The typical objectives of cybersecurity are confidentiality, integrity and availability; what differs between use cases is how they are prioritized.

Confidentiality protection is derived from the associated information classification. Integrity protection comes from understanding, through risk assessment, the consequences for each information entity, to determine which ones need protection.

Then what about availability? I saw a cybersecurity practitioner develop a security policy by copying the textbook definition: simply to ensure information is available at all times.

Without a measurement, that is not practically achievable. We have to define that information must be available per the service pledge. Then give the pledge a certain margin by defining availability to exclude planned outages for maintenance, achieving, say, 99.99% availability at all times. This is the foundation for establishing cost-optimal resilience to meet the committed target.
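To make the point concrete, here is an added example (not from the original post) of how such a pledge can actually be measured. It computes availability for a reporting period from a list of outage records, removing planned maintenance windows from the denominator, counting only the part of an unplanned outage that falls outside a maintenance window as downtime, and comparing the result against a 99.99% target and its downtime budget. The outage records, period and the `Outage` type are constructed for this example; a real report would read them from a monitoring or incident system.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Outage:
    start: datetime
    end: datetime
    planned: bool  # True = announced maintenance window, excluded from the pledge


def _clip(start, end, period_start, period_end):
    """Restrict an interval to the reporting period; None if it does not overlap."""
    s, e = max(start, period_start), min(end, period_end)
    return (s, e) if e > s else None


def _merge(intervals):
    """Merge overlapping intervals so no second of downtime is counted twice."""
    merged = []
    for s, e in sorted(intervals):
        if merged and s <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], e))
        else:
            merged.append((s, e))
    return merged


def _subtract(interval, blockers):
    """Parts of `interval` not covered by the merged, sorted `blockers`."""
    s, e = interval
    pieces = []
    for bs, be in blockers:
        if be <= s or bs >= e:
            continue
        if bs > s:
            pieces.append((s, bs))
        s = max(s, be)
        if s >= e:
            break
    if s < e:
        pieces.append((s, e))
    return pieces


def _seconds(intervals):
    return sum((e - s).total_seconds() for s, e in intervals)


def availability_report(period_start, period_end, outages, target=0.9999):
    """Availability per the pledge: planned maintenance leaves the denominator,
    unplanned downtime outside maintenance windows reduces the numerator."""
    total = (period_end - period_start).total_seconds()
    clipped = [(o.planned, _clip(o.start, o.end, period_start, period_end)) for o in outages]
    planned = _merge([iv for p, iv in clipped if p and iv])
    unplanned = _merge([iv for p, iv in clipped if not p and iv])
    # Only unplanned seconds that fall outside a maintenance window count as downtime
    unplanned_secs = sum(_seconds(_subtract(iv, planned)) for iv in unplanned)
    pledged = total - _seconds(planned)
    availability = (pledged - unplanned_secs) / pledged
    budget = (1 - target) * pledged  # downtime the target allows in this period
    # The "textbook" figure for contrast: every outage counts, nothing is excluded
    naive = (total - _seconds(_merge(planned + unplanned))) / total
    return {
        "pledged_seconds": pledged,
        "unplanned_seconds": unplanned_secs,
        "availability": availability,
        "naive_availability": naive,
        "downtime_budget_seconds": budget,
        "budget_remaining_seconds": budget - unplanned_secs,
        "meets_target": availability >= target,
    }


# Constructed sample data: one 30-day period with a maintenance window, an incident
# that overran that window, and a separate 10-minute incident.
PERIOD_START = datetime(2024, 6, 1)
PERIOD_END = datetime(2024, 7, 1)
SAMPLE_OUTAGES = [
    Outage(datetime(2024, 6, 9, 2, 0), datetime(2024, 6, 9, 4, 0), planned=True),
    Outage(datetime(2024, 6, 9, 3, 30), datetime(2024, 6, 9, 4, 30), planned=False),
    Outage(datetime(2024, 6, 15, 10, 0), datetime(2024, 6, 15, 10, 10), planned=False),
]


def sample_report():
    return availability_report(PERIOD_START, PERIOD_END, SAMPLE_OUTAGES)


if __name__ == "__main__":
    for k, v in sample_report().items():
        print(f"{k}: {v}")
```

In the sample, the pledged availability works out to about 99.907% because 2,400 seconds of unplanned downtime fall outside the maintenance window, while the 99.99% target only allows about 258 seconds over the period; the report therefore shows the target missed and the budget overspent, which is exactly the signal a resilience investment decision needs. The naive figure that counts maintenance as downtime comes out lower still, which is why the exclusion has to be written into the pledge rather than left to the reader of the report.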
