In the information security world, CIA represents something we strive to attain rather than an agency of the United States government. Confidentiality, integrity, and availability (CIA) are the unifying attributes of an information security program.
Collectively referred to as the CIA triad or the CIA security model, each attribute represents a fundamental objective of information security. The Federal Information Security Management Act (FISMA), codified at 44 U.S.C. § 3542, defines the relationship between information security and the CIA triad as follows:
(1) The term “information security” means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide:
A. Integrity, which means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity;
B. Confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and
C. Availability, which means ensuring timely and reliable access to, and use of, information.
You may be wondering which is most important. The answer requires an organization to assess its mission, evaluate its services, and consider regulations and contractual agreements. Organizations may consider all three components of the CIA triad equally important, in which case resources must be allocated proportionately.
What is Confidentiality?
As it pertains to information security, confidentiality is the protection of information from unauthorized people and processes. Federal Code 44 U.S.C., Sec. 3542 defines confidentiality as “preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information.”
None of us like the thought of our private health information or financial information falling into some stranger’s hands. No business owner likes the thought of her proprietary business information being disclosed to competitors. Information is valuable.
Cybercrime is a relatively easy, low-risk, high-reward venture. There is plenty of money to be made. The chances of being caught are slim. The tools are readily available. Criminals look for and are prepared to exploit weaknesses in network designs, software, communication channels, and people. The opportunities are plentiful. Criminals are not always outsiders. Insiders can be tempted to “make copies” of information they have access to for financial gain, notoriety, or to “make a statement.”
The ability to obtain unauthorized access is often opportunistic. In this context, opportunistic means taking advantage of identified weaknesses. Criminals (and nosy employees) care about the work factor, which is defined as how much effort is needed to complete a task. The longer it takes to obtain unauthorized access, the greater the chance of being caught. The more a “job” costs to complete successfully, the less profit is earned.
The information security goal of confidentiality is to protect information from unauthorized access and misuse. The best way to do this is to implement safeguards and processes that increase the work factor and the chance of being caught. This calls for a spectrum of access controls and protection as well as ongoing monitoring, testing, and training.
What is Integrity?
Whenever the word integrity comes to mind, so does Brian De Palma’s classic 1987 film The Untouchables, starring Kevin Costner and Sean Connery. The film is about a group of police officers who could not be “bought off” by organized crime. They were incorruptible. Integrity is certainly one of the highest ideals of personal character. When we say someone has integrity, we mean she lives her life according to a code of ethics; she can be trusted to behave in certain ways in certain situations. It is interesting to note that those to whom we ascribe the quality of integrity can be trusted with our confidential information. In information security, integrity has a very similar meaning. Integrity is the protection of information, processes, or systems from intentional or accidental unauthorized modification. In the same way we count on people to behave a certain way, we rely on our information to be a certain way.
Data integrity is a requirement that information and programs are changed only in a specified and authorized manner. In other words, is the information the same as it was intended to be? For example, if you save a file with important information that must be relayed to members of your organization, but someone opens the file and changes some or all of the information, the file has lost its integrity. The consequences could be anything from coworkers missing a meeting you planned for a specific date and time, to 50,000 machine parts being produced with the wrong dimensions.
System integrity is a requirement that a system “performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system.” A piece of malware that corrupts some of the system files required to “boot” the computer is an example of deliberate unauthorized manipulation.
Errors and omissions are an important threat to data and system integrity. These errors are caused not only by data entry clerks processing hundreds of transactions per day, but also by all types of users who create and edit data and code. Even the most sophisticated programs cannot detect all types of input errors or omissions. In some cases, the error is the threat, such as a data entry error or a programming error that crashes a system. In other cases, the errors create vulnerabilities. Programming and development errors, often called “bugs,” can range in severity from benign to catastrophic.
Integrity and confidentiality are interrelated. If a user password is disclosed to the wrong person, that person could in turn manipulate, delete, or destroy data after gaining access to the system with the password he obtained. Many of the same vulnerabilities that threaten integrity also threaten confidentiality. Most notable, though, is human error. Safeguards that protect against the loss of integrity include access controls, cryptographic controls such as encryption and digital signatures, process controls such as code testing, monitoring controls such as file integrity monitoring and log analysis, and behavioral controls such as separation of duties, rotation of duties, and training.
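To make two of those safeguards concrete, here is an added example (not from the book or the original article) of a minimal file-integrity monitor in Python. It records a SHA-256 digest of every file in a baseline and then seals the baseline with an HMAC, so that an intruder who changes a file cannot also quietly rewrite the baseline to match unless they also hold the key. The file names, contents, and the key are constructed sample data; the “files” live in a dictionary so the example runs offline, and a real deployment would read from disk and keep the key off the monitored host.

```python
"""Added example: a minimal file-integrity monitor.

Two integrity controls are shown together:
  * a baseline of per-file SHA-256 digests (file integrity monitoring), and
  * an HMAC over that baseline, so an attacker who alters a file cannot also
    "fix" the baseline to match without the key, which is held separately.
The "files" are an in-memory dict of name -> bytes (constructed sample data)
so the example runs offline; swap in real paths and reads for production use.
"""
import hashlib
import hmac
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(digests: dict) -> bytes:
    # Sorted keys and no whitespace: the same inventory always yields the
    # same bytes, so the HMAC is stable across runs.
    return json.dumps(digests, sort_keys=True, separators=(",", ":")).encode()


def build_baseline(files: dict, key: bytes) -> dict:
    """Record a digest for every file and seal the record with an HMAC."""
    digests = {name: sha256_hex(content) for name, content in files.items()}
    tag = hmac.new(key, _canonical(digests), hashlib.sha256).hexdigest()
    return {"digests": digests, "hmac": tag}


def verify(files: dict, baseline: dict, key: bytes) -> dict:
    """Compare the current inventory against the baseline.

    Report fields:
      modified          - files present in both but with a different digest
      added             - files not recorded in the baseline
      removed           - baseline entries with no current file
      baseline_tampered - True if the baseline's HMAC no longer verifies
    """
    expected = hmac.new(key, _canonical(baseline["digests"]), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking the tag through timing differences
    tampered = not hmac.compare_digest(expected, baseline["hmac"])

    recorded = baseline["digests"]
    current = {name: sha256_hex(content) for name, content in files.items()}
    return {
        "modified": sorted(n for n in recorded if n in current and current[n] != recorded[n]),
        "added": sorted(n for n in current if n not in recorded),
        "removed": sorted(n for n in recorded if n not in current),
        "baseline_tampered": tampered,
    }


def demo() -> dict:
    """Walk through the scenarios from the text with constructed sample files."""
    key = b"example-monitoring-key-kept-off-the-monitored-host"  # constructed
    files = {
        "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
        "/boot/grub/grub.cfg": b"set default=0\nset timeout=5\n",
        "parts/dimensions.csv": b"part,length_mm\nA-100,25.00\n",
    }
    baseline = build_baseline(files, key)

    # Scenario 1: nothing changed, so the report is clean.
    clean = verify(files, baseline, key)

    # Scenario 2: a part dimension is edited, malware drops a payload and
    # destroys a file the system needs to boot.
    changed = dict(files)
    changed["parts/dimensions.csv"] = b"part,length_mm\nA-100,52.00\n"  # digits swapped
    changed["/tmp/.x"] = b"\x7fELF\x02\x01\x01"  # constructed dropped payload
    del changed["/boot/grub/grub.cfg"]
    detected = verify(changed, baseline, key)

    # Scenario 3: the attacker also rewrites the baseline digest to hide the
    # edit, but cannot recompute the HMAC without the key.
    edited = dict(files)
    edited["parts/dimensions.csv"] = changed["parts/dimensions.csv"]
    forged = {"digests": dict(baseline["digests"]), "hmac": baseline["hmac"]}
    forged["digests"]["parts/dimensions.csv"] = sha256_hex(edited["parts/dimensions.csv"])
    hidden = verify(edited, forged, key)

    return {"clean": clean, "detected": detected, "hidden": hidden}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A plain digest list is enough to catch accidental edits and careless intruders; the HMAC is what turns it into evidence that the monitoring record itself has not been altered, which is why the key, and ideally the baseline, belong on a separate system from the one being watched.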
What is Availability?
The final component of the CIA triad is also the one most often left out of consideration when one thinks about security. But what does it mean to be secure? Would you feel secure if your car failed to start? Would you feel secure if you were very sick and your doctor could not be found? Whether or not systems and data are available for use is just as crucial as the confidentiality and integrity of the data itself. Availability is the assurance that systems and data are accessible by authorized users when needed. If we can’t access the data we need, when we need it, we are not secure.
We prize availability just as we prize confidentiality and integrity. We want our friends and family to be there when we need them, we want food and drink available, we want our money available, and so forth. In some cases our lives depend on the availability of these things, including information. Ask yourself how you would feel if you needed immediate medical care and your physician could not access your medical records.
Threats to availability include loss of processing ability due to natural disasters; hardware failures; programming errors; human errors; injury, sickness, or death of key personnel; distributed denial of service (DDoS) attacks; and malicious code. We are more exposed to availability threats than to threats against the other two components of the CIA triad, and we are certain to face some of them. Safeguards that address availability include access controls, monitoring, data redundancy, resilient systems, virtualization, server clustering, environmental controls, continuity of operations planning, and incident response preparedness.
Note: This article is an excerpt from Security Program and Policies: Principles and Practices (2nd Edition) by Sari Greene.
Advance your Cybersecurity Maturity
An effective cybersecurity program requires a strategic approach because it provides a holistic plan for how you will achieve and sustain your desired level of cybersecurity maturity. An Information Security Policy is the foundation for a successful program to protect your information, prepare for and adapt to changing threat conditions, and withstand and recover rapidly from disruptions. Sage can help inform the process with federal guidance, industry standards, and international practice standards from the best sources.