Which information means ensuring that authorized users have access to information when required?

Confidentiality, Integrity, and Availability. These are the three core components of the CIA triad, an information security model meant to guide an organization’s security procedures and policies.

While people outside the information security community might hear the phrase CIA Triad and think “conspiracy theory,” those in the cybersecurity field know that the CIA Triad has absolutely nothing to do with the Central Intelligence Agency and everything to do with keeping your organization's data, networks, and devices safe and secure.

What is the CIA Triad?

The CIA triad is widely accepted as a model in information security. It’s not a singular doctrine and there was no one author. Rather the model appears to have developed over time, with roots as old as modern computing, pulling concepts from various sources. Ben Miller, vice president for Dragos, seems to be one of the few people who has done any digging on the origins of the triad. He wrote a blog post 11 years ago about its roots and was unable to find a single source. Instead, the concepts seem to be pulled from a few different documents: a 1976 paper for the U.S. Air Force, for example, and a paper written in the 1980s about the difference between commercial and military computer systems.

Whatever the source, the CIA triad has three components:

• Confidentiality: Confidentiality has to do with keeping an organization’s data private. This often means that only authorized users and processes should be able to access or modify data.
• Integrity: Integrity means that data can be trusted. It should be maintained in a correct state, kept so that it may not be tampered with, and should be correct, authentic, and reliable.
• Availability: Just as it is important that unauthorized users are kept out of an organization’s data, data should be available to authorized users whenever they require it. This means keeping systems, networks, and devices up and running.

All of these concepts are important on their own to security professionals of all kinds. The reason these three concepts are grouped into a triad is so information security professionals can think of the relationship between them, how they overlap, and how they oppose one another. Looking at the tension between the three legs of the triad can help security professionals determine their infosec priorities and processes.

An example of the CIA triad in practice

Think of logging into an e-commerce site to check your orders and make an additional purpose. The e-commerce site uses the three principles of the CIA triad in the following ways:

• Confidentiality: When you log in, you’re asked for a password. If it’s been a while since your last log-in, you may be asked to input a code that’s been sent to you or some other form of two-factor authentication.
• Integrity: Data integrity is provided by making sure your purchases are reflected in your account and allowing you to contact a representative if there’s a discrepancy.
• Availability: You can log into your account whenever you want, and you may even be able to contact customer support at any time of the day or night.

This is just one example of how the triad can be practically applied. There are several, more specific examples for each leg of the CIA stool.

For example, examples of Confidentiality can be found in various access control methods, like two-factor authentication, passwordless sign-on, and other access controls, but it’s not just about letting authorized users in, it's also about keeping certain files inaccessible. Encryption helps organizations secure information from both accidental disclosure and malicious attacks.

Integrity can be maintained with access control and encryption as well, but there are many other ways to protect data integrity, both from attacks and corruption. Sometimes it’s as simple as a read-only file. Sometimes, it involves hashing or data checksums, which allow data to be audited to ensure the data hasn’t been compromised. In other cases, integrity might be protected physically from outside sources that might corrupt it.

Availability is really about making sure your systems are up and running so that business can continue, even in the face of an attack. DDoS (Distributed Denial of Service) attacks rely on limited availability, for example. For this reason, creating a DDoS response plan and redundancy in your systems is a way of ensuring availability. However, when there’s no attack, systems can still fail and become unavailable, so load balancing and fault tolerance are a way to keep systems from failing.

How can SecurityScorecard help?

The CIA triad alone is not enough to keep your data secure. You also need to be aware of where your risks are.

SecurityScorecard can help you monitor your information security across 10 groups of risk factors with our easy-to-understand security ratings. Our ratings continuously monitor every part of your security operation.

We monitor your information security by keeping an eye on your data and the systems and networks you have in place to protect it, and we also monitor your cybersecurity by making sure your organization’s systems are patched when they need to be, and that there’s no hacker chatter about your organization on the dark web. Once your score drops, you’ll know that something has changed, and our platform will then offer remediations to help you fix the problem before there’s a breach.

Data and information protection comprise the third and most important pillar of a sound cyber security strategy. It is crucial to consider the ‘CIA triad’ when considering how to protect our data.

This is the third and final article in a series addressing the three-pillar approach to cyber security. The first two pillars are ‘people’ and ‘process’, The last pillar is ‘data and information’.

Data and information protection is the most technical and tangible of the three pillars. The data we gather comes from multiple sources, such as information technology (IT), operational technology (OT), personal data and operational data. It must be properly managed and protected every step of the way.

What is the CIA triad?

When we discuss data and information, we must consider the CIA triad. The CIA triad refers to an information security model made up of the three main components: confidentiality, integrity and availability. Each component represents a fundamental objective of information security.

The three components of the CIA triad are discussed below:

1. Confidentiality: This component is often associated with secrecy and the use of encryption. Confidentiality in this context means that the data is only available to authorized parties. When information has been kept confidential it means that it has not been compromised by other parties; confidential data are not disclosed to people who do not require them or who should not have access to them. Ensuring confidentiality means that information is organized in terms of who needs to have access, as well as the sensitivity of the data. A breach of confidentiality may take place through different means, for instance hacking or social engineering.
2. Integrity: Data integrity refers to the certainty that the data is not tampered with or degraded during or after submission. It is the certainty that the data has not been subject to unauthorized modification, either intentional or unintentional. There are two points during the transmission process during which the integrity could be compromised: during the upload or transmission of data or during the storage of the document in the database or collection.
3. Availability: This means that the information is available to authorized users when it is needed. For a system to demonstrate availability, it must have properly functioning computing systems, security controls and communication channels. Systems defined as critical (power generation, medical equipment, safety systems) often have extreme requirements related to availability. These systems must be resilient against cyber threats, and have safeguards against power outages, hardware failures and other events that might impact the system availability.

Stability, availability and security

Availability is a major challenge in collaborative environments, as such environments must be stable and continually maintained. Such systems must also allow users to access required information with little waiting time. Redundant systems may be in place to offer a high level of fail-over. The concept of availability can also refer to the usability of a system.

Information security refers to the preservation of integrity and secrecy when information is stored or transmitted. Information security breaches occur when information is accessed by unauthorized individuals or parties. Breaches may be the result of the actions of hackers, intelligence agencies, criminals, competitors, employees or others. In addition, individuals who value and wish to preserve their privacy are interested in information security.

The CIA triad describes three crucial components of data and information protection which can be used as guides for establishing the security policies in an organization. Establishing and maintaining the organization’s security policies can be a daunting task, but using the three-pillared strategic approach to cyber security can help you identify and manage cyber security risks in a methodic and comprehensive manner.