Is the protection of data from unauthorized disclosure?
|
Show
Data confidentiality refers to protection of data from unauthorized access and disclosure, including means for protecting personal privacy and proprietary information. Lapses in data confidentiality can lead to a data breach, which can have far-reaching operational, financial, and reputational impacts for the enterprise. The NCCoE is committed to helping organizations address threats to data confidentiality.
Demonstrating how organizations can identify and protect information from threats to data confidentialityThe NCCoE Data Security Project Team is collaborating with industry experts and technology vendors to develop a reference design and a detailed description of the practical steps needed to identify and protect the confidentiality of an enterprise’s data. Status: Preparing Draft This project is currently in the build phase. We have selected the technology collaborators, who have signed a Cooperative Research and Development Agreement (CRADA) with NIST. Project AbstractAn organization’s data is one of its most valuable assets and must be protected from unauthorized access and disclosure. Large and small data breaches can impact the ability of an organization to survive as operational and financial data, along with employee or customer personally identifiable information, can become compromised. This can undermine the organization’s work and success and lead to severe reputational damage. The NCCoE is helping enterprises address data confidentiality challenges through collaborative efforts with industry and the Information Technology (IT) community, including vendors of cybersecurity solutions. The goal of this project is to provide a practical solution to identify and protect the confidentiality of an enterprise’s data. This project will also provide guidance that parallels the Detect, Respond to, and Recover from Data Breaches Project. The NCCoE chose to address data confidentiality in two parallel projects to provide modular, adaptable guidance rather than an utilize an all-or-nothing approach. This project will result in a publicly available National Institute of Standards and Technology Cybersecurity Practice Guide, a detailed implementation guide of the practical steps needed to implement a cybersecurity reference design that addresses this challenge.
Collaborating VendorsOrganizations participating in this project submitted their capabilities in response to an open call in the Federal Register for all sources of relevant security capabilities from academia and industry (vendors and integrators). The following respondents with relevant capabilities or product components (identified as “Technology Partners/Collaborators” herein) signed a Cooperative Research and Development Agreement to collaborate with NIST in a consortium to build this example solution.
Confidentiality—“Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information…” A loss of confidentiality is the unauthorized disclosure of information. Integrity—“Guarding against improper information modification or destruction, and includes ensuring information
non-repudiation and authenticity…” A loss of integrity is the unauthorized modification or destruction of information. Availability-—“Ensuring timely and reliable access to and use of information…” A loss of availability is the disruption of access to or use of information or an information system. Risk Assessment is a process which determines what information technology resources exist that require
protection, and to understand and document potential risks from IT security failures that may cause loss of information confidentiality, integrity, or availability. Control Activities are the policies, procedures, techniques, and mechanisms that help ensure that management's response to reduce risks identified during the risk assessment process is carried out. Information Assets—Definable pieces of information in any form, recorded or stored on any
media that is recognized as “valuable” to the University. Access Control refers to the process of controlling access to systems, networks, and information based on business and security requirements. ISO (International Organization for Standardization)—An international-standard-setting body composed of representatives from various national standards organizations. NIST (National Institute of Standards and Technology)—A non-regulatory federal agency within the U.S. Department of Commerce whose mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life. VPN (Virtual Private Network)—A network that uses a public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with secure access to the University’s network. VPN’s use encryption and other security mechanisms to ensure that only authorized users can access the network and that the data cannot be intercepted. IDS (Intrusion Detection System)—A device (or application) that monitors network and/or system activities for malicious activities or policy violations. IPS (Intrusion Prevention System)—A device (or application) that identifies malicious activity, logs information about said activity, attempts to block/stop activity, and reports activity. Encryption—Process of converting information so that it is humanly unreadable except by someone who knows how to decrypt it. What is unauthorized data disclosure?Unauthorized Data Disclosure can be interpreted that information is illegally or improperly released either in Inadvertent Human error and Malicious Human Activity.
What is unauthorized disclosure in cyber security?Definition(s): An event involving the exposure of information to entities not authorized access to the information.
What is an example of unauthorized disclosure?Examples of this type of unauthorized disclosure include, but are not limited to, leaving a classified document on a photocopier, forgetting to secure classified information before leaving your office, and discussing classified information in earshot of unauthorized recipients.
What is a consequence of an unauthorized data disclosure?The long-term consequences: Loss of trust and diminished reputation. Perhaps the biggest long-term consequence of a data breach is the loss of customer trust. Your customers share their sensitive information with businesses like yours assuming that you'll have the proper security measures in place to protect their data ...
|
