Skip to main content

Trustworthiness of Information Systems

The concept of trustworthiness applies to both information systems and the information technology products and services that compose them.

Trustworthiness refers to how reliably an information system preserves the confidentiality, integrity, and availability of data across a range of threats. A trustworthy system functions within the organization’s acceptable risk appetite, despite potential disruptions, errors, or attacks.

Two key factors determine the trustworthiness of information systems:

  1. Security functionality: The security features and functions within the system, achieved through management, operational, and technical controls.
  2. Security assurance: The Confidence that security features are effective and operating as intended.

Security functionality is achieved through the implementation of management, operational, and technical controls, guided by the organization’s enterprise architecture.

Security assurance is built by the actions of developers and assessors, including designing, implementing, and verifying security controls to ensure they function as intended.

The concepts of assurance and trustworthiness are closely related and assurance contributes to the trustworthiness determination relative to an information technology product or an information system.

Assurance is typically evaluated throughout the system development life cycle, from design to operation, through testing, inspections, audits, and independent assessments. Evidence such as design documentation, testing results, and security incident reports contribute to determining system trustworthiness.

Ultimately, trustworthiness is critical in selecting IT products and systems. Higher trustworthiness means fewer flaws and better resistance to cyberattacks, natural disasters, and errors. The required level of trustworthiness depends on the risks faced by the organization, its mission, and its operational environment.

Failing to ensure sufficient trustworthiness in IT products and systems can harm an organization’s ability to fulfill its mission and business objectives.

(Source : NIST SP 800-39).