The CIA triad is a model designed to guide policies and procedures for information security within an organisation. Read on to find out more about the CIA triad and some of the common methods organisations implement to meet CIA requirements.
The Confidentiality, Integrity, and Availability triad, also known as the CIA triad, is a core model underpinning information security. These three components are considered the most crucial elements of information security and should be at the forefront of all information security decisions within an organisation.
Confidentiality is about implementing measures that are designed to stop unauthorised individuals from accessing sensitive data, whilst ensuring authorised individuals can still access it. Confidential data may be categorised according to its sensitivity, with different protections implemented for each category. Data encryption is a common method of ensuring the confidentiality of information.
Integrity involves maintaining the accuracy, consistency and trustworthiness of data. Data must not be changed whilst at rest or in transit by unauthorised individuals (which would demonstrate a breach of confidentiality). Integrity of data is commonly ensured by implementing security measures such as file permissions and access control models. Version control can also be used to guard against accidental changes to data made by authorised individuals. We can also check the integrity of data by using checksums, such as SHA-2 and MD5.
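As an added example (not part of the original post), the checksum approach above carried through in Python: a SHA-256 digest (a member of the SHA-2 family) is recorded for each file at a known-good point, and later re-computation reveals which files have been altered, removed or added. The file names and contents are constructed in-memory stand-ins for files on disk.

```python
import hashlib
import hmac
from typing import Dict, List

# Constructed sample "files": name -> content bytes (stand-ins for files on disk).
ORIGINAL_FILES: Dict[str, bytes] = {
    "config.yaml": b"db_host: db.internal\nretries: 3\n",
    "app.py": b"print('hello')\n",
}


def sha256_hex(data: bytes) -> str:
    """Return the SHA-256 digest of data as a hex string."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Record one digest per file at a known-good point in time."""
    return {name: sha256_hex(content) for name, content in files.items()}


def verify(files: Dict[str, bytes], manifest: Dict[str, str]) -> List[str]:
    """Re-hash every file and return the sorted names of those that fail.

    A file fails if its digest differs from the manifest, if it is missing
    (deletion is an integrity breach too), or if it is present but was never
    recorded in the manifest.
    """
    failures = []
    for name, expected in manifest.items():
        if name not in files:
            failures.append(name)
            continue
        actual = sha256_hex(files[name])
        # compare_digest avoids leaking how many leading characters matched.
        if not hmac.compare_digest(actual, expected):
            failures.append(name)
    for name in files:
        if name not in manifest:
            failures.append(name)
    return sorted(failures)


if __name__ == "__main__":
    manifest = build_manifest(ORIGINAL_FILES)
    # A single-character change (retries 3 -> 8) yields a completely different digest.
    tampered = dict(ORIGINAL_FILES)
    tampered["config.yaml"] = b"db_host: db.internal\nretries: 8\n"
    print("clean:", verify(ORIGINAL_FILES, manifest))   # []
    print("tampered:", verify(tampered, manifest))      # ['config.yaml']
```

A checksum only detects a change; it does not prevent one, and it is only trustworthy if the manifest itself is stored where it cannot be modified alongside the data (read-only media, or protected by a signature or keyed MAC, which is outside the scope of this post).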
Availability means that authorised individuals are able to access their data whenever they need it. This is best met by ensuring that key information systems have redundancy built in, which may include failovers, RAID, and even high-availability clusters. A key part of ensuring high availability is to implement strong disaster recovery procedures should the worst occur. In that case, taking regular backups to an offsite location means that data can be recovered, although how long recovery takes and the resulting impact on the organisation should be considered when implementing a backup solution.
Like all triads, or triangles, there is a balance to be struck:
- Implement controls for Confidentiality that are too strict? This will affect the Availability of data as it becomes more complex and time-consuming to access.
- Focused too heavily on ease of Availability? You may lose Integrity and thus Confidentiality of data by opening up key systems without proper checks in place (see my previous post on the importance of IAAA).
- Too worried about the Integrity of data? This could affect the Availability as authorised individuals are unable to make valid alterations to their data.