Confidentiality and criticality
Data management needs can be understood in terms of data's confidentiality, integrity, and availability. These concerns address different data needs, including protective needs, and are a reflection of how, when, and why that data is used. The purpose of data management is to protect against unintentional, unlawful, or unauthorized disclosure, alteration, or destruction of data.
In the University's information security model, confidentiality is the driving force behind most information security requirements. Some requirements apply based on data's criticality—its combined integrity and availability concerns—to business continuity and operational effectiveness.
Definition: Confidentiality is the preservation of authorized restrictions on University information access and disclosure, including means for protecting personal privacy and proprietary information.
Confidentiality has to do with the privacy of information, including authorizations to view, share, and use it. Information with low confidentiality concerns may be considered "public" or otherwise not threatening if exposed beyond its intended audience. Information with high confidentiality concerns is considered secret and must be kept confidential to prevent identity theft, compromise of accounts and systems, legal or reputational damage, and other severe consequences.
Examples of data with high confidentiality concerns include:
- Social Security numbers, which must remain confidential to prevent identity theft.
- Passwords, which must remain confidential to protect systems and accounts.
Definition: Integrity is the protection against improper modification or destruction of University information. It includes non-repudiation and authenticity.
Integrity concerns—along with availability concerns—contribute to data's criticality.
Integrity has to do with the accuracy of information, including its authenticity and trustworthiness. Information with low integrity concerns may be considered unimportant to precise business function or not necessary to vigorously check for errors. Information with high integrity concerns is considered critical and must be accurate in order to prevent negative impact on business function.
Examples of data with high integrity concerns include:
- Application code, which must be accurate and unaltered in order to ensure proper application function.
- System logs, which must be accurate and unaltered in order to ensure proper detection of intrusions and system changes.
Definition: Availability is the timeliness and reliability of access to and use of University information.
Availability concerns—along with integrity concerns—contribute to data's criticality.
Availability has to do with the accessibility and continuity of information. Information with low availability concerns may be considered supplementary rather than necessary. Information with high availability concerns is considered critical and must be accessible in order to prevent negative impact on business function.
Examples of data with high availability concerns include:
- Website files, which must remain accessible to prevent site downtime and disruption of service.
- Payroll and tuition data, which must remain accessible to facilitate business continuity.
Definition: Criticality is the importance of data availability and integrity to the business continuity and operational effectiveness of the University.
Criticality is a reflection of data's integrity and availability concerns.
Non-critical information is necessary to the business continuity or operational effectiveness of the unit. Loss of integrity or availability of non-critical information would have little to no short-term impact on business continuity or operational effectiveness. The consequences could include the delay or degradation of services or operational effectiveness. Non-critical systems require protective measures, techniques, or procedures generally commensurate with commercial best practices.
Critical information is important to the business continuity or operational effectiveness of the unit. Loss of availability or integrity of critical information would have moderate short-term impact on business continuity or operational effectiveness. The consequences could include delay or degradation in providing key services or project progress that may seriously impact operational effectiveness. Critical information requires additional safeguards beyond best practices.
Mission critical information is vital to the business continuity or operational effectiveness of the unit. Loss of integrity or availability of mission critical information would have significant short-term impact on business continuity or operational effectiveness. The consequences could include sustained loss of operational effectiveness. Mission critical information requires the most robust protection measures.