The CIA triad consists of three principles that form the basis of an organization’s security systems and policies.
Understanding the CIA triad
The CIA triad is not at all affiliated with the American intelligence service. Instead, it is a common and respected framework that underpins an organization’s security infrastructure.
The CIA triad is an acronym of three principles: confidentiality, integrity, availability. Any time a website is taken down, a system is attacked, or an individual falls for a phishing scam, you can bet that at least one of these principles has been contravened.
Within an organization, security teams evaluate vulnerabilities and threats based on their potential effect on each principle in the triad. In more specific terms, teams assess applications, data, and critical systems and then endeavor to reduce risk via the implementation of controls.
The three principles of the CIA triad
Let’s now take a look at the three principles in more detail:
Confidentiality describes the ability of the organization to protect private or otherwise sensitive information from unauthorized access. In some organizations, employees have access to different levels of information based on rank or experience. Information can also be categorized according to the level of damage that would occur if it were obtained by an entity without the required permissions.
Confidentiality can be violated through deliberate acts such as network reconnaissance, escalation of system privileges, and electronic eavesdropping. However, a breach can also result from less intentional practices such as the sharing of user accounts or the absence of any authentication system.
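The "different levels of information based on rank" idea above is usually enforced as a clearance check: a reader may see a record only if their clearance is at least the record's classification label, and every decision (especially a denial) is written to an audit trail. The following is an added example, not code from the original article; the level names, users, documents and the audit format are constructed for illustration.

```python
"""Clearance-based read check with an audit trail.

A user may read a document only when their clearance dominates the
document's classification label ("no read up"). Allowed and denied
decisions are both recorded so a security team can review attempts.
Constructed example; names and labels are illustrative only.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    # Ordered by the damage disclosure would cause (constructed labels)
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


@dataclass(frozen=True)
class Document:
    name: str
    label: Level
    body: str


@dataclass(frozen=True)
class User:
    username: str
    clearance: Level


@dataclass
class AuditTrail:
    entries: list = field(default_factory=list)

    def record(self, user: User, doc: Document, decision: str) -> None:
        self.entries.append(
            f"user={user.username} doc={doc.name} "
            f"label={doc.label.name} decision={decision}"
        )


def can_read(user: User, doc: Document) -> bool:
    """'No read up': the user's clearance must be >= the document's label."""
    return user.clearance >= doc.label


def read_document(user: User, doc: Document, audit: AuditTrail) -> str:
    """Return the body only if the check passes; log allow and deny alike."""
    if can_read(user, doc):
        audit.record(user, doc, "allow")
        return doc.body
    audit.record(user, doc, "deny")
    raise PermissionError(f"{user.username} lacks clearance for {doc.name}")


def denied_attempts(audit: AuditTrail) -> list:
    """Denials are the events worth reviewing: repeated ones may signal misuse."""
    return [e for e in audit.entries if e.endswith("decision=deny")]


# Constructed sample data for the example (not real users or files)
PAYROLL = Document("payroll-2024.xlsx", Level.RESTRICTED, "salary table")
NEWSLETTER = Document("newsletter.txt", Level.PUBLIC, "company news")
ALICE = User("alice", Level.RESTRICTED)
BOB = User("bob", Level.INTERNAL)


def demo() -> dict:
    """Run every user against every document and summarize the outcomes."""
    audit = AuditTrail()
    results = {}
    for user in (ALICE, BOB):
        for doc in (PAYROLL, NEWSLETTER):
            try:
                read_document(user, doc, audit)
                results[(user.username, doc.name)] = "allow"
            except PermissionError:
                results[(user.username, doc.name)] = "deny"
    results["denied"] = len(denied_attempts(audit))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Because the check is keyed to an authenticated username, the audit trail can attribute every denial to a person; this is exactly what is lost when accounts are shared, as the paragraph above notes.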
In essence, integrity means the organization can give assurances that its information has not been tampered with in any way. These assurances mean the information in question is trusted, authentic, and reliable. To maintain integrity, data should be protected while it is in use, in transit, and in storage.
Integrity can be compromised in much the same way as confidentiality, but direct and indirect attacks can be countered with digital certificates, version control, auditing, and encryption, to name a few measures.
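One concrete way to make "has not been tampered with" checkable is to attach a keyed message authentication code to each record and refuse to use the record until the code verifies. The following is an added example (not from the original article) using HMAC-SHA256 from Python's standard library; the key and the invoice record are constructed for illustration.

```python
"""Tamper-evident records with HMAC-SHA256.

A tag is computed over a canonical serialization of the record and stored
beside it. Before the record is trusted, the tag is recomputed and compared
in constant time. A changed field or a tag produced with a different key
both fail verification. Constructed example; key and data are illustrative.
"""
import hashlib
import hmac
import json

# Constructed key for this example; a real deployment loads it from a secrets store
MAC_KEY = b"example-integrity-key-not-for-production"


def canonical_bytes(record: dict) -> bytes:
    """Serialize deterministically so equal data always yields equal bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(record: dict, key: bytes = MAC_KEY) -> dict:
    """Return the record together with its authentication tag."""
    tag = hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify(sealed: dict, key: bytes = MAC_KEY) -> bool:
    """Recompute the tag and compare in constant time; False means reject."""
    expected = hmac.new(key, canonical_bytes(sealed["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


def load_trusted(sealed: dict, key: bytes = MAC_KEY) -> dict:
    """Hand the record to the application only after integrity is verified."""
    if not verify(sealed, key):
        raise ValueError("integrity check failed: record rejected")
    return sealed["record"]


# Constructed sample record (not real data)
ORIGINAL = {"invoice": 1042, "payee": "ACME Supplies", "amount_cents": 125000}


def demo() -> dict:
    """Show the three outcomes: untouched, field modified, resealed with another key."""
    sealed = seal(ORIGINAL)
    untouched_ok = verify(sealed)

    # Stored copy altered without updating the tag: the amount is changed
    tampered = {"record": dict(sealed["record"], amount_cents=9125000), "tag": sealed["tag"]}
    tampered_ok = verify(tampered)

    # Same data sealed under a different key: the tag does not match ours
    other_key = seal(ORIGINAL, b"some-other-key")
    other_key_ok = verify(other_key)

    return {"untouched": untouched_ok, "tampered": tampered_ok, "other_key": other_key_ok}


if __name__ == "__main__":
    print(demo())
```

The canonical serialization step matters: if the producer and the verifier serialize the same dictionary differently (key order, whitespace), a legitimate record would fail the check and look like tampering.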
Availability means systems, applications, and data are accessible to authorized users when needed. Information should be readily and consistently available and its access should not require an inordinate amount of time.
Availability is often compromised when a natural disaster causes a power outage and no recovery system is in place. Natural disasters such as floods and snowstorms may also physically prevent employees from traveling to the workplace, which impacts the availability of business-critical applications and systems. More malicious impacts on availability include ransomware and denial-of-service (DoS) attacks.
To bolster this CIA triad principle, organizations can use redundant systems configured to take over automatically whenever a primary system has been compromised. Availability can also be improved by ensuring that software and security systems are upgraded when necessary, a process that some businesses tend to neglect.
- The CIA triad consists of three principles that form the basis of an organization’s security systems and policies.
- When a website is taken down, a system is attacked, or an individual falls for a phishing scam, at least one of the three principles of the CIA triad has been compromised.
- The CIA triad’s three principles are confidentiality, integrity, and availability. Confidentiality describes the ability of the organization to protect sensitive information, while integrity ensures that information is authentic and has not been tampered with. Availability, on the other hand, means that systems, applications, and data are accessible to authorized users when needed.