To define security, it has become common to use Confidentiality, Integrity and Availability, also known as the CIA triad. The purpose of these three terms is to describe security in relevant, meaningful words that make it understandable to management and users, and that define what security is for.
Confidentiality relates to permitting authorized access to information, while at the same time protecting information from improper disclosure.
Integrity is the property of information whereby it is recorded, used and maintained in a way that ensures completeness, accuracy, internal consistency and usefulness for a stated purpose.
Availability means that systems and data are accessible at the time users need them.
CIA Triad Deep Dive: Confidentiality
Confidentiality is a difficult balance to achieve when many system users are guests or customers, and it is not known whether they are accessing the system from a compromised machine or a vulnerable mobile application. The security professional's obligation is therefore to regulate access: protect the data that needs protection, yet permit access to authorized individuals. Personally Identifiable Information (PII) is a term related to the area of confidentiality. It pertains to any data about an individual that could be used to identify them. Other terms related to confidentiality are protected health information (PHI), which is information regarding one's health status, and classified or sensitive information, which includes trade secrets, research, business plans and intellectual property. Another useful definition is sensitivity, which is a measure of the importance assigned to information by its owner, for the purpose of denoting its need for protection. Sensitive information is information that, if improperly disclosed (confidentiality) or modified (integrity), would harm an organization or individual. In many cases, sensitivity is related to the harm to external stakeholders; that is, people or organizations that may not be part of the organization that processes or uses the information.
CIA Triad Deep Dive: Integrity
Integrity measures the degree to which something is whole and complete, internally consistent and correct. The concept of integrity applies to:
- Information or data
- Systems and processes for business operations
- Organizations
- People and their actions
Data integrity is the assurance that data has not been altered in an unauthorized manner. This requires the protection of the data in systems and during processing to ensure that it is free from improper modification, errors or loss of information, and is recorded, used and maintained in a way that ensures its completeness. Data integrity covers data in storage, during processing and while in transit. Information must be accurate, internally consistent and useful for a stated purpose. The internal consistency of information ensures that information is correct on all related systems, so that it is displayed and stored in the same way everywhere. Consistency, as part of data integrity, requires that all instances of the data be identical in form, content and meaning.

System integrity refers to the maintenance of a well-known configuration and expected operational function as the system processes the information. Ensuring integrity begins with an awareness of state, which is the current condition of the system. Specifically, this awareness concerns the ability to document and understand the state of data or a system at a certain point, creating a baseline. For example, a baseline can refer to the current state of the information: whether it is protected. Then, to preserve that state, the information must continue to be protected throughout a transaction. Going forward from that baseline, the integrity of the data or the system can always be ascertained by comparing the baseline with the current state. If the two match, the integrity of the data or the system is intact; if they do not match, the integrity of the data or the system has been compromised. Integrity is a primary factor in the reliability of information and systems. The need to safeguard information and system integrity may be dictated by laws and regulations; more often, it is dictated by the organization's need to access and use reliable, accurate information.
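The baseline comparison described above, as an added example (not code from the original post): a SHA-256 digest is recorded per protected item when the baseline is taken, and the current state is later judged intact only if every digest still matches, with modified, missing and unexpected items reported separately. The paths and contents are constructed in memory so the example runs offline; a real checker would read them from disk.

```python
import hashlib
from typing import Dict, List

# Added example, not code from the original post. "Files" are a constructed
# in-memory mapping path -> bytes so it runs offline; a real checker reads disk.

def digest(data: bytes) -> str:
    """SHA-256 of the content: the value recorded in the baseline."""
    return hashlib.sha256(data).hexdigest()

def take_baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Document the known-good state: one digest per protected item."""
    return {path: digest(content) for path, content in files.items()}

def verify(baseline: Dict[str, str], files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Compare current state with the baseline. A matching digest means the item
    is intact; a mismatch, a vanished item, or an item absent from the baseline
    means integrity can no longer be assumed."""
    report: Dict[str, List[str]] = {"intact": [], "modified": [], "missing": [], "unexpected": []}
    for path, expected in baseline.items():
        if path not in files:
            report["missing"].append(path)
        elif digest(files[path]) != expected:
            report["modified"].append(path)
        else:
            report["intact"].append(path)
    report["unexpected"] = sorted(p for p in files if p not in baseline)
    return report

def integrity_intact(report: Dict[str, List[str]]) -> bool:
    """True only when every bucket other than 'intact' is empty."""
    return not (report["modified"] or report["missing"] or report["unexpected"])

# Constructed sample: baseline taken, then three kinds of drift are introduced.
KNOWN_GOOD = {
    "/etc/app/config.yml": b"listen: 443\ntls: required\n",
    "/opt/app/bin/server": b"\x7fELF-constructed-binary-v1",
    "/opt/app/lib/auth.so": b"constructed-auth-library",
}
BASELINE = take_baseline(KNOWN_GOOD)
CURRENT = dict(KNOWN_GOOD)
CURRENT["/etc/app/config.yml"] = b"listen: 443\ntls: optional\n"  # modified
del CURRENT["/opt/app/lib/auth.so"]                                 # missing
CURRENT["/opt/app/bin/helper"] = b"constructed-unexpected-binary"    # unexpected

if __name__ == "__main__":
    result = verify(BASELINE, CURRENT)
    print("integrity intact:", integrity_intact(result))  # False
    for kind, paths in result.items():
        print(f"{kind:>10}: {paths}")
```

Re-verifying the untouched KNOWN_GOOD set against BASELINE reports every item intact, which is the "two states match" case in the text.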
CIA Triad Deep Dive: Availability
Availability can be defined as (1) timely and reliable access to information and the ability to use it, and (2) for authorized users, timely and reliable access to data and information services. The core concept of availability is that data is accessible to authorized users when and where it is needed, and in the form and format required. This does not mean that data or systems are available 100% of the time. Instead, the systems and data meet the requirements of the business for timely and reliable access. Some systems and data are far more critical than others, so the security professional must ensure that the appropriate levels of availability are provided. This requires consultation with the business involved to ensure that critical systems are identified and kept available. Availability is often associated with the term criticality, because criticality represents the importance an organization gives to data or an information system in performing its operations or achieving its mission.
Did this help you gain a better understanding of the C-I-A triad?
- Written by: Innovation Team
- Posted on: November 25, 2024