T 5.71 Loss of confidentiality of classified information
Confidentiality is a requirement specifying that only those persons authorised to have knowledge of certain information should be allowed access to it. Confidentiality is one of the basic values of information security, in addition to integrity and availability.
For information requiring protection of its confidentiality (such as passwords, personal data, confidential company or governmental information, or development data), there is an inherent danger that the confidentiality of this information can be affected by technical failures, carelessness, or even deliberate action.
Access to confidential information can be gained from a variety of sources, for example:
- storage media in computers (hard disks),
- removable storage media (USB sticks, CDs, or DVDs),
- printed documents (printouts, files), and
- transmission routes used when data is transferred.
There are various ways of actually obtaining the confidential information, for example:
- reading files,
- copying files,
- restoring data from backup copies,
- stealing the data medium for later evaluation,
- tapping transmission lines,
- infecting computers with malicious software, and
- viewing information on the screen.
Serious consequences can result for an organisation when information is read or disclosed without authorisation. A loss of confidentiality can have the following adverse effects, among others, on an organisation:
- Violations of laws, for example laws relating to data protection or banking secrecy
- Negative internal effects, for example a loss of employee morale
- Negative external effects, for example poorer relationships with business partners or the loss of customer trust
- Financial effects, for example damage claims, fines, and court costs
- Impairment of the right to informational self-determination
It must also be noted that a loss of confidentiality is not always noticed immediately. In many cases, an organisation only finds out later that unauthorised persons have gained access to confidential information and that damage was caused as a result.