What is 'integrity'?
‘Integrity’ is a fascinating property of information, multi-faceted, more complex and more widely applicable in information security that it might seem.
It involves aspects and issues such as:
- Factual correctness of information (objectivity versus subjectivity, plus the huge grey area in between and issues arising such as impartiality and perspective);
- Relevance of information to the matter/s at hand and the substantiality or weight of evidence (e.g. 'contemporaneous notes' recorded in the policeman’s pocket book at the time of an alleged offence may carry more weight in court than later, verbal or written accounts and recollections, but audio/video footage and other evidence captured at the scene with all the right controls in effect tends to be even stronger, even weightier);
- Completeness of information (which also touches on context and scope issues, and practicalities in a legal setting: there isn't time to present, consider and take into account absolutely everything, so someone has to select the most valuable bits, introducing their judgement into the process);
- Timeliness and up-to-date-ness of information (not being too outdated or stale, being applicable to and valid within the specific context);
- Impact of information (some things are inherently notable and more important than others, perhaps having shock value or otherwise eliciting strong emotional reactions ... which has implications on what information is provided, how it is expressed, to whom, when, in what manner, with what emphasis etc.);
- Proof and provability (the ability to demonstrate, confidently and convincingly, that everything is in order, with sufficient strength to resist challenges, hence the importance of ‘chain of custody’, for instance, and all manner of physical and logical controls to prevent or at least detect tampering, substitution etc. in forensics);
- Trust and trustworthiness, confidence, credibility etc. of the information, plus the associated activities, systems, storage, analytical methods, analysts and so on (goes hand-in-hand with proof and provability, includes aspects such as compliance with applicable rules concerning how evidence may be obtained or captured in the first place);
- Presentation, discussion, interpretation and ultimately the perceived meaning and value of information (that part of information integrity around communicating things properly in a manner that leads to them being correctly understood: communication involves both sending and receiving, remember, plus other issues such as interception, duplication, duplication, interruption, modification, delays, mis-routing, redirection etc.);
- Competence, capability, credibility and suitability of various witnesses, analysts and advisors, lawyers, judges etc. involved in cases (e.g. what does it really mean to be an “expert witness”? What are the criteria and obligations of that role? Who determines whether a judge is competent to judge, and how?) ... and similar issues in other contexts (e.g. in business, managers rely on sound, expert advice from competent professional specialists);
- IT systems, communications and data integrity (e.g. cyclic redundancy checks, cryptographic methods such as digital signatures using hashing, database/referential integrity and more - the technological and mathematical basis for ICT), plus the whole area of digital or eForensics as opposed to the more traditional forms of forensics;
- Fairness and equitability (e.g. treating similar crimes on a similar basis, and protecting the rights of the weak against the might of the strong – with the interesting consequence that even low-weight ‘circumstantial’ evidence may be valuable if there is nothing better and simply discounting it would be ‘unfair’);
- Ethics, plus all manner of frauds and scams, social engineering, manipulation, deception and more (human integrity failures! This, arguably, makes integrity the ultimate challenge in politics).
I realise this is a brain dump ... but it's clear that there is a lot of stuff here, more than enough to fill a month's awareness module on 'integrity'. The same is true of 'confidentiality' and 'availability', two closely-related core concepts in information security.
But should we go down this route at all or is it all too 'academic', too 'theoretical', too 'airy-fairy'??
I am undecided at the moment. Even if we don't produce C, I and A awareness modules as such, we routinely cover C, I and A in the course of our other topics anyway since these are fundamental to all that we do. However, I find that long shopping list of things above intriguing: there's lots we could say in this area, and plenty of real-world examples we could use to illustrate and explain the topic pragmatically. It would be educational ... but would it be sufficiently interesting and motivational for the majority of our audience?
The list above was prompted by a question on the ISO27k Forum about integrity in forensics ... which suggest another awareness topic. I guess the endless stream of TV shows in this area has set the scene for us, and would provide an opportunity to poke fun at gross inaccuracies such as detectives wandering willy-nilly through crime scenes that are being, or have yet to be, forensically examined. Hmmm, "fun" is something that everyone enjoys so an awareness module on forensics is a definite possibility. I guess I should start watching those CSI programs and taking notes.
Meanwhile, the jury's out.