How NIST’s Cybersecurity Framework Protects the CIA Triad

What is the CIA triad?

The CIA triad is a model that helps organisations implement information security programmes to protect their confidential and sensitive data.

Typically, this is carried out through policies, processes and procedures.

The CIA triad comprises:

1) Confidentiality: Access to information should be restricted to only those who need it.

2) Integrity: Information should be accurate, reliable and protected from unauthorised modification, destruction and loss.

3) Availability: Authorised persons should be guaranteed access to information when necessary.

Organisations need to ensure that all three elements of the CIA triad are addressed, as protecting confidentiality alone does not constitute security.

After all, information is only useful if you know it is correct and can access it.

Unfortunately, confidentiality is the element that is focused on the most, leading many organisations to overlook availability and, in particular, integrity.


NIST warns that it’s a mistake to underestimate the importance of integrity

The importance of integrity is often underestimated, particularly in a security context.

Ron Ross, a fellow at NIST (the National Institute of Standards and Technology), says that an integrity-related incident could undermine an organisation’s holistic CIA approach.

“If you have a compromise of integrity, it can affect both availability and confidentiality. The malicious code can wreck confidentiality by getting access to things it shouldn’t have access to and seeing things it shouldn’t.

“Alternatively, compromising key components of a system through an integrity violation can make the system crash and the capability go away.”

Cyber criminals are targeting data and IT system integrity at an ever-increasing pace.

According to NIST’s Special Publication 1800-25, Data Integrity: Identifying and Protecting Assets against Ransomware and Other Destructive Events:

“Destructive malware, ransomware, malicious insider activity, and even honest mistakes all set the stage for why organizations need to properly identify and protect against events that impact data integrity. Businesses must be confident that data is protected and safe.

“Attacks against an organization’s data can compromise emails, employee records, financial records, and customer information—impacting business operations, revenue, and reputation.

“Examples of data integrity attacks include unauthorized insertion, deletion, or modification of data to corporate information such as emails, employee records, financial records, and customer data.”


Ransomware is a threat to information integrity

In a ransomware attack on an organisation, criminal hackers infiltrate its computer systems, encrypt its data and hold it for ransom, demanding payment before the data is decrypted.

Organisations must ensure that their data is accurate and safe – before and after a data breach or hack.

NIST’s Cybersecurity Framework can help organisations prevent security incidents or, should one occur, recover from it successfully.

This Framework is promoted as a US framework for critical infrastructure organisations but can be implemented by organisations of all sizes and complexity.


NIST’s Cybersecurity Framework takes a risk-based approach to managing cybersecurity

The Framework can be used to tackle ransomware and other cyber security threats and vulnerabilities. Through the Framework, an organisation can:

  • Expedite cyber security strategy creation efforts.
  • Reduce internal miscommunications and human error by implementing an information security programme.
  • Heighten its awareness of cyber threats.
  • Implement security controls to mitigate or reduce risks, and manage data breaches and other cybersecurity incidents.

The Framework can also increase board members’ awareness of key cyber security areas.

According to Ross, integrity must be considered at board level. Once the board takes its importance to the organisation seriously, this will trickle down to the operational and/or development levels. He says:

“So, if you’re developing a system or a product, that development work has to have high integrity, too, because management wants to make sure that what they’re producing is what the customer gets and they can be trusted to be giving customers what they expect.”


Combined with other control sets, NIST’s Framework can protect against threats to integrity

Organisations can pair the Framework with NIST SP 800-53, the CIS (Center for Internet Security) Critical Security Controls and other information security frameworks or control sets.

You may also integrate ISO 27001, the international standard that outlines best practice for an ISMS (information security management system).

Obtaining ISO 27001 certification sends a clear message that your organisation has taken reasonable measures to ensure the confidentiality, integrity and availability of its sensitive and confidential data.

Testing and assessing your ISMS is essential to learn whether it is functioning as it should and to make improvements where necessary.

Achieving ISO 27001 compliance requires a risk assessment, which can help you better understand your organisation’s cyber security posture.


Free PDF download: Risk Assessment and ISO 27001

Section 6.1.2 of ISO 27001 explicitly requires compliant organisations to carry out risk assessments based on agreed risk acceptance criteria.

An ISMS built on agreed risk acceptance criteria will be organised and ready for the next step towards implementation, but the risk assessment process itself can be complex and difficult to manage.

Download this free paper and:

  • Understand the relationship between ISO 27001 and ISO 31000;
  • Discover how to produce reliable and robust results in five simple steps;
  • Identify the challenges you may face during the risk assessment process; and
  • Recognise the importance of the risk assessment to the ISO 27001 SoA (Statement of Applicability).


The post How NIST’s Cybersecurity Framework Protects the CIA Triad appeared first on IT Governance Blog.