Trust and Safeguards in Information Security: An Organizational Perspective
Define the word "trust" as it relates to information security. Based on your understanding of securing an environment, what are some of the common safeguards recommended to ensure that trust is viable in an organization?
Defining Trust in Information Security
Trust, as defined by Jacobs (2015), is a characteristic that allows one entity to assume that a second entity will behave exactly as the first entity expects. Trust can be viewed as assurance in the honesty, skill, character, and certainty of a person or thing.
Recommended Safeguards
A few examples of safeguards described by Jacobs (2015): fallback computer equipment and backup files should be stored a safe distance from the primary system so that a single disaster cannot destroy both. Special security controls may be necessary at an organization to protect against physical security threats, and the organization's supporting facilities, such as electrical power sources, heating and air conditioning, and cabling infrastructure, must be safeguarded (Jacobs, 2015, p. 178). The audit tools used by the internal audit team should be separated from development and operational systems and given an appropriate level of additional protection to safeguard their integrity and prevent misuse of these tools (Jacobs, 2015, p. 184). An organization's network also needs to be safeguarded; a common safeguard for WANs is partitioning the network into separate subnets where security mechanisms can be more easily provisioned and controlled (Jacobs, 2015, p. 278).
Organizational Safeguards in Practice
Examples of safeguards in place and recommended at my organization of employment: Employees are required to wear photo identification badges so that others can see who they are and what security level they are cleared for. Physical security is in place throughout the building to safeguard against unauthorized access to the building. Turnstiles at the entrance, where security guards are on duty, verify identity on arrival at the office. Where security guards are not on duty, such as at parking lot entry points, two-factor authentication is required for an employee to enter the building, and a revolving door at that entry admits only one person at a time so that no tailgating can occur on entry from the parking lot.
Single sign-on has been implemented so that if a person is terminated, all of that user's access is denied when they leave the company, safeguarding the organization from the person accessing any data or information on internal or external information systems. For sensitive information such as human resources data, two-factor authentication has been enabled for all employees to safeguard against such information ending up in the wrong hands.
The CIA Security Triad
The building blocks of security are based on the security triad: availability, integrity and confidentiality.
Privacy Building Blocks
The building blocks of privacy, as described by IAPP (2014), are limited use, defined purpose, limited retention, consent, limited collection, limited disclosure, accountability, confidentiality, integrity and availability.
ISO 27001 Security Domains
IAPP (2014) lists the ISO 27001 security domains as policy, access control, communication, organization, cryptography, system acquisition, business continuity, human resources, physical security, supplier relationships, compliance, asset management, operations and incident management. Of all these domains, a few focus on trust: cryptography, communication, business continuity, asset management and operations.
Cryptography and Key Management
Cryptography is the practice of writing and reading messages in a form that only the intended parties can understand. Cryptographic keys should be maintained on a regular basis; in other words, keys should be rotated out and replaced with new ones on a schedule.
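Scheduled rotation is only safe if the system knows which key produced which signature and stops honouring a replaced key after a bounded grace period. The following is an added example, not code from Jacobs (2015) or IAPP (2014), showing a versioned keyring for HMAC-signed tokens: the key id travels with the token, a replaced key remains valid for verification during a grace window and is then retired, and still-valid tokens can be migrated onto the current key. The token format (key id, payload, hex MAC separated by dots), the one-week grace window and the sample keys are assumptions for the illustration.

```python
"""Scheduled key rotation with a versioned keyring (added example).

Not code from the cited texts; it illustrates the rotation practice the
text recommends. Assumptions: tokens look like '<key id>.<payload>.<hex
HMAC-SHA256>'; a replaced key still verifies during a grace window and is
then retired; the fixed keys used in the demo/tests are constructed sample
values, never real secrets.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

GRACE_SECONDS = 7 * 24 * 3600  # replaced key still verifies for one week (assumed policy)


@dataclass
class KeyRecord:
    key_id: str
    secret: bytes
    activated_at: int                  # Unix time the key became the signing key
    retired_at: Optional[int] = None   # from this time on the key is rejected outright


@dataclass
class Keyring:
    keys: Dict[str, KeyRecord] = field(default_factory=dict)
    current: Optional[str] = None      # id of the key used for new signatures
    serial: int = 0                    # monotonically increasing key counter

    def rotate(self, now: int, secret: Optional[bytes] = None) -> str:
        """Install a fresh signing key; the previous key enters its grace window."""
        if self.current is not None:
            self.keys[self.current].retired_at = now + GRACE_SECONDS
        self.serial += 1
        key_id = f"k{self.serial}"
        self.keys[key_id] = KeyRecord(key_id, secret or secrets.token_bytes(32), now)
        self.current = key_id
        return key_id

    def sign(self, payload: str) -> str:
        """Sign with the current key only; the key id is carried in the token."""
        if self.current is None:
            raise RuntimeError("keyring has no signing key; call rotate() first")
        rec = self.keys[self.current]
        mac = hmac.new(rec.secret, payload.encode(), hashlib.sha256).hexdigest()
        return f"{rec.key_id}.{payload}.{mac}"

    def verify(self, token: str, now: int) -> bool:
        """Accept a token signed by the current key or by a key still in grace."""
        try:
            key_id, rest = token.split(".", 1)
            payload, mac = rest.rsplit(".", 1)
        except ValueError:
            return False                      # malformed token
        rec = self.keys.get(key_id)
        if rec is None:
            return False                      # unknown or purged key id
        if rec.retired_at is not None and now >= rec.retired_at:
            return False                      # grace window over: refuse
        expected = hmac.new(rec.secret, payload.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected.encode(), mac.encode())

    def resign(self, token: str, now: int) -> Optional[str]:
        """Migrate a still-valid token onto the current key (run during grace)."""
        if not self.verify(token, now):
            return None
        payload = token.split(".", 1)[1].rsplit(".", 1)[0]
        return self.sign(payload)

    def purge(self, now: int) -> int:
        """Delete keys whose grace window has ended; returns how many were removed."""
        dead = [k for k, r in self.keys.items()
                if r.retired_at is not None and now >= r.retired_at]
        for k in dead:
            del self.keys[k]
        return len(dead)


if __name__ == "__main__":
    ring = Keyring()
    ring.rotate(now=1_000)
    tok = ring.sign("user=alice;role=finance")
    ring.rotate(now=5_000)                                 # scheduled rotation
    print(ring.verify(tok, now=5_100))                     # old key still in grace
    print(ring.verify(tok, now=5_000 + GRACE_SECONDS))     # old key retired
```

The grace window is what makes rotation operationally survivable: tokens issued just before the switch keep working while clients pick up re-signed ones, but after the window the old key is refused even if the secret has leaked, and purge() removes it so a later compromise of the keyring cannot revive it.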
Trust as a Measurable Concept
As pointed out by IAPP (2014), the security services are authentication, access control, confidentiality, data integrity and non-repudiation.
Two typical definitions are:
Confidence in the integrity, ability, character, and truth of a person or thing (The American Heritage Dictionary, Houghton Mifflin, 1983)
and
assumed reliance on the character, ability, strength, or truth of someone or something, b: one in which confidence is placed, 3a: a property interest held by one person for the benefit of another. (Webster's New Collegiate Dictionary, 2nd ed., 1960)
We routinely establish a qualitative measure of trust with those we associate/interact with regarding their honesty and reliability, with the expectation that they will behave in certain ways. Unfortunately, we have yet to identify a quantitative measure of confidence so the best we can achieve is some measure of assurance that a person or thing cannot abuse the degree of "trust" we have that they will act as expected. Consequently the word trust should not be used when discussing information security as this word cannot be related to any property that can be designed into a system.
Where do we start with measuring assurance? It begins with understanding what needs protection so we need to inventory:
- objects (i.e., assets, tangible/intangible property), and
- subjects (i.e., actors, users).
We also need to identify what and how each subject is allowed to interact with which objects. Subjects can also be grouped according to some common set of attributes, such as all members of the finance, sales, or engineering departments. These organizational groupings are frequently called classes or groups. These subject – object – allowed access relationships represent the level of "trust" we grant to subjects within an organization. (Jacobs, 2015, pp. 63-64)
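The subject – object – allowed-access inventory in the passage above is, in effect, an access-control matrix with subjects grouped into classes. The following is an added example, not code from Jacobs (2015), that builds such an inventory with default deny: an access is allowed only if a grant to the subject itself or to one of its groups covers the (object, action) pair, grants can only be made against inventoried objects and principals, and the same data answers the access-review question "who can read this?". The department names, people and objects are constructed sample data.

```python
"""Subject-object-allowed-access inventory with default deny (added example).

Not code from Jacobs (2015); it illustrates the inventory the quoted passage
describes. Assumptions: subjects may belong to groups (the "classes" in the
text); rights are granted to a subject or to a group as (object, action)
pairs; an access is allowed only if some grant covers it. All names below
are constructed sample data.
"""
from typing import Dict, Set, Tuple

Permission = Tuple[str, str]  # (object, action)


class AccessPolicy:
    def __init__(self) -> None:
        self.subjects: Set[str] = set()
        self.objects: Set[str] = set()
        self.groups: Dict[str, Set[str]] = {}            # group -> member subjects
        self.grants: Dict[str, Set[Permission]] = {}     # principal -> granted pairs

    def add_object(self, obj: str) -> None:
        self.objects.add(obj)

    def add_subject(self, subject: str, *groups: str) -> None:
        self.subjects.add(subject)
        for g in groups:
            self.groups.setdefault(g, set()).add(subject)

    def grant(self, principal: str, obj: str, action: str) -> None:
        """principal is a subject or a group; both sides must be inventoried first."""
        if obj not in self.objects:
            raise KeyError(f"object {obj!r} is not in the inventory")
        if principal not in self.subjects and principal not in self.groups:
            raise KeyError(f"principal {principal!r} is not in the inventory")
        self.grants.setdefault(principal, set()).add((obj, action))

    def principals_for(self, subject: str) -> Set[str]:
        """The subject itself plus every group it belongs to."""
        return {subject} | {g for g, members in self.groups.items() if subject in members}

    def is_allowed(self, subject: str, obj: str, action: str) -> bool:
        """Default deny: unknown subjects, unknown objects and ungranted pairs fail."""
        if subject not in self.subjects or obj not in self.objects:
            return False
        return any((obj, action) in self.grants.get(p, ())
                   for p in self.principals_for(subject))

    def effective_rights(self, subject: str) -> Dict[str, Set[str]]:
        """Flatten direct and group grants into object -> actions for one subject."""
        rights: Dict[str, Set[str]] = {}
        for p in self.principals_for(subject):
            for obj, action in self.grants.get(p, ()):
                rights.setdefault(obj, set()).add(action)
        return rights

    def subjects_with_access(self, obj: str, action: str) -> Set[str]:
        """Access-review view: which subjects can perform action on obj?"""
        return {s for s in self.subjects if self.is_allowed(s, obj, action)}


def build_sample_policy() -> AccessPolicy:
    """Constructed sample: finance and engineering classes plus a staff-wide group."""
    p = AccessPolicy()
    for obj in ("payroll.db", "source-repo", "wiki"):
        p.add_object(obj)
    p.add_subject("alice", "finance", "staff")
    p.add_subject("carol", "finance", "staff")
    p.add_subject("bob", "engineering", "staff")
    p.grant("staff", "wiki", "read")
    p.grant("finance", "payroll.db", "read")
    p.grant("alice", "payroll.db", "write")       # individual grant on top of the class
    p.grant("engineering", "source-repo", "read")
    p.grant("engineering", "source-repo", "write")
    return p


if __name__ == "__main__":
    policy = build_sample_policy()
    print(policy.effective_rights("alice"))
    print(policy.subjects_with_access("payroll.db", "read"))
```

Keeping the object and subject inventories explicit is what makes the "trust" granted visible and reviewable: effective_rights() shows everything one subject can touch, and subjects_with_access() shows everyone who can reach one asset, which are the two questions an access review has to answer.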
References
Douglass, B. P. (2016). Agile systems engineering [Electronic version]. Books24x7.
International Association of Privacy Professionals. (2014). An introduction to the ISO security standards [Conference presentation slides]. IAPP Privacy Academy 2014. Retrieved from https://iapp.org/media/presentations/14Symposium/CS14_Introduction%20to%20ISO.pdf
Jacobs, S. (2015). Engineering information security: The application of systems engineering concepts to achieve information assurance (2nd ed.). John Wiley & Sons/IEEE Press. Retrieved from https://onlinelibrary.wiley.com/doi/book/10.1002/9781119104728
Peltier, T. R. (2013). Information security fundamentals (2nd ed.). Auerbach Publications/CRC Press. https://doi.org/10.1201/b15573
Tipton, H. F., & Krause, M. (Eds.). (2007). Information security management handbook (6th ed., Vol. 1). Auerbach Publications/CRC Press.