Basics

Security objectives: confidentiality, integrity, availability

What are the three security objectives of information security?

The security objectives of information security are confidentiality, integrity and availability. Confidentiality means that only authorised people can see the data. Integrity means the data stays unaltered. Availability means data and systems are there when you need them.

The three objectives give you a way to order your decisions. Every safeguard supports one or more of them, and every incident violates one or more of them. An attack with ransomware, meaning software that encrypts your data and demands money to release it, hits availability first, because work stops. If data is copied and published during the attack, confidentiality is violated as well.

In daily practice the objectives look like this. Confidentiality fails when the payroll folder sits on the network readable by every employee. Integrity fails when the bank details on an invoice are altered and the payment goes to a stranger's account. Availability fails when the server breaks down and the day's orders cannot be processed.

How you weight the three objectives depends on your business. A manufacturer whose revenue stops when the machines stop puts availability first. A legal practice or a doctor's surgery, holding information covered by professional secrecy, puts confidentiality first. The sensible first step is a short list: which three to five sets of data and which processes does your company need in order to work? For each of them, ask what theft, an unnoticed alteration and an outage would mean for you. The answers show you which measures pay off first.

The objectives also appear in law. Article 32 of the General Data Protection Regulation requires the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, and to test the effectiveness of the measures taken on a regular basis. Anyone processing personal data, such as customer or staff records, therefore has to address all three objectives.

An external review shows where one of the objectives is left unprotected. The vetosec IT Check covers 8 audit areas with more than 100 individual checks, among them access rights, backups and which systems can be reached from the internet. The findings are ordered by urgency and each one comes with a recommended measure.

All terms in the knowledge base

From the term to practice

Where does your business actually stand?

The IT Check reviews your IT across 8 audit areas with more than 100 individual checks and delivers documented findings with a prioritised action plan. From 1,299 € excl. VAT. The first call takes 20 minutes and carries no charge.

Book a first call