The three primary security principles are Confidentiality, Integrity, and Availability. They are often known as the CIA Triad. How much weight an organization places on each principle depends on the extent to which that aspect of its security is threatened.
Confidentiality offers a high level of assurance that objects are restricted from unauthorized subjects. In order to maintain confidentiality, data must be protected from unauthorized access while in storage, in process, and in transit. When confidentiality is breached, unauthorized disclosure may take place.
Examples of direct attacks against confidentiality include network traffic capture, sniffing, stealing password files, social engineering, port scanning, shoulder surfing, and eavesdropping.
Indirect breaches of confidentiality may result from human error, oversight, or ineptitude. Examples include failing to fully authenticate before data transmission, failing to apply proper data encryption, failing to secure access points, running malicious code that creates a new vulnerability, misrouted faxes, documents left on a printer, and leaving an access terminal open with data on screen and walking away. Confidentiality may also be breached because of an oversight in security policy or a misconfigured security control.
Countermeasures include encryption, network traffic padding, strict access control, rigorous authentication, data classification, and extensive personnel training.
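The following is an added example, not code from the original article, showing two of the listed countermeasures in standard-library Python: data classification enforced by strict access control (a subject reads an object only when its clearance meets the object's label), and protected credential storage so that a stolen password file does not disclose passwords. The classification labels, subject names, and file names are constructed for illustration.

```python
"""Added example (not part of the original article): confidentiality
countermeasures, data classification with access control and salted,
slow-hashed credential storage, using only the Python standard library."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Ordered classification levels (constructed labels). A subject may read an
# object only when its clearance is at least the object's classification.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


class AccessDenied(Exception):
    """Raised when a subject's clearance is below an object's classification."""


@dataclass
class ClassifiedStore:
    objects: dict = field(default_factory=dict)     # name -> (classification, content)
    clearances: dict = field(default_factory=dict)  # subject -> clearance level
    audit: list = field(default_factory=list)       # (subject, object, decision)

    def put(self, name, classification, content):
        if classification not in LEVELS:
            raise ValueError(f"unknown classification {classification!r}")
        self.objects[name] = (classification, content)

    def read(self, subject, name):
        classification, content = self.objects[name]
        # Unknown subjects default to the lowest clearance (least privilege).
        clearance = self.clearances.get(subject, "public")
        allowed = LEVELS[clearance] >= LEVELS[classification]
        self.audit.append((subject, name, "allow" if allowed else "deny"))
        if not allowed:
            raise AccessDenied(
                f"{subject} ({clearance}) may not read {name} ({classification})")
        return content


# Credential storage: keep only a random salt and a slow salted hash
# (PBKDF2-HMAC-SHA256), never the password itself, so a stolen password
# file yields no plaintext and cannot be attacked with precomputed tables.
PBKDF2_ITERATIONS = 600_000


def hash_password(password, salt=None):
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so response timing does not leak digest bytes.
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    store = ClassifiedStore()
    store.clearances.update({"alice": "secret", "bob": "internal"})
    store.put("payroll.csv", "confidential", "constructed salary data")
    print("alice:", store.read("alice", "payroll.csv"))
    try:
        store.read("bob", "payroll.csv")
    except AccessDenied as exc:
        print("bob:", exc)
    record = hash_password("constructed-passphrase")
    print("stored record contains plaintext?", "constructed-passphrase" in record)
    print("verify correct:", verify_password("constructed-passphrase", record))
    print("verify wrong:", verify_password("guess", record))
```

The audit list records every allow and deny decision, which is what a detection team would monitor for repeated denied reads of high-classification objects; the password record carries its own iteration count and salt so parameters can be raised later without breaking verification of older entries.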
Confidentiality depends on integrity. Without object integrity, confidentiality cannot be maintained. Other related concepts, conditions, and aspects include sensitivity, discretion, criticality, concealment, secrecy, privacy, seclusion, and isolation.