Taken together, these definitions represent important fundamentals, the underpinnings, of cloud security, cloud audit, and cloud compliance. If you've heard me speak... you've heard me stick to this script. It hasn't changed. The message is the same. The application and context in which I use them happen to be cloud computing.
The five security goals are confidentiality, availability, integrity, accountability, and assurance.
A condition that results from the establishment and maintenance of protective measures that enable an enterprise to perform its mission or critical functions despite risks posed by threats to its use of information systems. Protective measures may involve a combination of deterrence, avoidance, prevention, detection, recovery, and correction that should form part of the enterprise’s risk management approach.
Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
SOURCE: SP 800-53; SP 800-53A; SP 800-18; SP 800-27 Rev. A; SP 800-60; SP 800-37; FIPS 200; FIPS 199; 44 U.S.C., Sec. 3542
The property that sensitive information is not disclosed to unauthorized individuals, entities, or processes.
SOURCE: FIPS 140-2
The property that information is not disclosed to system entities (users, processes, devices) unless they have been authorized to access the information.
Ensuring timely and reliable access to and use of information.
SOURCE: SP 800-53; SP 800-53A; SP 800-27; SP 800-60; SP 800-37; FIPS 200; FIPS 199; 44 U.S.C., Sec. 3542
The property of being accessible and useable upon demand by an
Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.
SOURCE: SP 800-53; SP 800-53A; SP 800-18; SP 800-27; SP 800-37; SP 800-60; FIPS 200; FIPS 199; 44 U.S.C., Sec. 3542
The property that sensitive data has not been modified or deleted in an unauthorized and undetected manner.
SOURCE: FIPS 140-2
The property whereby an entity has not been modified in an unauthorized manner.
The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity. This supports nonrepudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action.
Grounds for confidence that the other four security goals (integrity, availability, confidentiality, and accountability) have been adequately met by a specific implementation. “Adequately met” includes (1) functionality that performs correctly, (2) sufficient protection against unintentional errors (by users or software), and (3) sufficient resistance to intentional penetration or by-pass.
The grounds for confidence that the set of intended security controls in an information system are effective in their application.
SOURCE: SP 800-37; SP 800-53A
Measure of confidence that the security features, practices, procedures, and architecture of an information system accurately mediates and enforces the security policy.
The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.
SOURCE: SP 800-37; SP 800-53; SP 800-53A; SP 800-18; SP 800-60; CNSSI-4009; FIPS 200; FIPS 199; 44 U.S.C., Sec. 3542
Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide—
1) integrity, which means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity;
2) confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and
3) availability, which means ensuring timely and reliable access to and use of information.
SOURCE: SP 800-66; 44 U.S.C., Sec. 3542
The process implemented to maintain a current security status for one or more information systems or for the entire suite of information systems on which the operational mission of the enterprise depends. The process includes: 1) the development of a strategy to regularly evaluate selected IA controls/metrics, 2) recording and evaluating IA-relevant events and the effectiveness of the enterprise in dealing with those events, 3) recording changes to IA controls, or changes that affect IA risks, and 4) publishing the current security status to enable information-sharing decisions involving the enterprise.