Confidentiality ensures that information and data are shared, viewed and processed only by or among authorized persons. As with all human endeavors, breaches do occur despite well-meaning efforts, time and other resources expended. Such breaches come about through disclosure by word of mouth, for example when a person is socially engineered into giving up information about his organization. When that happens, an organization stands to lose much of its mission-critical information, such as trade secrets and formulas. Breaches also occur through the use of printers and copiers, through e-mail, and so on. Not to be discounted is the fact that organizations can fall victim to industrial espionage when hackers succeed in circumventing the controls protecting their information system assets.
However, it is noteworthy that the confidentiality of information and data can be assured to a reasonable extent when organizations are willing and motivated to get it right. Such proactive initiatives should include attracting and retaining the right manpower, with the knowledge, skill and attitude required to see the job done well.
Other controls include:
- Encryption of data and information at every stage of their life cycle. This method converts readable text into cipher text to prevent unauthorized disclosure.
- Passwords: these days the emphasis is in favor of passphrases. Whether an organization decides to stick to passwords or not, the watchwords should be their secrecy, security and safekeeping.
- Biometric technologies go a long way toward assuring the confidentiality of information and data. They are based on the known fact that humans have different physical attributes that uniquely identify each person and so separate one from another. Therefore retina scans, iris scans, fingerprints, voice recognition and similar data capture techniques, when implemented, help assure the confidentiality of information and data.
- Access control mechanisms, which may take the form of a chosen system configuration option, do a lot in this regard. It must be stressed that access to data and information must be granted according to rules. Notable among these are the need-to-know rule and least privilege. This presupposes that the information and information assets to be protected have been classified. How organizations choose to go about this is entirely at their discretion; a generic classification scheme is a simple high, medium and low. Once information is classified, systems must be hardened to ensure that an employee has a need to know a particular piece of information before he is granted access. This also assures that employees have access to only the information and data needed to do their job, which is least privilege.
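As an added illustration (not part of the original text), the following Python sketch combines the three rules named above into one access decision: a high/medium/low classification check, a need-to-know check by compartment, and a least-privilege check on the action requested. The asset and employee names are constructed for the example.

```python
from dataclasses import dataclass, field

# Classification scheme the text describes: a simple high / medium / low ordering.
LEVELS = {"low": 0, "medium": 1, "high": 2}


@dataclass(frozen=True)
class Asset:
    name: str
    level: str        # classification: "low", "medium" or "high"
    compartment: str  # need-to-know boundary, e.g. "finance" or "rnd"


@dataclass
class Subject:
    name: str
    clearance: str  # highest classification level this person may handle
    # Least privilege: per compartment, only the actions the job requires.
    # Holding any entry for a compartment is what establishes need-to-know.
    permissions: dict = field(default_factory=dict)


def decide(subject: Subject, asset: Asset, action: str) -> tuple:
    """Return (allowed, reason). All three rules must pass for access."""
    if LEVELS[asset.level] > LEVELS[subject.clearance]:
        return False, "clearance below classification"
    actions = subject.permissions.get(asset.compartment)
    if actions is None:
        return False, "no need-to-know for compartment"
    if action not in actions:
        return False, "action not granted to this role (least privilege)"
    return True, "granted"


# Constructed sample data (hypothetical names, not from the original text).
FORMULA = Asset("product-formula", "high", "rnd")
PAYROLL = Asset("payroll-summary", "medium", "finance")

ALICE = Subject("alice", "high", {"rnd": {"read"}})            # R&D chemist
BOB = Subject("bob", "high", {"finance": {"read", "write"}})   # finance manager
CAROL = Subject("carol", "low", {"rnd": {"read", "write"}})    # R&D intern


if __name__ == "__main__":
    for who, what, act in [(ALICE, FORMULA, "read"), (ALICE, FORMULA, "write"),
                           (BOB, FORMULA, "read"), (CAROL, FORMULA, "read")]:
        print(who.name, act, what.name, "->", decide(who, what, act))
```

Note that Bob is cleared for "high" yet is still refused the formula: clearance alone never implies need-to-know, and even Alice, who has it, cannot write to the asset because her job only requires reading it.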