Term of the Week: Confidentiality

Why does a business professional need to know this?

Confidentiality is a fundamental concept of information security that business professionals, as well as cybersecurity professionals, must understand. After information is collected or generated, it must be evaluated and assigned a level of security appropriate to company policy and other regulatory controls. Maintaining confidentiality in accordance with the security level assigned by the organization is a responsibility of all business professionals.

The question of data confidentiality gained media attention when Edward Snowden disclosed NSA documents in 2013, revealing data collected by the U.S. government’s internet and phone surveillance program (Snowden, Edward)(House of Representatives report 2016). The issue in this case was whether Snowden was acting as a whistleblower when he disclosed these documents and whether acting as a whistleblower justified the release of these documents, despite their level of confidentiality.

Regulatory legislation and standards to protect personal information exist at all levels from international standards to local laws. Examples include the following:

• US: Health Insurance Portability and Accountability Act (HIPAA)(HIPAA)
• EU: General Data Protection Regulation (GDPR)(GDPR)
• Industry: Payment Card Industry Data Security Standard (PCI DSS)(PCI-DSS)
• US: Children’s Online Privacy Protection Act (COPPA)(COPPA).
• California: Shine the Light Law(CA 2003)

Once information is classified, organizations use employee education (for example, password complexity guidelines) and technical controls to protect confidentiality. Technical controls include: secure protocols, encryption, password protection, firewalls, and antivirus mechanisms.

To design a secure infrastructure, companies must provide safeguards against unauthorized access and maintain the confidentiality of information assets as mandated by both the relevant regulatory bodies and business policy.