When reviewing systems, I use this model as context for checking that applications and services have sufficient processing in place to manage and maintain data security.
Confidentiality – what level of secrecy is expected for this product or service, how do we protect it, and how do we allow access to the data?
Integrity – how do we protect the data, how do we prevent unwanted modifications, how do we maintain consistency, and how do we know what changed and who changed it?
Availability – ensure uninterrupted access to the data.