The CIA Triad
Name: Stephen E. Rockefeller
Date: 3/14/2022
Details:
In the world of information security, CIA stands for confidentiality, integrity, and availability. These three letters are well known within the cyber security and information security community as the CIA Triad. According to Walkowski (2019), the CIA Triad is the cornerstone of any organization’s cyber security policies and goals. A data breach, whether it arrives as a malicious attack, a phishing scam, or a data leak, is usually the result of one of these three principles being compromised. Fruhlinger (2020) states that keeping the CIA Triad in mind as an organization structures its security policies helps a cyber security team focus on productive decisions.
Confidentiality is the first letter in the Triad and refers to an organization’s ability to keep data private. Many controls can be implemented to enforce an organization’s confidentiality, such as limiting who is authorized to access private information, requiring multi-factor authentication for all users, and encrypting data. The goal of confidentiality is to ensure that private files are protected from, and not accessible to, anyone not authorized to access them (Walkowski, 2019). Two distinct mechanisms work together to achieve this. The first, authentication, is the process by which a system verifies who the user is. Various techniques support authentication, including passwords, cryptographic keys, security tokens, and biometrics (Fruhlinger, 2020). The second is authorization, which determines what an authenticated user has the right to access: which users have rights to which data, files, and applications. In an organization, most users have only limited authorization to the company’s files and data, and their access is confined to what their specific job requires. For example, only certain employees are authorized to view payroll information, while others may have limited authorization to private Human Resources files. Fruhlinger (2020) states that the most important aspect of enforcing confidentiality is creating “need to know” mechanisms for access.
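The following is an added example (not from the paper or from any of the cited sources) showing the two confidentiality mechanisms described above as working code: authentication verifies who the user is by checking a salted password hash, and authorization then applies a need-to-know policy that maps job roles to the resources they may read, denying anything not explicitly listed. The user directory, passwords, roles, resource names, and the PBKDF2 iteration count are all constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample directory: passwords are never stored, only a random
# salt plus a PBKDF2-HMAC-SHA256 hash. The iteration count is kept modest so
# the example runs quickly; production systems should use a higher value.
PBKDF2_ITERATIONS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_user(password: str, role: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "role": role}


USERS = {
    "alice": make_user("correct horse battery staple", "payroll"),
    "bob": make_user("blue-tortoise-92", "hr"),
    "carol": make_user("engineer-pass-7", "engineering"),
}

# Need-to-know policy: which roles may read which resources. Anything not
# listed here is denied by default (constructed resource names).
ACL = {
    "payroll_ledger": {"payroll"},
    "hr_files": {"hr"},
    "source_code": {"engineering"},
}


def authenticate(username: str, password: str) -> bool:
    """Verify WHO the user is. Uses a constant-time comparison of the hashes."""
    user = USERS.get(username)
    if user is None:
        # Do the same amount of work for unknown names so timing does not
        # reveal whether an account exists.
        _hash_password(password, b"\x00" * 16)
        return False
    return hmac.compare_digest(user["hash"], _hash_password(password, user["salt"]))


def authorize(username: str, resource: str) -> bool:
    """Decide WHAT an authenticated user may read (default deny)."""
    user = USERS.get(username)
    if user is None:
        return False
    return user["role"] in ACL.get(resource, set())


def read_resource(username: str, password: str, resource: str) -> str:
    """Authentication first, then authorization; both must succeed."""
    if not authenticate(username, password):
        return "denied: authentication failed"
    if not authorize(username, resource):
        return "denied: not authorized for " + resource
    return "granted: " + resource


if __name__ == "__main__":
    print(read_resource("alice", "correct horse battery staple", "payroll_ledger"))
    print(read_resource("alice", "correct horse battery staple", "hr_files"))
    print(read_resource("bob", "wrong password", "hr_files"))
```

Note that a correct password does not by itself grant access: alice authenticates successfully but is still refused the HR files because her role is not on the need-to-know list for that resource, which is exactly the separation between authentication and authorization the paragraph describes.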
Integrity is the second letter in the Triad and is defined as maintaining the validity of the data. This means ensuring that the data has not been tampered with or altered and can be trusted to be authentic. Examples include a vendor’s ability to provide its customers accurate account information, or a business publishing pricing and policies that have not been tampered with. Securing the integrity of data involves protecting information whether it is stored, in transit, or in use. The use of intrusion detection systems (IDS) is one measure employed to protect the integrity of data; other measures include auditing and strong authentication of users (Walkowski, 2019). Cryptographic hashes and message authentication codes serve the same purpose by making any unauthorized change to the data detectable. Fruhlinger (2020) states that many of the methods for protecting confidentiality also protect data’s integrity. This overlap exists because data that cannot be accessed cannot be altered; access controls alone, however, do not detect accidental corruption, so integrity also needs checks of its own.
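As an added example (not from the paper or its sources) of an integrity check that catches tampering regardless of how the change was made, the code below seals a pricing record with an HMAC-SHA256 tag and later verifies it. The record, the key, and the tampering scenario are constructed for illustration; a real key would be held in a secrets store rather than in source code.

```python
import hashlib
import hmac
import json

# Constructed example key for illustration only; never hard-code a real one.
INTEGRITY_KEY = b"example-integrity-key-not-for-production"


def canonical(record: dict) -> bytes:
    """Deterministic serialization so identical data always yields identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Attach an HMAC-SHA256 tag computed over the canonical form of the record."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"data": record, "tag": tag}


def verify(sealed: dict, key: bytes = INTEGRITY_KEY) -> bool:
    """Return True only if the data is exactly what was sealed with this key."""
    expected = hmac.new(key, canonical(sealed["data"]), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check itself does not leak the tag.
    return hmac.compare_digest(expected, sealed["tag"])


def demo() -> tuple:
    """Seal a price list, then simulate an unauthorized change to the stored price."""
    price_list = {"sku": "WIDGET-1", "price_cents": 1999, "currency": "USD"}
    sealed = seal(price_list)
    ok_before = verify(sealed)
    # Someone (or a disk fault) rewrites the price but cannot recompute the tag
    # without the key, so verification fails.
    tampered = {"data": dict(sealed["data"], price_cents=1), "tag": sealed["tag"]}
    ok_after = verify(tampered)
    return ok_before, ok_after


if __name__ == "__main__":
    print(demo())
```

A plain checksum such as an unkeyed SHA-256 would not be enough here: anyone who can rewrite the record can also recompute an unkeyed hash, whereas the HMAC tag can only be regenerated by a holder of the key.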
The third letter in the Triad represents availability. Availability refers to a user’s ability to access data when needed. This timely and reliable access to information lets an organization perform its daily tasks efficiently and is critical to the success of any company or organization. Availability can be hampered or compromised not only by cyber-attacks such as DDoS (Distributed Denial of Service) but also by natural disasters, power outages, and human error. Fruhlinger (2020) suggests mechanisms such as read-only files, so that the material remains available to the users who need it while they cannot edit or alter it. Remedies and proactive measures for protecting availability include systematic upgrading of systems and software, patching where and when needed, frequent backups, having a disaster recovery plan in place, and other protective measures to avert DDoS or other attacks affecting availability (Fortinet, 2021).
As stated by Fortinet (2021), the CIA Triad is a simple yet highly effective framework for evaluating an organization’s security policies and procedures. Incorporating the CIA Triad checklist into one’s security policy makes the difference in protecting highly sensitive data and securing a company’s viability in a highly dangerous cyber environment. As important as the concepts of the CIA Triad are to cyber security, however, Fruhlinger (2020) notes that the model is not a cure for all cyber security woes. The article reports that in 1998 Donn Parker proposed a more elaborate six-sided model (the Parkerian Hexad) that added the concepts of possession, authenticity, and utility. Although the author suggests that these additional concepts can arguably fall under the three concepts of the CIA Triad, the key point is that establishing specific and focused mechanisms to protect an organization’s private data is imperative for the safety of all organizations.
Today’s highly volatile cyber world has left many companies in need of reliable policies and procedures to protect their own and their customers’ private data. The CIA Triad is the starting point for cyber security managers within a company. Utilizing this model is the first step in implementing safe and secure measures for an organization, and this three-pronged model lends focus and direction to any company or organization establishing strong and reliable cyber security procedures.
References:
Fortinet. (2021). What is the CIA Triad and Why is it important? Retrieved from Fortinet website: https://www.fortinet.com/resources/cyberglossary/cia-triad
Fruhlinger, J. (2020, February 10). The CIA triad: Definition, components and examples. CSO Online. Retrieved March 13, 2022, from https://www.csoonline.com/article/3519908/the-cia-triad-definition-components-and-examples.html
Walkowski, D. (2019, July 9). What Is The CIA Triad? Retrieved from F5 Labs website: https://www.f5.com/labs/articles/education/what-is-the-cia-triad#:~:text=These%20three%20letters%20stand%20for