Which of the following statement best describes “confidentiality?”
A. How the system protects data from unauthorized access
B. Access to the system by authorized personnel
C. How the system prevents the disclosure of information
D. Process of determining the identity of a user
PS. These answer options are excerpts from the ISC2 on-line course, Assessing Application Security.
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. How the system prevents the disclosure of information.
Restricting unauthorized access contributes both confidentiality and integrity while preventing the disclosure of information enforces confidentiality only.
Integrity is dependent on confidentiality. Without confidentiality, integrity cannot be maintained.
Stewart, James M.; Chapple, Mike; Gibson, Darril. CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide (Kindle Locations 1640-1641). Wiley. Kindle Edition.
- To access is to obtain the use of a resource. (ISO/IEC 20944-1:2013)
- Ability to make use of any information system (IS) resource. (NIST Glossary)
- A specific type of interaction between a subject and an object that results in the flow of information from one to the other. (Orange Book)
Based on the definitions above, I define “access” as follows:
Access is an entity’s behavior to read or write data or make use of any information system (IS) resource. The active party that initiates the access is a subject; the data or resource as the passive party is an objective.
Unauthorized access (read and write) can lead to the disclosure and alteration of information. For example,
- The Bell-Lapadula Model restricts information flow through simple and star (*) security properties (no read-up and no write-down) to enforce confidentiality.
- The Biba Model restricts information flow through simple and star (*) integrity properties (no read-down and no write-up) to enforce integrity.
It implies the assurance of both confidentiality and integrity if a system protects data from unauthorized access. It ensures confidentiality only if a system prevents the disclosure of information.