Business Secrecy Needs


Published on

Security of Secrets

Published in: Technology

Business Secrecy Needs

  1. 1. SecrecyFoundations of Information Security Series Vicente Aceituno @vaceituno (c)Inovement Europe 2014
  2. 2. Vicente Aceituno - Skype: vaceituno Linkedin - Inovement Europe - Video Blog - Blog - Twitter - Presentations - Articles -
  3. 3. Foundations of Information Security Series  Needs  Secrecy  Intellectual Property you Own  Intellectual Property you Use  Privacy  Availability  Retention  Expiration  Quality  Obligations  Technical  Compliance  Legal
  4. 4. What is Information Security?  “Information Security” is an emergent property of people using information.  People have expectations about information.  If there is no people or no information, “Information Security” is meaningless, as there are no expectations to meet.
  5. 5. What is Information Security?  When expectations about information are met, there is “Security”.  When expectations about information are not met, there is an “Incident”.
  6. 6. What is Information Security?  Some expectations are things people (or organizations) want to happen for their own reasons. These are Needs.  Some expectations are things people (or organizations) want to happen in order to meet technical, legal or standard compliance requirements. These are Obligations.
  7. 7. Secrecy
  8. 8. Secrecy  Some expectations of people about information are related to ownership, control and use of information over time.
  9. 9. Secrecy  Ownership is defined having legal rights and duties on something.  Control is defined as having the ability to:  Grant or deny access to users.  Attribute to specific users their use of information.  Use is defined as having access to read, write or modify information.
  10. 10. Secrecy There are many types of secrets, for example:  Personal and family information.  Business information, like financial, strategy, industrial and trade secrets.  Law enforcement information, sources and methods.  Crime information, like insider trading, organized crime and gangs.  Political information:  Weapon designs and technology (nuclear, cryptographic, stealth).  Military plans.  Diplomatic negotiation positions.  Intelligence information, sources and methods.  International relations, treaties like the Molotov-Ribbentrop pact, Cuba crisis agreement, Dover treaty, Quadripartite agreement, Sykes-Picot agreement  Social information, like certain religions or secret societies as the masonry.  Professional information, like health workers, social workers and journalists.
  11. 11. Secrecy  There is an expectation that Secrets will be controlled by their owners or authorized administrators only, for as long as they are authorized.  There is an expectation that Secrets will be used by authorized users only, for as long as they are authorized.
  12. 12. Secrecy  If these expectations are met or not is independent of the observer and repeatable.  Secrecy expectations can be determined answering the following questions:  Who should control the Secrets?  Who should not control the Secrets?  Who should use the Secrets?  Who should not use the Secrets?  Answering these questions renders lists that can be enumerated, measured and managed.
  13. 13. Secrecy related incidents  When Secrets are controlled by people who are not or have never been the owners or the authorized administrators. For example:  Granting access to unauthorized users.  Denying access to authorized users.  Lack of, or misattribution to specific users of their use of information.  When Secrets are used by people who are not or have never been authorized users. For a more complete list of incidents check
  14. 14. Achieving Secrecy  In order to achieve Secrecy, normally Access Control measures are taken.  Cryptography is an important technology for Access Control.  The Access Control related O-ISM3 processes are:  OSP-11 Access Control  OSP-12 User Registration
  15. 15. Measuring degrees of Secrecy Check the video that explains this metric at
  16. 16. Secrecy
  17. 17. The O-ISM3 Challenge  This was an exercise designed to throw into sharp relief the inadequacy of traditional information security concepts.  Check the exercise in full at  A summary of conclusions from the exercise, in relation to Secrecy, follow.
  18. 18. Secrecy Business Needs Intellectual Property Privacy Confidentiality Business Obligations Confidentiality
  19. 19. Confidentiality  ISO Definition: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes.  ITIL Definition: A security principle that requires that data should only be accessed by authorized people.  CobIT Definition: Concerns the protection of sensitive information from unauthorized disclosure.
  20. 20. Secrecy and Confidentiality  Confidentiality can’t be measured (it doesn’t have units). Therefore is not independent of the observer nor repeatable like Secrecy is.  Secrecy can be used to measure, communicate and manage a specific expectation of people about information.  Confidentiality is not necessary to understand or measure Secrecy.
  21. 21. Secrecy and Confidentiality  Secrecy and Confidentiality are not equivalent.  Confidentiality and Secrecy are not synonymous.  Confidentiality is not useful to understand Secrecy.
  22. 22.  Follow the Foundations of Information Security Series by joining the Linkedin O- ISM3 Group at:  Learn Advanced Information Security Management, joining us at an O-ISM3 Course: