspect.
Finally, "Availability" means data is available for access and use when required. It does no good to have data that is confidential and for which integrity is maintained if that data is not actually available when a user requires it. Consider, again, the example of the healthcare information system. If a patient record is unavailable because of a system failure when a patient comes into the emergency room in critical condition, it is useless. Hackers understand the substantial impact unavailability may have on a business, particularly online businesses. Denial-of-service attacks are frequent. In these attacks, hackers inundate a target business' services with fake requests in an effort to overwhelm them, preventing real users from accessing and using the systems.
The importance of CIA cannot be overstated. It is not just a well-worn concept in information security treatises. Lawmakers have directly incorporated that very language into certain information security and privacy laws and regulations. Businesses that fail to achieve CIA with regard to their data may be found in violation of those laws.
A final misconception about information security and privacy laws is that they require perfection (i.e., any breach, regardless of how diligent the business has been, will create liability). This is not true. The laws and regulations in this area are directed at having businesses do what is reasonable and appropriate. If the business achieves that standard and a breach nonetheless occurs, it will generally not have a compliance problem. Liability will turn on whether the business has thoughtfully attempted to address the security of its data.