Availability was the main focus some years ago. Denial-of-service was the main worry, and business continuity was the focus of organizations. Then came the turn for confidentiality, and encryption became something that was -almost- everywhere. The impacts of a loss in availibility is big; the impact of a loss of confidentiality is bigger… and scarier.

But now comes the time for data integrity. Right now, few decision-making minds in organizations focus on that, or care about it. But still, the impact of a loss in data integrity is -and here we agree with Mr. Lacey- huge. What if somebody changed the data -intentionally or not? Results can go from from undermining the people’s (think about the recent alleged attack by a hacker to the Virginia Health Professions Database) or even fraud (think about the Satyam Computers‘ case.

And it gets darker. The problem comes not only by safeguarding integrity, but also to the long and painful process of recovering from one of this attacks: how to know exactly which data is trustworhty (i.e. hasn’t been tampered with) and what is not?

It is surprising that currently there is not a big concern about this. We are guessing that unfortunately this concern will come when it is too late, and there are many breaches in data integrity and costs and consequences are there to remind us of its important. That is why, in David Lacey’s words,  it a time-bomb, waiting to explode.

We are working for showing Mr. Sembhi that we are what he misses: a data integrity protection solution aimed at protecting every type of data.

In the meantime, he mentions a fact as true as the sky is blue: it all starts with putting proper procedures in place. For reducing the organization’s exposure to data integrity attacks (and to high-value frauds), Mr. Sembhi mentions:

• “Create policies and procedures for data quality and data integrity
• Create policies and procedures to identify the extent of the problem and record incidences of data integrity compromises and suspected incidents of fraud
• Ensure information assets are correctly valued, (including configuration and log files, and meta data)
• Undertake threat assessment of valued data
• Take a risk management approach to protecting data integrity
• Ensure adequate protection of all data that is relied upon for investigatory purposes
• Include data integrity protection as part of security awareness programme”

The new standard’s name is quite self-explanatory: “Evidential weight and legal admissibility of electronic information. Specification”. As the BSI website states, “legal admissibility concerns whether or not a piece of evidence would be accepted by a court of law. To ensure the admissibility, information needs to be managed by a secure system throughout its lifetime (which can be for many years). Where doubt can be placed on the information, the evidential weight may well be reduced, potentially harming the legal case”. The BSI 10008 is aimed therefore to ensure that any piece of electronic information used in a Court of Law has the maximum evidential weight.

There are many interesting aspects here. First, it shows the need of clearly establishing guidelines and a common framework for how to deal with electronic data and digital evidence. And second -but no less important- it outlines how data integrity is a key aspect in information management.

We just bought a copy of the standard. We’ll read it and publish some thoughts… Stay tuned.