The CIA triad is the model information security professionals refer to when developing an organization's security infrastructure. Although it shares the same acronym, it has no relation to the Central Intelligence Agency (Fruhlinger, 2020). The three letters stand for confidentiality, integrity, and availability. Organizations use this model to keep data secure in many ways. According to Ben Miller, a vice president at the cyber-security firm Dragos, the CIA triad was not created by any one specific person (Fruhlinger, 2020). Because no single person created the concept, many researchers have been free to elaborate on it and give it their own meanings. The CIA triad is fundamental to infosec because, whenever data is leaked, a system is breached, or any number of other security incidents occur, you can be sure that one or more of these three concepts has been violated (Walkowski, 2019).
The first part of the CIA triad is confidentiality. This term means that infosec professionals aim to keep their data private or secret. It also means that only authorized users should be able to access and change data. Anything that relates to data access falls under the confidentiality concept. Two subdivisions of confidentiality are very important in keeping data secure: authentication and authorization. Authentication is the process used to determine whether a user is who they say they are (Fruhlinger, 2020). There are many ways for a program to authenticate a user, including face scanning, voice recognition, and fingerprint scanning. For example, instead of just typing a password to unlock your iPhone, you can set up a scan of your face or a fingerprint scan of up to five fingers. If the Apple software does not recognize your face or your fingerprint, your phone will not unlock, because your identity was not authenticated. Authorization deals with determining who has access to what data (Fruhlinger, 2020). A program can use authentication to confirm that you are who you say you are, but you still may not have access to all of the data in that program. For example, when you log into Blackboard to see what grade your teacher gave you, you do not see every grade the teacher loaded into Blackboard; you can only see your own grade, because that is what you are authorized to see.
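The gradebook scenario above separates the two questions cleanly: authentication answers "is this really alice?", authorization answers "may alice see this grade?". The following Python is an added example that is not part of the original essay; the users, passwords, roles and grades are constructed sample data, and the password store uses salted PBKDF2 hashes rather than plaintext so that a leak of the store does not directly reveal passwords.

```python
import hashlib
import hmac
import secrets


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; never store the plaintext password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password: str, role: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "pw_hash": _hash_password(password, salt), "role": role}


# Constructed sample user store and gradebook (not from any real system).
USERS = {
    "alice": make_user("alice-pass", "student"),
    "bob": make_user("bob-pass", "student"),
    "prof": make_user("prof-pass", "teacher"),
}
GRADES = {"alice": 91, "bob": 78}


def authenticate(username: str, password: str) -> bool:
    """Authentication: is this user who they claim to be?"""
    user = USERS.get(username)
    if user is None:
        # Still do the hashing work so an unknown username takes as long as a wrong password.
        _hash_password(password, b"\x00" * 16)
        return False
    candidate = _hash_password(password, user["salt"])
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, user["pw_hash"])


def authorize_grade_view(requester: str, subject: str) -> bool:
    """Authorization: may an already-authenticated requester see the subject's grade?
    Teachers may see every grade; a student may see only their own."""
    role = USERS[requester]["role"]
    return role == "teacher" or requester == subject


def view_grade(username: str, password: str, subject: str):
    """Both checks must pass, in this order, before any grade is returned."""
    if not authenticate(username, password):
        return "authentication failed"
    if not authorize_grade_view(username, subject):
        return "not authorized"
    return GRADES.get(subject)


if __name__ == "__main__":
    print(view_grade("alice", "alice-pass", "alice"))  # alice's own grade
    print(view_grade("alice", "alice-pass", "bob"))    # not authorized
    print(view_grade("prof", "prof-pass", "bob"))      # teacher sees any grade
```

Note that a successful login (authentication) never implies permission (authorization): alice's correct password still does not let her read bob's grade, which is exactly the Blackboard behaviour the paragraph describes.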
The second part of the CIA triad is integrity. Integrity in infosec means that data should be left in its original form and nobody should be able to change it, whether by accident or maliciously (Fruhlinger, 2020). In other words, integrity means making sure data has not been tampered with and is correct and authentic. For example, once a teacher inputs grades into the grade book, nobody should be able to change the grades or add or remove information from the gradebook. The last part of the CIA triad is availability. This means that authorized users should be able to access data whenever they need to do so (Fruhlinger, 2020). For an organization to ensure availability, its network systems and applications should be fully functioning 24/7 so that users have reliable access at any time. For example, if a student wants to view their grades and available assignments, they should be able to do so at any time.
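Integrity is usually enforced by attaching something to each record that no longer matches once the record changes. The Python below is an added example, not code from the essay or its sources; the gradebook record and the key are constructed placeholders. It contrasts a plain SHA-256 checksum, which catches accidental corruption but which anyone can recompute after a deliberate edit, with an HMAC tag that can only be regenerated by a party holding the gradebook key.

```python
import hashlib
import hmac
import json

# Placeholder secret, constructed for this example; in practice it is held only by the gradebook service.
GRADEBOOK_KEY = b"placeholder-gradebook-key"


def canonical(record: dict) -> bytes:
    """Stable byte form of a record so that equal data always yields equal tags."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def checksum_seal(record: dict) -> dict:
    """Unkeyed SHA-256 checksum: detects accidental corruption only."""
    return {"record": record, "sum": hashlib.sha256(canonical(record)).hexdigest()}


def checksum_ok(sealed: dict) -> bool:
    expected = hashlib.sha256(canonical(sealed["record"])).hexdigest()
    return hmac.compare_digest(expected, sealed["sum"])


def hmac_seal(record: dict, key: bytes = GRADEBOOK_KEY) -> dict:
    """Keyed HMAC-SHA256 tag: an editor without the key cannot produce a matching tag."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def hmac_ok(sealed: dict, key: bytes = GRADEBOOK_KEY) -> bool:
    expected = hmac.new(key, canonical(sealed["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


def edit_grade(sealed: dict, new_grade: int) -> dict:
    """Change the grade but leave the checksum/tag untouched: models a disk error or a careless edit."""
    out = {k: (dict(v) if isinstance(v, dict) else v) for k, v in sealed.items()}
    out["record"]["grade"] = new_grade
    return out


def edit_grade_and_recompute_checksum(sealed: dict, new_grade: int) -> dict:
    """Change the grade and recompute the unkeyed checksum, which needs no secret."""
    return checksum_seal({**sealed["record"], "grade": new_grade})


# Constructed sample gradebook entry.
ORIGINAL = {"student": "alice", "course": "INFOSEC101", "grade": 91}


if __name__ == "__main__":
    c = checksum_seal(ORIGINAL)
    print("checksum, untouched:        ", checksum_ok(c))                                   # True
    print("checksum, silent edit:      ", checksum_ok(edit_grade(c, 100)))                  # False
    print("checksum, edit + recompute: ", checksum_ok(edit_grade_and_recompute_checksum(c, 100)))  # True
    h = hmac_seal(ORIGINAL)
    print("hmac, untouched:            ", hmac_ok(h))                                       # True
    print("hmac, silent edit:          ", hmac_ok(edit_grade(h, 100)))                      # False
```

The last checksum line is the important one: a recomputed checksum still validates, so a checksum alone does not protect against deliberate modification. The HMAC variant fails verification for any record that was re-sealed without the real key, which is what integrity in the sense of "nobody can change it" requires.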
References:
Fruhlinger, J. (2020). The CIA triad. IDG Communications, Inc.
Walkowski, D. (2019, July 9). What is the CIA triad? Retrieved December 29, 2020, from https://www.f5.com/labs/articles/education/what-is-the-cia-triad