¿What is The CIA Triad?
In Information Security (InfoSec), when someones says CIA, they are most likely referencing to, Confidentiality, Integrity, and Availability.
We commonly know this three principles as the CIA Triad.
The CIA Triad is a common security model, and serves as the foundation of any organization’s security program.
As a security professional, you will evaluate risk based on the potential impact they may have on one of these three principles.
That evaluation will drive your strategy for designing and implementing a remediation plan.
Let’s start with the first term on the CIA triad!.
In theory, confidentiality is keeping data private or secret.
But in practice, it is controlling access to prevent unauthorized disclosure.
For example, employee data needs to be kept private, as such it should only be accessible by certain members of the Human Resources.
Access needs to be restricted to those members who have a business need to access the data.
Any access outside of this would constitute a breach of confidentiality.
It doesn’t matter if it’s a malicious external party, or an internal employee mistakenly accessing the information, either situation would violate confidentiality.
Now!, let’s talk about integrity!.
Integrity ensures the legitimacy of data, and that it can be trusted.
Practically speaking, it means no unauthorized modification, or deletion.
For example, we are going to use a financial reporting company.
Consider a company that provides data on the performance of your financial portfolio.
You, as an investor, are counting on that data be accurate, as you base your investing decisions on that information.
If you are making investing decision based on incorrect data, you could face potential losses.
On the last scale but no least important is availability.
Availability ensures networks, systems, and applications are up and running.
Denial of Service is a common vulnerability.
This vulnerability violates the principle of availability as it overwhelms the systems resources to the point where the system is unresponsive, and thus unusable.
Availability as a security issue may seem less obvious than confidentiality and integrity, but it is equally important.
Consider an airline system. How catastrophic would it be if an airline’s guidance, or the other critical systems were unavailable?.
Here is a resume of the CIA Triad, and his definitions:
- Confidentiality: Keeping data secret or private.
- Integrity: Ensuring the legitimacy of data so it can be trusted.
- Availability: Ensuring networks, systems, and applications are up and running.
On the next article, we will discuss the NIST Framework and why these two models are connected.
Thank you for your time (Joaquin Iglesias).