Timely reliable access to data and information services for authorized users

Confidentiality—“Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information…”

A loss of confidentiality is the unauthorized disclosure of information.

Integrity—“Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity…”

A loss of integrity is the unauthorized modification or destruction of information.

Availability—“Ensuring timely and reliable access to and use of information…”

A loss of availability is the disruption of access to or use of information or an information system.

Risk Assessment is the process of determining which information technology resources require protection, and of understanding and documenting the potential risks from IT security failures that could cause a loss of information confidentiality, integrity, or availability.

Control Activities are the policies, procedures, techniques, and mechanisms that help ensure that the actions management has chosen to reduce the risks identified during risk assessment are actually carried out.

Information Assets—Definable pieces of information in any form, recorded or stored on any media that is recognized as “valuable” to the University.

Access Control refers to the process of controlling access to systems, networks, and information based on business and security requirements.

ISO (International Organization for Standardization)—An international-standard-setting body composed of representatives from various national standards organizations.

NIST (National Institute of Standards and Technology)—A non-regulatory federal agency within the U.S. Department of Commerce whose mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.

VPN (Virtual Private Network)—A network that uses a public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with secure access to the University’s network. VPNs use encryption and other security mechanisms to ensure that only authorized users can access the network and that data crossing the public infrastructure cannot be read or altered if it is intercepted.

IDS (Intrusion Detection System)—A device (or application) that monitors network and/or system activities for malicious activities or policy violations.

IPS (Intrusion Prevention System)—A device (or application) that identifies malicious activity, logs information about said activity, attempts to block/stop activity, and reports activity.

Encryption—The process of converting information into a form that is unreadable to anyone who does not hold the key needed to decrypt it.

The CIA Triad of confidentiality, integrity and availability is considered the core underpinning of information security.  Every security control and every security vulnerability can be viewed in light of one or more of these key concepts. For a security program to be considered comprehensive and complete, it must adequately address the entire CIA Triad.


Confidentiality means that data, objects and resources are protected from unauthorized viewing and other access.  Integrity means that data is protected from unauthorized changes to ensure that it is reliable and correct. Availability means that authorized users have access to the systems and the resources they need.

If you are preparing for the CISSP, Security+, CySA+, or another security certification exam, you will need to have an understanding of the importance of the CIA Triad, the definitions of each of the three elements, and how security controls address the elements to protect information systems.

Confidentiality

Confidentiality measures protect information from unauthorized access and misuse.  Most information systems house information that has some degree of sensitivity. It might be proprietary business information that competitors could use to their advantage, or personal information regarding an organization’s employees, customers or clients.

Confidential information often has value and systems are therefore under frequent attack as criminals hunt for vulnerabilities to exploit.  Threat vectors include direct attacks such as stealing passwords and capturing network traffic, and more layered attacks such as social engineering and phishing.  Not all confidentiality breaches are intentional. A few types of common accidental breaches include emailing sensitive information to the wrong recipient, publishing private data to public web servers, and leaving confidential information displayed on an unattended computer monitor.

Healthcare is an example of an industry where the obligation to protect client information is very high. Not only do patients expect and demand that healthcare providers protect their privacy, but strict regulations also govern how healthcare organizations manage security. The Health Insurance Portability and Accountability Act (HIPAA) addresses security, including privacy protection, in the handling of personal health information by insurers, providers and claims processors. HIPAA rules mandate administrative, physical and technical safeguards, and require organizations to conduct risk analysis.

There are many countermeasures that organizations put in place to ensure confidentiality. Passwords, access control lists and authentication procedures use software to control access to resources. These access control methods are complemented by the use of encryption to protect information that can be reached despite the controls, such as email in transit across networks the organization does not control. Additional confidentiality countermeasures include administrative solutions such as policies and training, as well as physical controls that prevent people from accessing facilities and equipment.
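The following is an added example, not code from the original page, showing the two software controls the paragraph names working together: a password check against a credential store, followed by an access control list evaluated deny-by-default. The passwords are stored as salted PBKDF2 hashes so that a stolen credential store does not directly disclose them, the comparison is constant-time, and an unknown account is checked against a dummy record so that login timing does not reveal which accounts exist. All users, passwords, resources and the iteration count are assumptions made for the example.

```python
"""Added example (not from the original page): authenticate, then authorize.
Credentials are salted PBKDF2 hashes, the ACL is deny-by-default, and every
user, password and resource below is constructed sample data."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Set, Tuple

# Assumption: a low iteration count so the example runs quickly. Production
# systems should use the current recommended count (OWASP lists 600,000 for
# PBKDF2-HMAC-SHA256) or a memory-hard function such as Argon2id.
PBKDF2_ITERATIONS = 20_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, derived_key). A fresh random salt per user means two users
    with the same password get different records and precomputed tables fail."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, key


def verify_password(password: str, salt: bytes, stored_key: bytes) -> bool:
    """Recompute the derived key and compare in constant time, so response
    timing does not reveal how many leading bytes matched."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_key)


# Constructed credential store: principal -> (salt, derived_key).
CREDENTIALS: Dict[str, Tuple[bytes, bytes]] = {
    "alice": hash_password("correct horse battery staple"),
    "bob": hash_password("hunter2"),
}
# Used for unknown principals so a failed login takes the same time whether or
# not the account exists (avoids account enumeration through timing).
_DUMMY_RECORD = hash_password("dummy")

# Constructed ACL: resource -> principal -> permitted operations.
ACL: Dict[str, Dict[str, Set[str]]] = {
    "/hr/payroll.xlsx": {"alice": {"read", "write"}, "bob": {"read"}},
    "/eng/design.md": {"alice": {"read"}},
}


def is_authorized(principal: str, resource: str, operation: str) -> bool:
    """Deny by default: an unknown resource, an unlisted principal or an
    unlisted operation all evaluate to False."""
    return operation in ACL.get(resource, {}).get(principal, set())


def access(principal: str, password: str, resource: str, operation: str) -> str:
    """Authenticate, then authorize. Returns 'granted', 'denied-auth' or
    'denied-acl'; callers must treat anything but 'granted' as failure."""
    salt, key = CREDENTIALS.get(principal, _DUMMY_RECORD)
    # verify_password always runs first so timing is uniform for unknown users
    authenticated = verify_password(password, salt, key) and principal in CREDENTIALS
    if not authenticated:
        return "denied-auth"
    if not is_authorized(principal, resource, operation):
        return "denied-acl"
    return "granted"


if __name__ == "__main__":
    print(access("alice", "correct horse battery staple", "/hr/payroll.xlsx", "write"))  # granted
    print(access("bob", "hunter2", "/hr/payroll.xlsx", "write"))                       # denied-acl
    print(access("bob", "wrong", "/hr/payroll.xlsx", "read"))                          # denied-auth
    print(access("mallory", "dummy", "/hr/payroll.xlsx", "read"))                      # denied-auth
```

Two design points worth noting: the ACL lookup never raises and never returns anything but False for a name it has not seen, which is what "deny by default" means in code; and the credential check returns the same result, in the same time, for a wrong password and a nonexistent account, so the login endpoint cannot be used to enumerate users.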

Integrity

Integrity measures protect information from unauthorized alteration.  These measures provide assurance in the accuracy and completeness of data.  The need to protect information includes both data that is stored on systems and data that is transmitted between systems such as email.  In maintaining integrity, it is not only necessary to control access at the system level, but to further ensure that system users are only able to alter information that they are legitimately authorized to alter.

As with confidentiality protection, the protection of data integrity extends beyond intentional breaches.  Effective integrity countermeasures must also protect against unintentional alteration, such as user errors or data loss that is a result of a system malfunction.

While all system owners require confidence in the integrity of their data, the finance industry has a particularly pointed need to ensure that transactions across its systems are secure from tampering. One of the most notorious financial data integrity breaches in recent times occurred in February 2016, when cyber thieves attempted nearly $1 billion in fraudulent transfers from the account of the central bank of Bangladesh at the Federal Reserve Bank of New York. The attackers executed an elaborate scheme that included obtaining the credentials needed to issue the transfer instructions, and infecting the bank’s systems with malware that deleted the database records of the transfers and suppressed the printed confirmation messages that would have alerted bank staff to the fraud. After the scheme was discovered, most of the transfers were blocked or the funds recovered, but the thieves still made off with about $81 million.

There are many countermeasures that can be put in place to protect integrity. Access control and rigorous authentication can help prevent authorized users from making changes they are not entitled to make. Hash verifications and digital signatures can help ensure that transactions are authentic and that files have not been modified or corrupted; note that a bare hash stored beside the data only catches accidental corruption, since an attacker who can alter the data can usually recompute the hash as well, so the hash must itself be protected by a digital signature, a keyed MAC, or publication through a separate trusted channel. Equally important to protecting data integrity are administrative controls such as separation of duties and training.
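The following is an added example, not code from the original page, that makes the distinction in the paragraph concrete: a bare SHA-256 digest catches a flipped bit but accepts a forged record whose digest the attacker has recomputed, while an HMAC over the same record rejects the forgery because the attacker does not hold the key. A digital signature gives the same protection with an asymmetric key (and adds non-repudiation, since only the signer holds the private key); it is described in the lead-in rather than implemented because the standard library has no signature primitive. The transaction record, the key and the attacker's edit are all constructed for the example.

```python
"""Added example (not from the original page): why a bare hash beside a file
detects accidental corruption but not deliberate tampering, and why a keyed
MAC does. The record, the key and the attacker's edit are constructed."""
import hashlib
import hmac
import secrets
from typing import Dict

# Constructed transaction record of the kind an integrity control must protect.
RECORD = b"transfer id=42 from=ACC-100 to=ACC-200 amount=1000 currency=USD"


def sha256_hex(data: bytes) -> str:
    """Unkeyed digest: anyone, including an attacker, can recompute it."""
    return hashlib.sha256(data).hexdigest()


def hmac_hex(key: bytes, data: bytes) -> str:
    """Keyed digest: recomputing it requires the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def check_hash(data: bytes, published_hash: str) -> bool:
    return hmac.compare_digest(sha256_hex(data), published_hash)


def check_mac(key: bytes, data: bytes, published_mac: str) -> bool:
    return hmac.compare_digest(hmac_hex(key, data), published_mac)


def corrupt(data: bytes) -> bytes:
    """Accidental damage: flip one bit, as a storage or transmission error might."""
    buf = bytearray(data)
    buf[0] ^= 0x01
    return bytes(buf)


def tamper(data: bytes) -> bytes:
    """Deliberate edit: inflate the amount by a factor of a thousand."""
    return data.replace(b"amount=1000 ", b"amount=1000000 ")


def run_scenarios(key: bytes) -> Dict[str, bool]:
    """Return whether each verification accepts the data it is given."""
    published_hash = sha256_hex(RECORD)
    published_mac = hmac_hex(key, RECORD)
    corrupted = corrupt(RECORD)
    forged = tamper(RECORD)
    return {
        # Honest data passes both checks.
        "hash_accepts_original": check_hash(RECORD, published_hash),
        "mac_accepts_original": check_mac(key, RECORD, published_mac),
        # Random corruption: the digest no longer matches, so it is caught.
        "hash_accepts_corrupted": check_hash(corrupted, published_hash),
        # Active attacker who can rewrite the record AND the hash stored next
        # to it: recomputes the hash, and the check accepts the forgery.
        "hash_accepts_forged_with_rehash": check_hash(forged, sha256_hex(forged)),
        # The same attacker cannot produce a valid MAC without the key; the
        # best they can do is leave the old MAC in place, which fails.
        "mac_accepts_forged": check_mac(key, forged, published_mac),
    }


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # assumption: a shared secret held by both parties
    for name, accepted in run_scenarios(key).items():
        print(f"{name:36s} {accepted}")
```

The practical rule that follows: a checksum file published next to a download protects against a bad transfer, not against a compromised server; for the latter the checksum must be signed, or the verifier must hold a key the attacker does not.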

Availability

In order for an information system to be useful it must be available to authorized users.  Availability measures protect timely and uninterrupted access to the system. Some of the most fundamental threats to availability are non-malicious in nature and include hardware failures, unscheduled software downtime and network bandwidth issues.  Malicious attacks include various forms of sabotage intended to cause harm to an organization by denying users access to the information system.

The availability and responsiveness of a website is a high priority for many businesses. Disruption of website availability for even a short time can lead to loss of revenue, customer dissatisfaction and reputation damage. The Denial of Service (DoS) attack is a method frequently used to disrupt web service. In a DoS attack, the attacker floods a server with superfluous requests, overwhelming it and degrading service for legitimate users; in the distributed form (DDoS) the flood comes from many compromised machines at once, which makes it much harder to filter by source. Over the years, service providers have developed sophisticated countermeasures for detecting and protecting against DoS attacks, but attackers also continue to gain in sophistication and such attacks remain an ongoing concern.

Countermeasures to protect system availability are as far ranging as the threats to it. Systems with a high requirement for continuous uptime should have significant hardware redundancy, with backup servers and data storage immediately available. For large enterprise systems it is common to have redundant systems in separate physical locations. Software tools should be in place to monitor system performance and network traffic so that degradation is noticed before users report it. Countermeasures against DoS attacks include traffic filtering and rate limiting at firewalls and routers and, for volumetric attacks that exceed the capacity of the local link, upstream scrubbing services or content delivery networks that can absorb the flood.
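The following is an added example, not code from the original page, of the simplest per-source DoS countermeasure mentioned above, a sliding-window rate limiter, replayed over a constructed access log. It is run twice to illustrate the IDS and IPS definitions from the glossary earlier on the page: in IDS mode an over-limit source is only flagged, in IPS mode its excess requests are dropped while the ordinary client is still fully served. The log format, the RFC 5737 documentation addresses, the one-second window and the threshold of ten requests are all assumptions made for the example. The caveat the paragraph implies holds here too: a per-source limit does nothing against a distributed flood spread thinly across thousands of addresses, which is why upstream scrubbing exists.

```python
"""Added example (not from the original page): per-source request-rate
limiting over a constructed access log, in IDS mode (flag only) and IPS mode
(flag and drop). Log format, addresses, window and threshold are assumptions."""
import re
from collections import Counter, defaultdict, deque
from typing import Deque, Dict, List, Optional, Tuple

# Assumed log format: "<unix_time_seconds> <source_ip> <path>".
LOG_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?) (?P<src>\S+) (?P<path>\S+)$")


def parse_line(line: str) -> Optional[Tuple[float, str, str]]:
    """Return (timestamp, source, path), or None for a line that does not
    match; a detector must not crash on malformed input."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return float(m["ts"]), m["src"], m["path"]


class SlidingWindowLimiter:
    """Counts requests per source inside a trailing time window. Every
    attempt is recorded, allowed or not, so a source that keeps flooding
    stays over the limit until it actually slows down."""

    def __init__(self, window_seconds: float, max_requests: int) -> None:
        self.window = window_seconds
        self.limit = max_requests
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, src: str, ts: float) -> bool:
        q = self._hits[src]
        while q and ts - q[0] >= self.window:   # expire entries outside the window
            q.popleft()
        q.append(ts)
        return len(q) <= self.limit


def analyze(lines: List[str], window: float = 1.0, max_per_window: int = 10,
            mode: str = "ips") -> Dict[str, object]:
    """Replay log lines through the limiter. In 'ids' mode an over-limit
    source is only flagged; in 'ips' mode its excess requests are dropped."""
    if mode not in ("ids", "ips"):
        raise ValueError("mode must be 'ids' or 'ips'")
    limiter = SlidingWindowLimiter(window, max_per_window)
    served: Counter = Counter()
    dropped: Counter = Counter()
    flagged = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, _path = parsed
        if limiter.allow(src, ts):
            served[src] += 1
        else:
            flagged.add(src)
            if mode == "ips":
                dropped[src] += 1
            else:
                served[src] += 1      # IDS observes and reports, never blocks
    return {"served": dict(served), "dropped": dict(dropped), "flagged": sorted(flagged)}


def build_sample_log() -> List[str]:
    """Constructed traffic: one ordinary client (5 requests over 5 seconds) and
    one flooding source (60 requests inside 0.6 seconds), plus a malformed line."""
    lines = [f"{1000 + i:.2f} 203.0.113.7 /page{i}.html" for i in range(5)]
    lines += [f"{1000 + i * 0.01:.2f} 198.51.100.9 /index.html" for i in range(60)]
    lines.sort(key=lambda l: float(l.split()[0]))
    lines.insert(0, "not a log line")
    return lines


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        print(mode, analyze(build_sample_log(), mode=mode))
```

With the sample traffic the flooding source gets ten requests through and has the remaining fifty dropped in IPS mode, while the ordinary client's five requests are all served in both modes. Recording blocked attempts in the window, rather than only the allowed ones, is deliberate: it means a source cannot keep a steady trickle of successes flowing while hammering the server with rejected requests.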

Understanding the CIA Triad is an important component of your preparation for a variety of security certification programs.  If you’re interested in earning your next security certification, sign up for the free CertMike study groups for the CISSP, Security+, SSCP, or CySA+ exam.

What are the three 3 features of security?

The fundamental principles (tenets) of information security are confidentiality, integrity, and availability. Every element of an information security program (and every security control put in place by an entity) should be designed to achieve one or more of these principles. Together, they are called the CIA Triad.

What are the 5 elements of security?

The U.S. Department of Defense has promulgated the Five Pillars of Information Assurance model that includes the protection of confidentiality, integrity, availability, authenticity, and non-repudiation of user data.

What are the 3 information assurance levels?

There are three levels within the IAT (Information Assurance Technical) category:
Level 1: Computing environment information assurance.
Level 2: Network environment information assurance.
Level 3: Enclave, advanced network and computer information assurance.

What is information assurance and security and its purpose?

The US Government's definition of information assurance is: “measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation.”