CIA Triad

It is not wrong to say that information is power in today’s fast-changing competitive world. The one who has the right information at the right time and can use it in the right way is at the top of the pyramid.

It is therefore prudent to recognize that unavailable or incorrect information may lead management to make wrong or incompetent decisions and so jeopardize the business. Information must be protected so that the business can continue to operate as usual and successfully.

Information security exists to support business goals and objectives, not to become an impediment to them. Not just the IT and business staff but every employee in an organization, whether a security guard, a cleaner or contract staff, deals with one type of information or another, be it in:

– Information systems

– E-mails or postal mails

– Electronic records or Physical documents (e.g. printed papers)

– Storage media (e.g. USBs/disks, memory cards etc.)

– Or even the information transmitted while in verbal conversation (over phone calls, even while talking to someone in an elevator)

So it is evident that securing information is the responsibility of every employee in the organization and not just the Information Security Department.

Misuse or mishandling of information can not only result in personal trauma, job loss, or damage to personal or organizational reputation; it can also make the organization liable to lawsuits, regulatory sanctions, etc.

So what should be the basis for determining:

– How to classify information?

– Which information to secure?

– What should be the basis to secure it?

– What is the value of information?

– How much to spend on securing information?

So if we understand the meaning of CIA and can help employees understand it, will they be in a better position to make an intelligent decision when handling Confidential, Restricted and Public information, and information for the internal use of the organization? Let us explore.

What is CIA?

The CIA triad in the information security or cybersecurity space stands for Confidentiality, Integrity, and Availability of information, and it helps to answer the questions above.

Confidentiality: Protecting information from accidental or malicious disclosure.

Integrity: Protecting information from accidental or intentional (malicious) modification.

Availability: Making sure that information is available to those who need it, when they need it.

Why do we need CIA as a basis for Information security?

There is an enormous amount of information:

– Flowing through the network of networks. [In Transit]

– Stored in the cloud and on personal and other devices. [In Storage]

– Being processed by various systems and sub-systems. [In Process]

During its lifecycle, information passes through many stages and is handled by many hands. Hence it is not feasible for any organization to protect all the information from accidental or intentional disclosure, modification or deletion.

Therefore a ‘wise decision’ must be made to invest just enough money to implement various controls in order to protect the information assets based on the priority of their criticality and sensitivity.

That is the reason we must know how to classify information based on its Confidentiality, Integrity, and Availability needs: to make that wise decision and help the organization achieve its business objectives.

Why is CIA important?

To protect an organization’s information assets, it is essential for every employee to understand what CIA is, and how they can contribute to achieving CIA for the information they handle and so help achieve the organization’s goals and objectives.

Information is the key to the success of every organization today. Appropriately maintaining the Confidentiality, Integrity, and Availability of information thus becomes crucial in today’s business environment: once in the wrong hands, information can not only jeopardize day-to-day business operations or the achievement of business objectives, it can also threaten the very existence of the organization.

How can CIA be achieved?

The first step, before the information is weighed against CIA, is to classify it. Once information classification has taken place, it becomes easier for the information handler to decide whether the information needs to be protected and, if so, to what level.

Why must each employee in an organization know the CIA Triangle?

Simple examples:

Confidentiality: E.g. Encryption

In its simplest form: if you encrypt the message “I LOVE CYBER” with the encryption key ‘2’ (for example, by adding 2 to each character) into “K NQXG EADGT”, and only the person who knows the key can read this message (by subtracting 2 from each character), you protect the information from being disclosed or revealed to an adversary.

Integrity: E.g. Digital Hash, Digital signature

Once you have received the message “K NQXG EADGT”, you use your encryption key to decrypt it to “I LOVE CYBER”. But the question is: how do you ensure that the message actually sent was “I LOVE CYBER” and not anything else (i.e. that the integrity of the information is intact)?

To achieve integrity, you can use a formula (i.e. a hash formula) that derives the same fixed output (e.g. 3452) for the same input (“I LOVE CYBER”) every time it is used; that output can then be used to validate that the message is the same as the one sent. The receiver of the message applies the same formula that the sender used to generate the hash value, and if both values match, integrity is achieved.
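The two examples above in runnable form, as an added example that is not part of the original article: the shift-by-2 message, SHA-256 standing in for the article's "hash formula", and a keyed HMAC to show that a hash travelling with the message only proves integrity if nobody else can recompute it. The function names, the SECRET value and the altered messages are constructed for illustration, and the shift cipher is a teaching device, not protection for real data.

```python
import hashlib
import hmac

def shift(text: str, key: int) -> str:
    """Shift letters A-Z by `key` places, wrapping around; other characters pass through."""
    return "".join(
        chr((ord(c) - 65 + key) % 26 + 65) if "A" <= c <= "Z" else c
        for c in text
    )

def sha256_hex(message: str) -> str:
    """Unkeyed hash: the same input always gives the same fixed-length output."""
    return hashlib.sha256(message.encode()).hexdigest()

def hmac_hex(message: str, secret: bytes) -> str:
    """Keyed hash (HMAC-SHA-256): only holders of `secret` can produce a valid tag."""
    return hmac.new(secret, message.encode(), hashlib.sha256).hexdigest()

def receive(ciphertext, key, sent_hash, sent_tag, secret):
    """Decrypt, then return (plaintext, plain-hash check, HMAC check)."""
    plaintext = shift(ciphertext, -key)
    hash_ok = hmac.compare_digest(sha256_hex(plaintext), sent_hash)
    tag_ok = hmac.compare_digest(hmac_hex(plaintext, secret), sent_tag)
    return plaintext, hash_ok, tag_ok

KEY = 2                               # the article's encryption key
SECRET = b"constructed-demo-secret"   # constructed sample value, shared by sender and receiver
MESSAGE = "I LOVE CYBER"

def demo():
    ciphertext = shift(MESSAGE, KEY)
    sent_hash, sent_tag = sha256_hex(MESSAGE), hmac_hex(MESSAGE, SECRET)
    # 1. Message arrives unmodified: both checks pass.
    intact = receive(ciphertext, KEY, sent_hash, sent_tag, SECRET)
    # 2. One letter changed in transit, hash and tag untouched: both checks fail.
    corrupted = receive("K NQXG EADGS", KEY, sent_hash, sent_tag, SECRET)
    # 3. Message and its plain hash both replaced by a party without SECRET:
    #    the plain hash still matches, the HMAC does not.
    other = "I HATE CYBER"
    replaced = receive(shift(other, KEY), KEY, sha256_hex(other), sent_tag, SECRET)
    return ciphertext, intact, corrupted, replaced

if __name__ == "__main__":
    for row in demo():
        print(row)
```

The third case is why the heading lists digital signatures next to hashes: the check has to depend on something only the legitimate sender holds.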

Availability: E.g. Load balancing, RAID

If one server on which your application is hosted fails, you fail over to another connected server so that information processing is not interrupted. Similarly, if you are using RAID (Redundant Array of Independent Disks), it gives you the flexibility to switch over to another backup disk in case one fails.

The above examples give assurance that the information will always be available to the authenticated user whenever requested, even if one system or part of it fails, hence maintaining availability.

And remember, in the end the goal is always to make sure that every employee in the organization is able to make an informed decision to protect the information they are handling while performing their job role and day-to-day responsibilities, and that they are able to design, develop, deploy and dispose of systems in a way that protects the confidentiality, integrity, and availability of information.

If they understand the basic principles of security, they will be able to design and develop systems that seek to minimize the vulnerabilities and reduce the attack surface of systems being used by the organization.

CREDITS: All the content of this article belongs to the original author, Rajesh Laskary (CISSP, CISM, CEH, ISO 27001 LA, and ISO 27005 RM), a cybersecurity professional and a strong advocate of ‘Security-By-Design’, a writer and a cyber speaker based in Singapore.
