Table 12.2 Business Risk Motivations for Security Framework

| IA Core Principle | Risk | Mitigation Objective |
|---|---|---|
| Confidentiality | Disclosure of information | Nondisclosure |
| Integrity | Corruption of information or information technology | Accuracy |
| Availability | Loss of use | Usable on demand |
| Possession | Loss of physical possession; theft or misplacement | Owner/custodian maintains custody |
| Authenticity | Information does not reflect reality; although not corrupt, it is not accurate; deception violates authenticity. | Conforms to reality |
| Utility | Information or information technology may not be utilized for their intended purpose. | Accessible for use |
| Privacy | Violation of trust; legislative violation governing privacy rights | Protect individual rights; maintain trust levels |
| Nonrepudiation | Person initiating a communication or transaction may deny having done so. | Nondeniability; a communication or transaction is traceable to a particular person or entity (e.g., computer system or service) |
| Authorized use | Theft of service, e.g., toll fraud | Appropriate access to services |
funds transfers, etc. Personal transactions often include a signature or other
form of tangible representation of the agreement (e.g., store receipt). Subsequent
disputes may examine the proof of those transactions. Disputes over online
transactions, or virtual transactions, require definitive, unique representation
of both parties. Nonrepudiation is part of the overall scheme to provide that
definitive, unique representation.
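The "definitive, unique representation" the paragraph asks for is what a digital signature supplies and what a shared-key MAC does not. The following Go program is an added illustration, not code from the book: it signs a constructed sample transaction with Ed25519 so a third party can attribute it to the signer, and computes an HMAC over the same record to show why a key held by both parties cannot establish nonrepudiation. The Transaction type, its field layout and the sample values are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Transaction is a constructed sample record (hypothetical format) a dispute resolver must later attribute to its originator.
type Transaction struct {
	From, To string
	Cents    int64
	Nonce    string // unique per transaction so an old record cannot be replayed
}

func (t Transaction) Bytes() []byte {
	return []byte(fmt.Sprintf("%s|%s|%d|%s", t.From, t.To, t.Cents, t.Nonce))
}

// SignTransaction binds the record to the originator's private key: only the
// holder of that key can produce the signature, which is what makes the
// record traceable to a particular person or entity.
func SignTransaction(priv ed25519.PrivateKey, t Transaction) []byte {
	return ed25519.Sign(priv, t.Bytes())
}

// VerifyTransaction needs only the public key, so a third party can settle a
// dispute without either side's secrets; any change to the record fails.
func VerifyTransaction(pub ed25519.PublicKey, t Transaction, sig []byte) bool {
	return ed25519.Verify(pub, t.Bytes(), sig)
}

// MacTransaction is the contrast: an HMAC under a key both parties share
// proves integrity to the peer but not nonrepudiation, because the receiver
// can compute the identical tag and the sender can therefore deny it.
func MacTransaction(sharedKey []byte, t Transaction) []byte {
	m := hmac.New(sha256.New, sharedKey)
	m.Write(t.Bytes())
	return m.Sum(nil)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tx := Transaction{From: "alice", To: "bob", Cents: 12500, Nonce: "n-0001"}
	fmt.Println("signature verifies:", VerifyTransaction(pub, tx, SignTransaction(priv, tx)))
	key := []byte("shared-secret")
	fmt.Println("receiver reproduces sender's MAC:", hmac.Equal(MacTransaction(key, tx), MacTransaction(key, tx)))
}
```

The signature check also rejects a record whose amount was altered after signing, so the same mechanism covers the integrity row of the table, while the MAC comparison always succeeds for anyone holding the shared key.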
Authorized use addresses theft of service, e.g., toll fraud. Toll fraud, or the theft of long-distance services, costs organizations worldwide billions of dollars per year. Theft of service may also be theft of CPU time in a multiprocessing environment, or theft of a service (unauthorized use of a service) in a service-oriented architecture (SOA).