CIA Triad

With regard to an organization's cybersecurity and information security, there are certain models designed to serve as a guide in the development of policy. The CIA triad is one such model: companies use it to ensure their data is protected and remains available to those who should be able to access it. Confidentiality, integrity, and availability are the three pillars of the CIA triad, which is also referred to as the AIC triad to avoid confusion with the Central Intelligence Agency. These three elements are crucial to a sound cybersecurity framework, though some argue the model needs to be extended to stay relevant and effective (Chai, 2022).


Confidentiality of information and data is crucial for individuals and organizations alike in today's world. Data should be protected from unauthorized access and be accessible only to those who hold the required authorization (discussed in further detail later). It is common for data to be classified according to the amount and type of damage that could be done with it if it fell into the wrong hands (Chai, 2022, p. 1). The lengths companies go to in protecting their sensitive data vary, but there are some best practices to aid organizations in such matters. Typically, data should be handled according to the privacy level the organization assigns it; it should be encrypted at rest and in transit; access to it should require strong authentication, such as two-factor authentication; and access control lists and authorization permissions should be kept up to date (Chai, 2022, p. 6). Note that two-factor authentication is an access control, not a form of encryption: it limits who can reach the data, while encryption protects the data itself if the storage or the network is exposed.


The second pillar of the CIA triad is integrity, referring to an organization's responsibility to ensure the consistency, accuracy, and trustworthiness of data and sensitive information. Data should remain in its intended form and not be altered in transit or at rest except by those authorized to do so, and there should be measures in place to enforce this (Chai, 2022, p. 1). As with confidentiality, access controls and file permissions let companies ensure that only the correct users access and alter data. There should also be measures in place to detect changes in data caused by events other than user action, such as a server crash or an environmental impact. Checksums can be used to verify the integrity of data, and backups should be available to restore any affected data (Chai, 2022, p. 4). One caveat: an unkeyed checksum such as a CRC or a plain SHA-256 digest detects accidental corruption, but an attacker who can modify the data can simply recompute and replace the checksum, so detecting deliberate tampering requires a keyed message authentication code (such as HMAC) or a digital signature whose key the attacker does not hold. In addition to these steps, companies should ensure their employees are knowledgeable about compliance and regulatory requirements to minimize human error (Chai, 2022, p. 6).
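The difference between a checksum and a keyed integrity tag, as an added example that is not part of the original page or of the cited TechTarget article. The record, the bit-flip, the tampering scenario and the backup copy are all constructed for illustration; the function names are my own, and the HMAC key is generated at run time and would in practice be held apart from the data store it protects.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Constructed sample record (not from the original page): a small config
# blob whose meaning changes badly if one field is altered.
RECORD = b"host=db01;role=replica;allow_writes=false\n"


def sha256_checksum(data: bytes) -> str:
    """Unkeyed checksum. Catches accidental corruption (bit rot, truncation),
    but anyone who can rewrite the data can also rewrite this value."""
    return hashlib.sha256(data).hexdigest()


def hmac_tag(key: bytes, data: bytes) -> str:
    """Keyed tag (HMAC-SHA256). Catches both corruption and deliberate
    tampering by anyone who does not hold the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_checksum(data: bytes, expected: str) -> bool:
    return hmac.compare_digest(sha256_checksum(data), expected)


def verify_hmac(key: bytes, data: bytes, expected: str) -> bool:
    return hmac.compare_digest(hmac_tag(key, data), expected)


def flip_one_bit(data: bytes) -> bytes:
    """Simulate accidental corruption: a single bit flipped in the first byte."""
    corrupted = bytearray(data)
    corrupted[0] ^= 0x01
    return bytes(corrupted)


def attacker_rewrite(data: bytes) -> tuple[bytes, str]:
    """Simulate a tamperer with write access to the data store. They change
    the record AND recompute the unkeyed checksum to match. They cannot
    produce a valid HMAC because the key is kept elsewhere."""
    forged = data.replace(b"allow_writes=false", b"allow_writes=true")
    return forged, sha256_checksum(forged)


def restore_verified(key: bytes, tag: str, copies: list[bytes]) -> bytes | None:
    """Return the first copy (primary first, then backups) whose HMAC still
    verifies, or None if every copy is bad so the caller can raise an alert."""
    for copy in copies:
        if verify_hmac(key, copy, tag):
            return copy
    return None


def demo() -> dict:
    key = secrets.token_bytes(32)      # integrity key, stored apart from the data
    stored_checksum = sha256_checksum(RECORD)
    stored_tag = hmac_tag(key, RECORD)
    backup = bytes(RECORD)             # offline backup taken when the tag was made

    corrupted = flip_one_bit(RECORD)
    forged, forged_checksum = attacker_rewrite(RECORD)

    return {
        # Accidental corruption: both mechanisms detect it.
        "checksum_catches_corruption": not verify_checksum(corrupted, stored_checksum),
        "hmac_catches_corruption": not verify_hmac(key, corrupted, stored_tag),
        # Deliberate tampering with the checksum rewritten: only the HMAC detects it.
        "checksum_catches_forgery": not verify_checksum(forged, forged_checksum),
        "hmac_catches_forgery": not verify_hmac(key, forged, stored_tag),
        # Recovery: the primary fails verification, the backup still passes.
        "restored_from_backup": restore_verified(key, stored_tag, [forged, backup]) == RECORD,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Running the block shows the asymmetry the caveat above describes: the bit flip is caught by both mechanisms, the forged record passes the checksum it was shipped with but fails the HMAC, and the backup is the only copy that still verifies, so it is the one restored.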


The last pillar of the CIA triad is availability, meaning data should be consistently and readily accessible to authorized users. Availability typically depends on the proper maintenance of the hardware and systems that store and serve information (Chai, 2022, p. 2). Faulty hardware can result in security incidents as well as the loss of critical data. Hardware should be maintained regularly and thoroughly, and any required repairs made promptly so that the systems running on it keep operating. In addition to hardware maintenance, software should be patched in a timely manner when updates are released. Backups and redundancy play a vital role in recovering data if hardware failures do occur, and redundancy also limits the impact of denial-of-service attacks, which target availability directly. In the worst case, disaster recovery should be fast and adaptive to protect against data loss and to limit the damage to the system (Chai, 2022, p. 4).


As mentioned previously, authorization plays an important role in safeguarding an organization's data, but so does authentication. Authentication is the process of verifying the credentials a user presents against what the system has on record, to prove the user is who they claim to be; for passwords, the system should store a salted hash rather than the password itself and compare the hash of the presented password against it. If the credentials match, the user is granted access. Two-factor authentication extends this: the user enters something they know, such as a username and password, and then a code from a security token or one sent via SMS to the user's phone (Weatherston, 2022). Of these, SMS codes are the weakest second factor, since they can be intercepted through SIM swapping; an authenticator app or hardware token is preferable. While authentication verifies a user's identity, authorization determines whether they are allowed to access certain areas of an application or perform specific actions. Authorization is also referred to as access control or privilege control, and it simply means a user is either granted or denied permission to carry out tasks based on criteria or conditions set by the system. A good example would be someone logging into a social media application, clicking on the private profile of someone they aren't friends with, and being refused. Based on the application's authorization criteria, the user would be denied permission to view non-public information on the page (Weatherston, 2022).
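The two-factor login and the private-profile check described above, as an added example that is not from the original page or from either cited source. The user store, the passwords, the friend lists and the TOTP secrets are constructed for illustration, and the names `authenticate`, `authorize_profile_view` and `USERS` are my own. Password hashing uses PBKDF2-SHA256 with a per-user salt (iteration count lowered for the demo data), and the second factor is RFC 6238 TOTP over HMAC-SHA1, which is what authenticator apps implement. It also covers the access control list point from the confidentiality section: the profile check is evaluated against a per-profile policy and denies by default.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import struct

# Constructed data (not from the original page). Passwords are stored as
# salted PBKDF2 hashes, never in plaintext. The TOTP secret is the one
# enrolled in the user's authenticator app; alice's is the RFC 6238 test
# vector secret so the codes below can be checked against the RFC.
ALICE_TOTP_SECRET = b"12345678901234567890"
PBKDF2_ITERATIONS = 600_000   # production-grade default for PBKDF2-SHA256
DEMO_ITERATIONS = 100_000     # lowered only so the constructed store builds quickly


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)   # constant-time comparison


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the current 30-second counter."""
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    value = code % (10 ** digits)
    return f"{value:0{digits}d}"


USERS = {
    "alice": {
        "password": hash_password("correct horse battery staple", DEMO_ITERATIONS),
        "totp_secret": ALICE_TOTP_SECRET,
        "visibility": "friends",          # profile visible to friends only
        "friends": {"bob"},
    },
    "bob": {
        "password": hash_password("hunter2", DEMO_ITERATIONS),
        "totp_secret": secrets.token_bytes(20),
        "visibility": "public",
        "friends": {"alice"},
    },
}

# Verified for unknown usernames too, so response time does not reveal
# whether an account exists.
_DUMMY_HASH = hash_password(secrets.token_hex(16), DEMO_ITERATIONS)


def authenticate(username: str, password: str, code: str, now: int) -> bool:
    """Factor 1: something known (password). Factor 2: something possessed
    (the TOTP device). Both must pass; one step of clock drift is tolerated."""
    user = USERS.get(username)
    password_ok = verify_password(password, user["password"] if user else _DUMMY_HASH)
    if user is None:
        return False
    code_ok = any(
        hmac.compare_digest(code.encode("utf-8"),
                            totp(user["totp_secret"], now + drift * 30).encode("utf-8"))
        for drift in (-1, 0, 1)
    )
    return password_ok and code_ok


def authorize_profile_view(viewer: str, owner: str) -> bool:
    """Authorization: may this already-authenticated viewer see the owner's
    non-public profile? Anything not explicitly allowed is denied."""
    profile = USERS.get(owner)
    if profile is None:
        return False
    if viewer == owner or profile["visibility"] == "public":
        return True
    if profile["visibility"] == "friends":
        return viewer in profile["friends"]
    return False


if __name__ == "__main__":
    import time
    now = int(time.time())
    code = totp(ALICE_TOTP_SECRET, now)   # what alice's authenticator app would show
    print("alice login:", authenticate("alice", "correct horse battery staple", code, now))
    print("bob views alice:", authorize_profile_view("bob", "alice"))
    print("carol views alice:", authorize_profile_view("carol", "alice"))
```

The two functions answer different questions. `authenticate` only decides whether the caller is alice; `authorize_profile_view` only decides what alice, once known, may see. Keeping them separate is what lets the social-media case above fail in the right place: carol logs in successfully, then is refused at the profile.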


In summary, the CIA triad is a valuable model that organizations can use as a guide when developing information security policies. Confidentiality, integrity, and availability of data are foundational elements of a sound cybersecurity infrastructure. As with most things in life, this model may need to be tweaked and extended to stay effective in the current climate. Along with the CIA triad, differentiating between authentication and authorization is necessary: they deal with similar issues but serve two very different purposes.


References

Chai, W. (2022, June). What is the CIA triad? Definition, explanation, examples. TechTarget. https://www.techtarget.com/whatis/definition/Confidentiality-integrity-and-availability-CIA?jr=on

Weatherston, G. (2022, September). Authentication vs authorization: What's the difference? freeCodeCamp. https://www.freecodecamp.org/news/whats-the-difference-between-authentication-and-authorisation/
