What is it?
An assurance that information remains unaltered from its intended state as it is produced, transmitted, stored, and received. Ensuring integrity may include ensuring the non-repudiation and authenticity of information as well.
Why is it important?
Integrity is considered by many to be the most important element of the confidentiality, integrity, and availability (CIA) security triad. Any system that is otherwise available and confidential can still be rendered useless if a user cannot be confident that the information it contains is trustworthy, accurate, and complete.
Why does a business professional need to know this?
If you can alter information, you can alter the decisions people make using that information. For organizations, information is of little use unless they can be assured of its integrity. Therefore, maintaining information and system integrity is a core objective of today’s cybersecurity efforts.
Integrity concerns have existed since the earliest days of computing, when system designers used cyclic redundancy checks (CRC) to detect and address errors in data transmission and storage components. While the kind of physical integrity check that CRC provides remains important, cybersecurity predominantly addresses logical integrity of information and the accidental, deliberate, and unauthorized actions that may compromise integrity.
Protections for integrity generally operate at the information and system levels. At the information level, controls are applied to the actual information and its processing, transfer, and storage. At the system level, controls ensure the system can operate unimpaired, while preventing and detecting unauthorized manipulations or integrity violations that could lead to information compromise, theft/exfiltration of data, business disruption, reputational damage, etc.
Integrity assurance is a part of most security controls implemented and used today. Examples include the following:
- Patching: improving processing integrity so exploits cannot compromise coding weaknesses
- Antivirus: defending against code designed to compromise the integrity of systems and information
- File/container permissions: defining the scope of who and what actions can be taken
- Backups and version control: preserving original copies to defend against unauthorized changes
- Encryption and digital signing: ensuring information cannot be stolen (encryption) or altered (digital signing)
- Detection controls: logging, monitoring, and intrusion detection systems (IDS) to discover unauthorized system modifications
- (NIST 800-12) NIST Special Publication 800-12: An Introduction to Information Security: National Institute of Standards and Technology (NIST) (1995, rev. 2017). US Department of Commerce. PDF. Introduction to information security principles that organizations can use to help understand the needs of their systems.
- (Rode 2012) Data Integrity in an Era of EHRs, HIEs, and HIPAA: A Health Information Management Perspective: Rode, Dan (2012). US Office for Civil Rights, Health and Human Services, National Institute for Standards and Technology Conference. PDF. Presentation slide deck covering confidentiality, integrity, availability, interoperability, standards, and security requirements for healthcare information.
- (ISO 27000 Overview) ISO/IEC 27000:2018. Information technology — Security techniques — Information security management systems — Overview and vocabulary: ISO (2018). International management systems standards for information security, also known as the Information Security Management System (ISMS) family of standards.