Data security, business continuity and resilience are fundamental aspects that must be treated as transversal, backbone axes of a company's corporate cybersecurity strategy.
Guaranteeing the security of information in (and of) companies is critical. The ever-growing volume of data being handled, and the dependence of that data on information technologies, mean that data protection must be a priority.
To achieve effective security, it is essential to understand and apply the five pillars of information security:
- Confidentiality
- Integrity
- Availability
- Authenticity
- Legality
Let's look at each of the pillars of information security in detail.
Confidentiality guarantees that data or information (of any type, but especially sensitive and private data) is kept protected and safe from those who should not have access to it.
Moreover, such information, besides not being accessible to users without permissions, must not even be visible to them, thereby protecting confidentiality and preventing information leaks and/or privacy violations.
There are many mechanisms to guarantee the confidentiality and protection of data; let's look at some of them so that measures can be taken in this regard:
- Establishing multi-layered access controls that, through a robust user authentication system and authorization segmented by information level, determine and enforce the permissions authorized users have over the available information, while denying access to those who should not have it.
- Encrypting information, so that it is not readable or intelligible to anyone who should not have it and could intercept it at any stage (at rest or in transit), thereby guaranteeing that even if such a user could "access" it, they cannot understand or decipher it.
- Applying privacy policies that all company employees must understand and follow scrupulously, thereby guaranteeing the confidentiality of the information.
This, in turn, results in a better corporate image and company reputation, helps meet business objectives, favours regulatory compliance, avoids sanctions and increases the trust of clients, partners, collaborators, suppliers, etc.
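The encryption point above is worth seeing in code. The following is an added example, not code from the original article or from Zerolynx: it uses only the Go standard library (AES-256-GCM, an authenticated cipher) to show that an interceptor without the key recovers nothing, and that a ciphertext altered in transit is rejected rather than decrypted to garbage. The key, the sample record and the `record-id` associated data are constructed for the example; in practice the key would come from a key-management service, never from the code.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Encrypt seals plaintext with AES-256-GCM. The output carries an authentication
// tag, so any change to the ciphertext is detected on decryption. The random nonce
// is prepended to the ciphertext so Decrypt can recover it. aad is data that is
// authenticated but not encrypted (e.g. a record identifier) and must be supplied
// again, unchanged, to Decrypt.
func Encrypt(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // a nonce must never repeat under one key
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to the nonce buffer.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Decrypt reverses Encrypt and returns an error if the key is wrong or the data
// was modified in storage or in transit.
func Decrypt(key, data, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ciphertext := data[:gcm.NonceSize()], data[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, aad)
}

// EncryptionScenario returns, in order: whether the legitimate key holder recovers
// the plaintext, whether an interceptor with a different key is refused, and
// whether a ciphertext altered in transit is refused.
func EncryptionScenario() (recovered, wrongKeyRefused, tamperRefused bool, err error) {
	key := make([]byte, 32) // assumed 256-bit key, generated here only for the example
	if _, err = rand.Read(key); err != nil {
		return
	}
	// Constructed sample record; not real data.
	plaintext := []byte("patient=12345;diagnosis=confidential;ssn=000-00-0000")
	aad := []byte("record-id=12345")

	sealed, err := Encrypt(key, plaintext, aad)
	if err != nil {
		return
	}
	got, err := Decrypt(key, sealed, aad)
	if err != nil {
		return
	}
	recovered = bytes.Equal(got, plaintext)

	// An interceptor holding a different key learns nothing and is refused.
	otherKey := make([]byte, 32)
	if _, err = rand.Read(otherKey); err != nil {
		return
	}
	_, e := Decrypt(otherKey, sealed, aad)
	wrongKeyRefused = e != nil

	// Flipping a single bit of the ciphertext invalidates the authentication tag.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	_, e = Decrypt(key, tampered, aad)
	tamperRefused = e != nil
	return
}

func main() {
	recovered, wrongKey, tamper, err := EncryptionScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("legitimate decrypt ok: %v, wrong key refused: %v, tamper refused: %v\n",
		recovered, wrongKey, tamper)
}
```

The design choice here is authenticated encryption: a plain block or stream mode would happily "decrypt" a modified ciphertext into altered plaintext, which is exactly the kind of silent corruption the integrity pillar below is meant to catch.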
Integrity of information refers to the fact that data has not been modified or altered in an unauthorized manner (intentionally or not) by a user or system, thus guaranteeing that it is accurate and reliable.
Among many others, some actions or mechanisms to protect data integrity are the following:
- Using digital signatures, through which it can be verified that the signed information is the original and has not been altered, and therefore has undergone no change or modification of any kind since its creation and/or storage and signing.
- Establishing a version control system that allows close monitoring of each and every change the information undergoes during its life cycle, so that each version and the changes associated with it (made at that time) can be analysed, and even (as in the case of software) earlier versions of the information (states prior to the current one) and their corresponding changes can be restored.
- Carrying out data audits to consolidate existing information, detect possible unauthorized changes to the data and maintain a record of the modifications made.
In addition, this provides an acceptable level of protection for the information: tampering becomes detectable, and even an attacker who has successfully accessed or stolen the information is prevented from taking advantage of it by modifying or altering it to achieve other objectives.
Availability consists of ensuring that data is always available and accessible when needed.
There are many mechanisms to ensure that information is available. Let's look at some of them:
- Keeping backups that preserve the information in versioned, secure copies, with the aim of restoring it to that state when necessary (system crash, damage or corruption of the information, improper modification of the information, theft and deletion of data, encryption of the information by ransomware, etc.). At least one copy should be kept offline or immutable, so that ransomware that reaches the production systems cannot encrypt the backups as well.
- Maintaining a data redundancy model that keeps the information duplicated in two (or more) repositories, so as to avoid losing it and guarantee business continuity in the event of interruptions and/or failures.
- Carrying out continuous monitoring to check the status of the data and raise alerts in case of possible problems with it.
Authenticity of information guarantees that it comes from a reliable source, from whom it claims to come, and has not been falsified along the way, thus preventing identity fraud.
Let's look at some possible mechanisms to strengthen the authenticity of information:
- Implementing and applying robust authentication methods that allow us to identify users and their privileges, through strong passwords, profiles, configurations, roles, two-factor authentication (2FA), multi-factor authentication (MFA), biometrics, SMS codes (the weakest of these second factors), etc.
- Using electronic signatures that corroborate the authenticity of documents, of the data and information they contain, and of the transactions carried out with that information.
- Maintaining an event log that stores and covers all the activity related to each and every data set and its "movements", making it possible to know at all times who has accessed it and what changes they have made.
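The digital signatures named under integrity and the electronic signatures named here for authenticity rest on the same mechanism, so one added example serves both. This is illustrative code written for this edit, not code from the original article or from Zerolynx; it uses the Go standard library's Ed25519. The sample transfer document, the "sender" and "impostor" key pairs and the `VerifyAgainst` helper are constructed for the example. It shows that an altered document fails verification (integrity), that a document re-signed by an impostor fails against the key the verifier trusts (authenticity), and the caveat that a verifier which trusts the key shipped inside the message would accept the forgery.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedRecord is a document together with the public key that claims to have
// signed it and the signature over the document bytes.
type SignedRecord struct {
	Document  []byte
	PublicKey ed25519.PublicKey
	Signature []byte
}

// Sign produces a SignedRecord with Ed25519. Ed25519 hashes the message
// internally, so the document bytes are signed directly.
func Sign(priv ed25519.PrivateKey, doc []byte) SignedRecord {
	return SignedRecord{
		Document:  append([]byte(nil), doc...),
		PublicKey: priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, doc),
	}
}

// VerifyAgainst checks a record against the key the verifier already trusts for
// this sender (obtained out of band or from a certificate), not against the key
// embedded in the record. It fails if the document was altered (integrity) or if
// the signature was produced by another key (authenticity).
func VerifyAgainst(trusted ed25519.PublicKey, rec SignedRecord) bool {
	if !trusted.Equal(rec.PublicKey) {
		return false
	}
	return ed25519.Verify(trusted, rec.Document, rec.Signature)
}

// SignatureScenario returns, in order: whether the untouched record verifies,
// whether a record with one altered field verifies, whether a record re-signed by
// an impostor verifies against the trusted key, and whether that same forgery
// would pass a naive check that trusts the key embedded in the record.
func SignatureScenario() (original, tampered, forged, naive bool, err error) {
	senderPub, senderPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	_, impostorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	// Constructed sample document; not a real transaction.
	doc := []byte("transfer: amount=12500.00 EUR; beneficiary=ACME S.L.")
	rec := Sign(senderPriv, doc)
	original = VerifyAgainst(senderPub, rec)

	// Integrity: someone changes the amount after signing.
	altered := rec
	altered.Document = bytes.Replace(rec.Document, []byte("12500.00"), []byte("92500.00"), 1)
	tampered = VerifyAgainst(senderPub, altered)

	// Authenticity: an impostor re-signs the altered document with their own key
	// and presents it as coming from the sender.
	forgery := Sign(impostorPriv, altered.Document)
	forged = VerifyAgainst(senderPub, forgery)
	// A check that trusts the embedded key accepts the forgery: the trusted key
	// must never be taken from the message itself.
	naive = ed25519.Verify(forgery.PublicKey, forgery.Document, forgery.Signature)
	return
}

func main() {
	original, tampered, forged, naive, err := SignatureScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("original ok: %v, tampered ok: %v, forged ok: %v, naive check accepts forgery: %v\n",
		original, tampered, forged, naive)
}
```

The practical point for the event-log item as well: a log entry that records who signed what is only as trustworthy as the binding between the signing key and the person, which is why key distribution (certificates, a PKI, or an out-of-band exchange) matters as much as the signature itself.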
Legality refers to compliance with the existing laws, rules and regulations that apply to data management throughout its entire life cycle. These are in most cases mandatory and carry legal and economic sanctions in the event of non-compliance.
Some possible mechanisms for complying with the law on privacy and data protection could be the following:
- Preparation for, and certification of, compliance with the applicable laws and regulations, such as the GDPR / RGPD (General Data Protection Regulation), the LOPD (Organic Data Protection Law), the LOPDGDD (Organic Law on Data Protection and Guarantee of Digital Rights), HIPAA (the United States Health Insurance Portability and Accountability Act), etc., depending on which applies to us as a priority.
- Carrying out frequent audits, both internal and external, to guarantee conformance and compliance with the data protection and privacy laws and regulations that apply to us.
- Managing documentation that demonstrates compliance with the relevant laws, rules and regulations.
As we can see, guaranteeing the security of information and data is not trivial; it carries its own complexity, especially when linked to the concept of business continuity.
Both are closely related elements; we could even say they are indivisible. A solid cybersecurity strategy must include both pieces to ensure that the company can withstand and recover from cyber incidents (what we know as resilience or cyber resilience).
For this reason, they must work together, seeking, as a tandem, the same capabilities and activities to achieve common final objectives:
- Threat protection, avoiding cyber incidents and cyber attacks that interrupt operations.
- Legal compliance with the rules and regulations required of companies for data protection and the application of business continuity plans.
- Maintenance of operations, ensuring that the company can continue operating even after a cyber incident.
- Immediate recovery, minimizing downtime and data loss in the event of a cyber incident.
- The creation and application of business continuity plans that allow the company to continue operating in crisis situations.
- Incident / cyber incident response, starting from the definition and establishment of clear procedures to apply in the event of a cyber incident, with which data integrity is preserved and the operational impact minimized.
All companies face this landscape and these information protection challenges, whether they are micro, small, medium, large or enormous corporations, although it applies to each one differently and the solutions and regulations to be applied may vary between them.
Small companies can opt for simpler security solutions, perhaps take a somewhat more relaxed approach on some points of the regulations in this area, and outsource certain functions for which they lack the capacity or resources.
Large companies will require more complex infrastructures and solutions, stricter regulatory compliance and qualified, specialized and professional teams, both internal and external.
Does your company need help with information protection and regulatory compliance services like the ones we offer at Zerolynx? Cybersecurity Services.
If you prefer, contact us and let's talk.