Module 9 · Security controls - the CIAR attributes
Security has four attributes, CIAR: Confidentiality, Integrity, Availability and Resilience. Resilience is new to EU data-protection law: Article 32(1)(b) of the GDPR requires the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, where the earlier Directive spoke only of the first three. Article 28 requires controllers to use only processors providing sufficient guarantees, so vendor due diligence and ongoing checks of processors are part of security, not a separate procurement exercise.
| Attribute | Function |
|---|---|
| Confidentiality | Only authorised people and systems can access the data, on a need-to-know basis |
| Integrity | Data is accurate and complete, and is not altered or destroyed without authorisation |
| Availability | Data and systems are accessible when needed, and access can be restored in a timely manner after an incident (Art. 32(1)(c)) |
| Resilience | Systems withstand faults and attacks and recover from them (new via the GDPR, Art. 32(1)(b)) |
Security in practice is a holistic approach: management and worker buy-in; a policy framework (an ISMS); the physical environment (entry control, CCTV, clean-desk); technical measures; and organisational measures.
- Technical measures: encryption (at rest and in transit), antivirus/antispam, firewalls, identity and access management (IAM), incident detection and response, data loss prevention (DLP), two-factor/multi-factor authentication (2FA/MFA), logging and audit trails, vulnerability management, penetration testing.
- Organisational measures: staff training, vetting, data governance and classification, processor contracts/data processing agreements (DPAs), vendor due diligence.
"The controller shall use only processors providing sufficient guarantees..." (Article 28(1)) - so the controller must do vendor due diligence before engaging a processor and ongoing checks/audits afterwards, at a frequency proportionate to the sensitivity and volume of the data processed. The processor contract must allow for and contribute to those audits and inspections (Article 28(3)(h)), so the right to audit should be written into the DPA rather than assumed.