What Is the CIA Triad and Why Is It Important?

Confidentiality, integrity and availability. These are the three components of the CIA triad, an information security model designed to protect sensitive information from data breaches.

The CIA triad is a widely accepted principle within the industry, and is used in ISO 27001, the international standard for information security management.

It’s also referenced in the GDPR (General Data Protection Regulation), with Article 32 stating that organisations must “implement appropriate technical and organisational measures to ensure the confidentiality, integrity, availability and resilience of processing systems and services”.

But what exactly do we mean by confidentiality, integrity and availability, and how do they help protect organisations from security incidents?

Components of the CIA triad

The first element of the CIA triad is confidentiality. This describes an organisation’s ability to keep sensitive information private and secure.

The goal is to prevent unauthorised personnel from accessing the data – whether that’s cyber criminals or employees who don’t have a legitimate reason to access the files. To protect the confidentiality of data, organisations need security measures that can identify unauthorised personnel and keep them out.

The second element of the CIA triad is integrity. This refers to the completeness and accuracy of data, as well as the organisation’s ability to protect it from corruption.

Data integrity plays an essential and unique role in data protection. We often think of data protection in relation to who has (or doesn’t have) access to information. However, it’s just as important to consider whether the information itself is correct.

If there are mistakes within the data, organisations might accidentally share classified information with the wrong person. There is also the possibility that the information won’t be delivered at all.

The third element of the CIA triad is availability. This refers to an organisation’s ability to access information when needed. Availability might be compromised, for example, if a power cut knocks out an organisation’s servers or if a cloud hosting provider’s systems are disrupted.

Although data availability often refers to these sorts of organisation-wide issues, it can also apply to individual circumstances. For instance, an employee might have a technical problem that prevents them from viewing a sensitive file, or they might not have the keys to a filing cabinet.

Examples of the CIA triad

Confidentiality

Data confidentiality is most likely to apply in relation to personal data, such as customers’ names, contact details and payment card information. These details should be stored in relevant databases and made accessible only to those who need it.

This might mean password-protecting files or setting up access controls. You should also consider storing different pieces of information in separate databases.

You wouldn’t, for instance, keep the customer account details, such as their username and password, in the same files as their other personal data. You should also silo highly sensitive data, such as credit card information and health records.

Confidentiality doesn’t only refer to personal data, though. It encompasses any information of a sensitive nature. This might include things such as intellectual property and corporate records. These too must be given adequate protection to ensure that only authorised personnel can gain access.

Integrity

An example of data integrity would occur in relation to a healthcare firm mailing a patient information about their medical condition.

The organisation must be certain that their records are correct, otherwise the recipient will receive incorrect information about their health status, or they might not receive an update at all. Meanwhile, the person who inadvertently received the communication will be privy to a third party’s health condition.

Data integrity can also refer to corporate data. For example, an organisation must ensure that the prices of products on its e-commerce site are listed correctly. If it inadvertently undercharges someone for an item, it is obliged to fulfil the order, which will have financial ramifications for the business.

Availability

An organisation’s systems, applications and data must be accessible to authorised users on demand. If, for example, the organisation suffers a power outage that knocks their systems offline, their operations will grind to a halt.

Likewise, if cyber criminals encrypt the organisation’s files in a ransomware attack, the organisation will face major disruption.

Availability can also apply to a specific employee’s ability to view information. If there is a problem with their account or hardware, they might not be able to access information necessary to perform their job.

Why is the CIA triad important?

Together, the three aspects of the CIA triad represent the foundational principles of information security. Between them, they cover every possible way that sensitive data can be compromised.

But the triad is about more than the individual aspects of data protection; the three components work together to become more than the sum of their parts.

[Figure: the CIA triad. Source: IBM]

There is a reason that confidentiality, integrity and availability are thought of in a triangular pattern.

Each element connects with the others, and when you implement measures to ensure the protection of one, you must consider the ramifications it has elsewhere.

For example, say an organisation implements multifactor authentication on a piece of third-party software.

Doing so protects the confidentiality of sensitive data, making it harder for unauthorised actors to compromise an employee’s login credentials and view information on their account.

But doing so hampers the availability of data, because employees now need to complete an authentication process to access the software.

Without the means to complete the authentication process – whether it’s a hardware token, an app on one’s phone or a functional biometric scanner – employees cannot continue.

Considering the three principles together within the framework of a triad helps organisations understand their needs and requirements when developing information security controls.

Implementing the CIA triad

The CIA triad runs through the heart of information security best practice. If you’re implementing the requirements of ISO 27001, the GDPR or any other framework, you are bound to run into the concepts of confidentiality, integrity and availability.

One thing that these frameworks have in common is the emphasis they place on risk assessments. ISO 27001 and the GDPR in particular mandate that organisations analyse their operations to measure the risks, threats and vulnerabilities in their systems that could compromise sensitive information.

By implementing controls to address these risks, you will satisfy one or more of the CIA triad’s core principles.

You can find out more about this process by reading Risk Assessment and ISO 27001. This free green paper explains how you can complete the risk assessment process in line with best-practice advice.

You’ll learn how to determine the optimum risk scale so that you can determine the impact and likelihood of risks, how to systematically identify, evaluate and analyse risks, and how to create baseline security criteria.

If you’re ready to begin the risk assessment process, you will benefit from vsRisk. This software package provides a simple and fast way to deliver repeatable and consistent information security risk assessments year after year.

Its asset library assigns organisational roles to each asset group, applying relevant potential threats and risks by default.

Meanwhile, its integrated risk, vulnerability and threat databases eliminate the need to compile a list of risks, and the built-in control sets help you comply with multiple frameworks.

We’re currently offering a free 30-day trial of vsRisk. Simply add the number of licenses you require to your basket and proceed to the checkout.
