Data Management Principle 6 – Data Security

"Data is trustworthy and is safeguarded from unauthorised access, whether malicious, fraudulent or erroneous."

Open sharing of information and the release of information via relevant legislation must be balanced against the need to restrict the availability of classified, proprietary, and sensitive information.

Existing laws and regulations require the safeguarding of national security and the privacy of data, while permitting free and open access. Pre-decisional (work-in-progress, not yet authorized for release) information must be protected to avoid unwarranted speculation, misinterpretation, and inappropriate use. Integrity, confidentiality and availability are maintained as long as information is needed.


The organisation’s technology infrastructure should move towards a single directory-based system that provides authentication services to each and every application, database, file-server and collaboration environment. Each of these systems should then manage access control appropriate to the business needs of each user identity.

Data security safeguards can be put in place to restrict access to "view only", "know only of its existence" or "not know of existence".

Sensitivity labelling

Sensitivity labelling for information access should be deployed using ‘protect’ flag and protective marking schemes.

Security should be designed into data elements from the beginning; it cannot be added later. Systems, data, and technologies must be protected from unauthorized access and manipulation. Information must be safeguarded against inadvertent or unauthorized alteration, sabotage, disaster, or disclosure.

