The IT Law Wiki




is the combination of systems, applications, and internal controls used to safeguard the integrity, authenticity, and confidentiality of data and operating processes.[1]
relates to the capability to control access to information and system resources so that they cannot be used or altered by those lacking proper credentials.[2]
refers to the range of administrative, technical, and physical mechanisms that aim to preserve privacy and confidentiality by restricting information access to authorized users for authorized purposes.[3]
[is] a collection of safeguards that ensure the confidentiality of information, protect the integrity of information, ensure the availability of information, account for use of the system, and protect the system(s) and/or network(s) used to process the information. Security is intended to ensure that a system resists attacks and tolerates failures.[4]
[is a] condition that results from the establishment and maintenance of protective measures that enable an enterprise to perform its mission or critical functions despite risks posed by threats to its use of information systems. Protection measures may involve a combination of deterrence, avoidance, prevention, detection, recovery, and correction that should form part of the enterprise's risk management approach.[5]


Security refers to

[a]ttributes of software that bear on its ability to prevent unauthorized access, whether accidental or deliberate, to programs or data.[6]

System security

Security is

a system property. Security is much more that a set of functions and mechanisms. Information technology security is a system characteristic as well as a set of mechanisms which span the system both logically and physically.[7]


Proper security relies on the development and implementation of adequate security policies and security measures for processes within an entity, and for communication between that entity and external parties. Security policies and measures can limit the risk of external and internal attacks, as well as the reputational risk arising from security breaches.

Security encompasses data security, computer and network security, physical security, and procedural controls. All of these must be deployed to protect personal information from a wide range of threats. Measures that enhance security also enhance privacy; however, while these two concepts are complementary, they are not the same. Simply focusing on security alone does not ensure privacy, even though it is an essential component of protecting privacy. One may securely transmit personal or credit card information to a company, but information about who within or outside the company has access to the information is generally unknown. Although privacy breaches directly affect individuals, they can also affect the organizations for which the affected individuals work.

Concern for privacy arises in connection with the security of computer systems in two disparate ways:

The first need supports privacy; the institution of policies and mechanisms for confidentiality should strengthen it. The second, however, is a case in which need is not aligned with privacy; strong auditing or surveillance measures may well infringe on the privacy of those whose actions are observed. It is important to understand both aspects of privacy.[8]


See also