The Principles Of Information Cybersecurity: CIA Triad

madunix, Executive Information Technology Director
CERTIFIED EXPERT
Name: Fadi Sodah, aka madunix, Electrical & Telecommunications Engineering. University: RWTH-Aachen. Executive IT Director.
Edited by: Andrew Leniart
Any organization's cybersecurity strategy should aim to protect the confidentiality, integrity, and availability (CIA) of its information systems. Together, these three elements are referred to as the CIA triad.

Introduction

Information Technology (IT) infrastructure plays a critical role in an organization. As IT becomes more integral to day-to-day operations, the cost of failing to protect these systems becomes more significant. To manage this risk, an organization must ensure the security and reliability of its IT infrastructure through a robust cybersecurity framework.

Business Impact Analysis (BIA)

The BIA correlates information system elements (systems, networks, and data) with the organization's stated mission and identifies the most critical information system elements based on the cost that a disruption would incur. A critical system is any system whose failure may result in loss of human life, loss of revenue, harm to the environment, or a threat to the longevity of the organization.

There are three steps involved in completing a BIA:

  • Determine mission/business processes and recovery criticality
  • Identify resource requirements
  • Identify recovery priorities for system resources

Information Cybersecurity Policy

It is crucial that when cybersecurity strategies are developed, the consequent policies and procedures are aligned with business objectives to support the CIA triad of an organization's information systems. This support should extend to all information systems, whether managed by the organization or third-party services.

The following principles need to be followed for the effective implementation of the Corporate Information Cybersecurity Policy:

  • Information and information processing systems shall be used in a manner that supports the strategic goals and objectives of the organization. 
  • All applicable legal and/or regulatory requirements pertaining to information security shall be met. 
  • All information and information processing systems shall be identified and classified to ensure adequate protection. 
  • All risks related to information and information processing systems shall be identified and mitigated in a timely manner. 
  • Employees and non-employees shall be adequately aware of their roles and responsibilities towards information security and exercise discretion, common sense, and reasonable judgment towards using the organization's information. 
  • Employees and non-employees shall adhere to the information security policies and procedures approved by the organization. 
  • Information assets shall be classified following the information asset classification procedure. 
  • Information shall be handled securely to avoid any loss of confidentiality, integrity, and availability during its creation, storage, processing, transmission, and disposal. 
  • All changes related to information and information processing systems shall be managed securely through change control management. 
  • All information security incidents shall be reported and addressed promptly. 
  • Business Continuity Plans shall be documented, implemented, and tested adequately to ensure the availability of information and information processing systems during any emergency. 
  • The posture of information security shall be continuously reviewed and improved to ensure continuous adherence to this policy. 
  • Continually improve information security through the implementation of corrective actions. 
  • Annually review this policy for adequacy and appropriateness.

The CIA triad

As cybersecurity practitioners, we concentrate on three goals: ensuring confidentiality, integrity, and availability. Together, these three elements are referred to as the CIA triad.

  • Confidentiality (prevents unauthorized disclosure): only authorized entities have access to the data.
  • Integrity (prevents unauthorized alteration): there are no unauthorized modifications of the data.
  • Availability (ensures authorized access): authorized entities can access the data when and how they are permitted to do so.

Confidentiality

Confidentiality ensures that sensitive information is only available to people who are authorized to access it. Confidentiality measures the attacker’s ability to get unauthorized data or access to information from an application or system. It involves using techniques, often cryptography, to allow only approved users the ability to view sensitive information.

Some keywords related to confidentiality include:

  • Cryptography (Encryption / Decryption)
  • Password
  • Two-factor authentication (2FA) / Multi-factor authentication (MFA)
  • Biometric
  • Security Tokens
  • Steganography
  • Masking
  • Obfuscation
  • Anonymization
  • Tokenization
  • Network Security Protocols 
  • Network authentication services
  • Least Privilege
  • Sensitivity / Privacy
  • Privacy Enhanced Mail (PEM)
  • Transparent Data Encryption (TDE)
  • Non-Disclosure Agreement (NDA)
  • BitLocker
  • Trusted Platform Module (TPM)
  • No Shoulder Surfing
  • Secrecy
  • High Secure Environment
  • Mandatory Access Control
  • Security Labels
  • Pad Lock
  • Asymmetric / Symmetric
  • IPsec: ESP (Encapsulating Security Payload)
  • Clearance
  • Data Classification
  • Non-Interference Model

Integrity

Integrity refers to the consistency of systems, networks, and data. Maintaining integrity includes pre-emptive and mitigating measures that restrict users' editing rights while also recovering from any unapproved changes. Integrity measures an attacker’s ability to manipulate, change, or remove data at rest and data in transit.

Some keywords related to integrity include:

  • Cryptography (Encryption / Decryption)
  • Hashing Algorithms 
  • Checksums
  • Version Control
  • Backups
  • Tripwire
  • Data Classification
  • Digital signature
  • Authentication Header (AH)
  • Encapsulating Security Payload (ESP)
  • Message Authentication Code (MAC)
  • Check digit 
  • WTLS (Wireless Transport Layer Security)
  • Message digest
  • Cyclic Redundancy Check (CRC)
  • TLS (Transport Layer Security)
  • Public Key Infrastructure (PKI)
  • Configuration Management 
  • Data Custodians
  • Privacy Enhanced Mail (PEM)
  • S/MIME (Secure/Multipurpose Internet Mail Extensions)
  • Write-Once
  • Data Dictionary
  • Directory System
  • Commitment and Rollback
  • Prevent alteration
  • Resiliency
  • Read-only Restriction
  • Table Link
  • Reference Checks
  • DNSSEC (Domain Name System Security Extensions)
  • Code of Ethics
  • One Way Function
  • Trust
  • Non-Repudiation  
  • Authentication
  • IPsec: AH
  • Data Loss Prevention (DLP)
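The difference between a keyless checksum and a keyed Message Authentication Code, both listed above, as an added Python example that is not part of the original article: a CRC32 catches accidental corruption but cannot distinguish a deliberate modification whose checksum was recomputed, while an HMAC-SHA256 tag cannot be recomputed without the key. The record, the key and the tampered copy are constructed for the demonstration.

```python
import hashlib
import hmac
import zlib

# Constructed sample data (not from the article): a record protected in transit.
SECRET_KEY = b"constructed-demo-key-not-for-production"
ORIGINAL = b"transfer:from=acct-001;to=acct-002;amount=100"
TAMPERED = b"transfer:from=acct-001;to=acct-999;amount=100"


def crc_protect(data):
    """Attach a CRC32 checksum: detects accidental corruption only (no key)."""
    return data, zlib.crc32(data)


def crc_verify(data, checksum):
    return zlib.crc32(data) == checksum


def mac_protect(data, key):
    """Attach an HMAC-SHA256 tag: detects modification by anyone lacking the key."""
    return data, hmac.new(key, data, hashlib.sha256).digest()


def mac_verify(data, tag, key):
    expected = hmac.new(key, data, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)  # constant-time comparison


def simulate_in_transit_tampering():
    """Model data modified in transit and report what each control detects."""
    data, checksum = crc_protect(ORIGINAL)
    # A single flipped bit that nobody recomputed for: CRC32 catches it.
    flipped = bytes([data[0] ^ 0x01]) + data[1:]
    accidental_caught = not crc_verify(flipped, checksum)
    # A modified record with a freshly recomputed CRC: the receiver cannot tell.
    forged_crc_accepted = crc_verify(TAMPERED, zlib.crc32(TAMPERED))

    data, tag = mac_protect(ORIGINAL, SECRET_KEY)
    # The modifier has no key, so the old tag is all it can present for new content.
    forged_mac_accepted = mac_verify(TAMPERED, tag, SECRET_KEY)
    genuine_accepted = mac_verify(data, tag, SECRET_KEY)
    return {
        "crc_catches_accidental_corruption": accidental_caught,
        "crc_catches_deliberate_tampering": not forged_crc_accepted,
        "hmac_accepts_genuine_data": genuine_accepted,
        "hmac_catches_deliberate_tampering": not forged_mac_accepted,
    }
```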

Availability

Availability ensures that resources are available whenever authorized users need them. An information system is considered available if authorized users can freely access their systems, networks, or data. Availability measures an attacker’s ability to disrupt or prevent access to services or data. 

Some keywords related to availability include:

  • Proper Monitoring
  • Environmental Controls
  • Virtualization
  • Active-Active, Active-Passive, and High Availability Cluster 
  • Off-site Backups
  • Fault Tolerance (Load balancing and failover)
  • Redundancy
  • RAID (Disk Duplexing / Mirroring)
  • Synchronous / Asynchronous Replication
  • Business Continuity Plan (BCP) / Disaster Recovery Plan (DRP)
  • Ping
  • Vertical / Horizontal Scaling
  • Service Level Agreement (SLA)
  • Resiliency

Conclusion

The CIA triad is an essential concept in cybersecurity. An organization must ensure that the three aspects of the CIA triad are implemented, which is a necessary step in designing any secure environment.

https://csrc.nist.gov/glossary/term/confidentiality

https://csrc.nist.gov/glossary/term/availability

https://csrc.nist.gov/glossary/term/integrity
