Confidentiality
The information security objective of confidentiality relates to the protection of information from unauthorised access and disclosure. It ensures that sensitive data is only accessible to individuals, processes or systems that have the appropriate authorisation. Key aspects of confidentiality are:
Access control
Ensuring that only authorised users have access to certain data or systems. This includes implementing mechanisms such as passwords, biometric procedures, access control lists (ACLs) and role-based access control (RBAC).
Encryption
Encrypting information so that only authorised parties can decrypt and read it. Encryption protects data both at rest (stored data) and in transit (data being transmitted over networks).
Data masking and pseudonymisation
Changing certain data elements, e.g. masking sensitive information such as credit card numbers or social security numbers, to protect them from being accessed by unauthorised users. Data masking and pseudonymisation can also be used for personal data (GDPR)
Secure communication
Ensuring that data is transmitted securely over networks, often by using encryption protocols such as SSL/TLS for web traffic or VPNs for secure remote access.
Least privilege principle
Granting the minimum level of access rights necessary to perform a user's tasks, thereby reducing the risk of unauthorised access to sensitive information.
Security policies and procedures
Establishing policies and rules for managing and protecting confidential information, including who can access it, how it should be handled, and what steps should be taken in the event of a breach.
