The CIA triad
InfoSec, the shorthand for information security, refers to procedures designed to secure data from unauthorized access or modification, whether the data is at rest or in transit. It covers a broad range of topics, including safeguarding the digital assets in which an organization holds its sensitive data.
Information security relies on three pillars known as the CIA Triad: Confidentiality, Integrity, and Availability, the preservation of which is defined in ISO/IEC 27000. See Figure 1.1 for a visual representation of the following three pillars:
- Confidentiality – Providing access only to authorized personnel who need it
- Integrity – Maintaining the information’s accuracy and completeness
- Availability – Making sure the information is available to authorized users when they need it
Figure 1.1 – CIA triad
Let’s see what each of the pillars in the triad means for information security.
Confidentiality
When an organization takes steps to keep its information private or secret, it is referred to as confidentiality. In the real world, this means limiting who has access to data in order to keep it safe from unwanted disclosure. Unauthorized disclosure of information or unauthorized access to information systems can be prevented by implementing confidentiality safeguards. For the confidentiality principle to be effective, sensitive information must be protected and only those who need access to accomplish their job responsibilities should be able to see or access it.
Confidentiality is required to prevent sensitive information from leaking to the wrong people. User data can be kept confidential with authentication controls such as passwords and by encrypting data that is in transit or at rest.
Integrity
In everyday usage, integrity refers to a person's or thing's ability to stand on its own two feet. In the same sense, integrity in information security entails the safeguarding of data from uncontrolled or unauthorized additions, deletions, or modifications. Integrity is based on the idea that data can be trusted to be accurate and not improperly altered.
The idea of non-repudiation, or the inability to deny an action, is closely linked to integrity. This criterion ensures non-repudiation of information and services and thus provides traceability of the actions performed on them. At all times, accuracy and consistency in data are vital. When it comes to integrity, you must be prepared to show that document credibility has been maintained, particularly in legal circumstances. Hashing, digital signatures, and digital certificates are often employed to ensure the integrity of data.
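The following is an added illustration of the hashing controls named above; it is not code from the book. It contrasts an unkeyed hash with a keyed hash (HMAC) over a constructed sample record, showing why a plain hash detects corruption but not deliberate tampering, and notes in the comments why a shared key still falls short of non-repudiation.

```python
import hashlib
import hmac
import secrets

# Constructed sample record whose integrity we want to protect (not real data).
ORIGINAL = b"Invoice #1042: pay 1,250.00 EUR to account DE00 0000 0000 0000 0000 00"
TAMPERED = b"Invoice #1042: pay 9,250.00 EUR to account DE00 0000 0000 0000 0000 00"


def sha256_tag(data: bytes) -> str:
    """Unkeyed hash: catches accidental corruption, but anyone can recompute it."""
    return hashlib.sha256(data).hexdigest()


def hmac_tag(key: bytes, data: bytes) -> str:
    """Keyed hash (HMAC-SHA256): only holders of the key can produce a valid tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_unkeyed(data: bytes, tag: str) -> bool:
    # compare_digest avoids leaking the mismatch position through timing.
    return hmac.compare_digest(sha256_tag(data), tag)


def verify_keyed(key: bytes, data: bytes, tag: str) -> bool:
    return hmac.compare_digest(hmac_tag(key, data), tag)


def demo() -> dict:
    key = secrets.token_bytes(32)  # shared by sender and verifier only
    plain_tag = sha256_tag(ORIGINAL)
    keyed_tag = hmac_tag(key, ORIGINAL)
    return {
        # 1. Accidental change: both schemes notice the record no longer matches.
        "unkeyed_detects_change": not verify_unkeyed(TAMPERED, plain_tag),
        "keyed_detects_change": not verify_keyed(key, TAMPERED, keyed_tag),
        # 2. Deliberate tampering: whoever edits the record can also recompute a
        #    plain hash, so the unkeyed check is satisfied by the forged pair...
        "unkeyed_fooled_by_recompute": verify_unkeyed(TAMPERED, sha256_tag(TAMPERED)),
        # ...whereas a tag made without the real key fails the keyed check.
        "keyed_resists_forgery": not verify_keyed(key, TAMPERED, hmac_tag(b"wrong", TAMPERED)),
    }
    # Note: because the HMAC key is shared, either party could have produced the
    # tag, so HMAC gives integrity but not non-repudiation. Non-repudiation needs
    # a digital signature, where only the signer holds the private key.
```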
Availability
It is useless for a business to have valuable systems, apps, or data that can’t be easily accessed by the people who need them. Being available implies all systems and apps are working as expected, and resources are available to authorized users in a timely and reliable manner. The goal of availability is to ensure that data and services are available when needed to make decisions.
Authorized users' access to the system and its services depends on availability: both should be reachable whenever the user needs them. Redundancy of important systems, hardware fault tolerance, frequent backups, extensive disaster recovery plans, and so on, are all ways to assure availability.
Accountability and cyber resilience
Accountability entails assigning explicit obligations for information assurance to each person who interacts with an information system. A manager responsible for information assurance can readily quantify the responsibilities of an employee within the context of the organization’s overall information security plan. A policy statement saying that no employee shall install third-party software on company-owned information infrastructure is one example. To be resilient in the face of cyberattacks, a business must be capable of anticipating them, preparing for them, and responding to them appropriately. This aids an organization in combating cyber threats, reducing the severity of attacks, and guaranteeing that the company continues to exist even after an attack has taken place. This is cyber resilience.
The CIA triad forms the foundation of information security standards such as ISO/IEC 27001. Let’s now look at some of the standards that are accessible in the information security sector.