Confidentiality, integrity and availability. These are the three components of the CIA triad, an information security model designed to protect sensitive information from data breaches.
The CIA triad is an important concept in the information security industry and is used in ISO 27001, a global standard for managing information security.
The GDPR also mentions the CIA triad in Article 32, which requires organisations to use appropriate measures to protect the confidentiality, integrity, availability, and resilience of their information processing systems and services.
But what exactly do we mean by confidentiality, integrity and availability, and how do they help protect organisations from security incidents?
Components of the CIA triad
Confidentiality is the first element of the CIA triad, which means keeping sensitive information private and secure.
The aim is to prevent unauthorised access to the data by cyber criminals or employees without legitimate access.
To ensure confidentiality, organisations need security measures that can identify unauthorised personnel and prevent them from accessing the data.
The second element of the CIA triad is integrity. This refers to the completeness and accuracy of data, as well as the organisation’s ability to protect it from corruption.
Data integrity plays an essential and unique role in data protection. We often think of data protection in terms of who has (or doesn’t have) access to information. However, it’s just as important to consider whether the information itself is correct.
If there are mistakes within the data, organisations might accidentally share classified information with the wrong person. There is also the possibility that the information won’t be delivered at all.
The third element of the CIA triad is availability. This refers to an organisation’s ability to access information when needed. Availability is compromised if, for example, a power cut knocks out an organisation’s servers or a Cloud hosting provider’s systems are disrupted.
Although data availability often refers to these sorts of organisation-wide issues, it can also apply to individual circumstances. For instance, an employee might have a technical problem that prevents them from viewing a sensitive file, or they might not have the keys to a filing cabinet.
Examples of the CIA triad
Data confidentiality usually applies to personal information, like customers’ names, contact details, and payment card information. These details should be stored in relevant databases and made accessible only to those who need it.
This might mean password-protecting files or setting up access controls. You should also consider storing different pieces of information in separate databases.
You wouldn’t, for instance, keep the customer account details, such as their username and password, in the same files as their other personal data. You should also silo highly sensitive data, such as credit card information and health records.
Confidentiality doesn’t only refer to personal data, though. It encompasses any information of a sensitive nature. This might include things such as intellectual property and corporate records. These too must be given adequate protection to ensure that only authorised personnel can gain access.
An example of why data integrity matters is a healthcare firm mailing a patient information about their medical condition.
The organisation must be certain that their records are correct, otherwise the recipient will receive incorrect information about their health status, or they might not receive an update at all. Meanwhile, the person who inadvertently received the communication will be privy to a third party’s health condition.
Data integrity can also refer to corporate data. For example, an organisation must ensure that the price of each product on their e-commerce site is listed correctly. If they inadvertently undercharge someone for an item, they are obliged to fulfil the order, which will have financial ramifications for the business.
An organisation’s systems, applications and data must be accessible to authorised users on demand. If, for example, the organisation suffers a power outage that knocks their systems offline, their operations will grind to a halt.
Likewise, if cyber criminals encrypt the organisation’s files in a ransomware attack, they will face major disruption.
Availability can also apply to a specific employee’s ability to view information. If there is a problem with their account or hardware, they might not be able to access information necessary to perform their job.
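To make the three properties concrete, here is an added example (not code from the original article) of a toy record store that enforces each one: siloed data with a per-silo access list for confidentiality, an HMAC tag over every stored record for integrity, and a second replica for availability. The silo names, users, integrity key and the card record are all constructed for illustration, and the key would of course need to be kept secret and managed properly in a real system.

```python
import hmac
import hashlib

# Constructed example values: the key, users, silos and record below are invented.
INTEGRITY_KEY = b"example-integrity-key-not-for-production"  # assumption: kept secret

# Confidentiality: sensitive data is siloed, and each silo has its own access list,
# so account credentials, card data and health records are never in one place.
ACL = {
    "accounts": {"alice", "bob"},   # usernames and password hashes
    "payments": {"alice"},          # payment card data: tighter silo
    "health":   {"carol"},          # health records: separate silo again
}

class AccessDenied(PermissionError):
    pass

class IntegrityError(ValueError):
    pass

class Unavailable(RuntimeError):
    pass

def seal(record: str) -> str:
    """Integrity: attach a keyed HMAC tag so later alteration is detectable."""
    tag = hmac.new(INTEGRITY_KEY, record.encode(), hashlib.sha256).hexdigest()
    return f"{record}|{tag}"

def unseal(sealed: str) -> str:
    """Integrity: recompute the tag and refuse to return a record that no longer matches."""
    record, _, tag = sealed.rpartition("|")
    expected = hmac.new(INTEGRITY_KEY, record.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise IntegrityError("record has been altered or corrupted")
    return record

class Replica:
    """One copy of the data; availability comes from having more than one."""
    def __init__(self, name: str, online: bool = True):
        self.name = name
        self.online = online
        self.store: dict[str, dict[str, str]] = {}   # silo -> {record_id: sealed}

    def get(self, silo: str, rid: str) -> str:
        if not self.online:
            raise Unavailable(f"{self.name} is offline")
        return self.store[silo][rid]

    def put(self, silo: str, rid: str, sealed: str) -> None:
        self.store.setdefault(silo, {})[rid] = sealed

class RecordStore:
    def __init__(self, replicas: list[Replica]):
        self.replicas = replicas

    def write(self, user: str, silo: str, rid: str, record: str) -> None:
        self._authorise(user, silo)
        sealed = seal(record)
        for replica in self.replicas:       # write to every replica
            replica.put(silo, rid, sealed)

    def read(self, user: str, silo: str, rid: str) -> str:
        self._authorise(user, silo)
        last_error = None
        for replica in self.replicas:       # fail over past offline replicas
            try:
                return unseal(replica.get(silo, rid))
            except Unavailable as err:
                last_error = err
        raise Unavailable("no replica could serve the request") from last_error

    @staticmethod
    def _authorise(user: str, silo: str) -> None:
        if user not in ACL.get(silo, set()):
            raise AccessDenied(f"{user} may not access silo {silo!r}")

def demo() -> dict:
    """Exercise one failure of each kind and report what the controls did."""
    primary, secondary = Replica("primary"), Replica("secondary")
    store = RecordStore([primary, secondary])
    store.write("alice", "payments", "c1", "card=4111********1111;exp=12/29")
    results = {}
    # Confidentiality: bob is in the accounts silo only, so the card read is refused.
    try:
        store.read("bob", "payments", "c1")
        results["bob_denied"] = False
    except AccessDenied:
        results["bob_denied"] = True
    # Integrity: someone edits the stored copy on the primary; the tag no longer matches.
    primary.store["payments"]["c1"] = primary.store["payments"]["c1"].replace("12/29", "12/31")
    try:
        store.read("alice", "payments", "c1")
        results["tamper_detected"] = False
    except IntegrityError:
        results["tamper_detected"] = True
    # Availability: the primary goes offline and the untouched secondary serves the read.
    primary.online = False
    results["served_from_secondary"] = store.read("alice", "payments", "c1")
    return results

if __name__ == "__main__":
    print(demo())
```

Note the design choice in `read`: an offline replica is skipped, but a replica whose record fails the integrity check is not. A corrupted or tampered record is surfaced as an error rather than quietly failed over, because silently serving a different copy would hide exactly the kind of problem the integrity control exists to reveal.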
Why is the CIA triad important?
Each aspect of the CIA triad represents the foundational principles of information security. Between them, they cover every possible way that sensitive data can be compromised.
But the triad is about more than the individual aspects of data protection; the three components work together to become more than the sum of their parts.
There is a reason that confidentiality, integrity and availability are thought of in a triangular pattern.
Each element connects with the others, and when you implement measures to ensure the protection of one, you must consider the ramifications it has elsewhere.
For example, say an organisation implements multifactor authentication on a piece of third-party software.
Doing so protects the confidentiality of sensitive data, making it harder for unauthorised actors to compromise an employee’s login credentials and view information on their account.
But it also hampers the availability of data, because employees now need to complete an authentication process to access the software.
Without the means to complete the authentication process – whether it’s a hardware token, an app on one’s phone or a functional biometric scanner – employees cannot continue.
Considering the three principles together within the framework of a triad helps organisations understand their needs and requirements when developing information security controls.
Implementing the CIA triad
The CIA triad runs through the heart of information security best practice. If you’re implementing the requirements of ISO 27001, the GDPR or any other framework, you are bound to run into the concepts of confidentiality, integrity and availability.
One thing that these frameworks have in common is the emphasis they place on risk assessments. ISO 27001 and the GDPR in particular mandate that organisations analyse their operations to measure the risks, threats and vulnerabilities in their systems that could compromise sensitive information.
By implementing controls to address these risks, you will satisfy one or more of the CIA triad’s core principles.
You can find out more about CIA cyber security by reading Risk Assessment and ISO 27001. This free green paper explains how you can complete the risk assessment process in line with best-practice advice.
You’ll learn how to determine the optimum risk scale so that you can determine the impact and likelihood of risks, how to systematically identify, evaluate and analyse risks, and how to create baseline security criteria.
If you’re planning to start the risk assessment process, vsRisk can help. It provides a fast and straightforward way to conduct consistent and repeatable information security risk assessments year after year.
The software comes with an asset library that assigns roles to each asset group, automatically applying relevant potential threats and risks.
The integrated risk, vulnerability, and threat databases eliminate the need to create a list of risks, while the built-in control sets help comply with multiple frameworks.
We’re currently offering a free 30-day trial of vsRisk. Simply add the number of licenses you require to your basket and proceed to the checkout.