Concept – The C-I-A Triad
When building an Information Security Management System, there is a concept that should be followed to design the measures for protecting information stored in computer systems. This concept is known as C-I-A or Confidentiality, Integrity and Availability.
The three components can be described as:
- Confidentiality: a system’s ability to ensure that only the correct, authorised user/system/resource can access or use data contained within that system, i.e. information is protected.
In a non-security sense, confidentiality is your ability to keep something secret. For example, in the real world, you may obscure the view into your home by putting curtains on the windows.
Confidentiality as it relates to using technology in the home environment may include the use of VPNs or encryption to ‘hide’ your online traffic from view.
In enterprise security, confidentiality is considered breached when an unauthorised person can view, copy and/or change files.
- Integrity: a system’s ability to ensure that systems and information are accurate and correct, i.e. the expected, accurate state of that information is maintained.
In computer systems, integrity means that the information they store is precise, factual and can be trusted and relied upon.
When securing any information system, part of the security framework must concentrate on preventing accidental or deliberate damage to the information.
- Availability: a system’s ability to ensure that information and services are available whenever they are needed, i.e. technology systems and services are up and running.
Availability is a term widely used in IT – it generally means the availability of resources to support your operational services.
In security, availability means the information and/or your systems are available to people who would normally have access to them.
An attack on availability, rather than on the information itself, could limit user access to some or all of your services, meaning the information may still be intact but not accessible.
No security framework is absolutely guaranteed to protect against every threat all of the time. But if the C-I-A triad is used to evaluate risks and vulnerabilities, it should assist in formulating a set of preventive measures suitable to safeguard several different elements of your technology environment.
The theory is that every potential threat, vulnerability or attack can be distilled down to an attempt to compromise one function of the triad (and sometimes a combination of them). For example:
- a data breach has impact on the confidentiality of your data;
- accidental data modification degrades the integrity of your data;
- a ransomware incident limits the availability of your information systems and may also lead to a breach of confidentiality of your data.
Understanding what is being threatened will help define how you can build protection against that attack. In the case of ransomware, it is easy to view it as an exotic malware attack, but treating it with such a narrow focus could result in incomplete measures to safeguard against this type of attack. If instead it is viewed as an attack designed to limit the availability of data and possibly breach confidentiality, you can take additional mitigation steps that would not be included if your primary focus were narrower.
The C-I-A triad applies to an ISMS at a strategy and policy level and can also help you drill down into specific controls – it can be used to evaluate the risk of different types of attack and understand the consequences of each. This holistic approach is important when defining the measures to be included in the ISMS.
A security framework covers systems, guidelines, policies and processes for a wide range of topics. Each topic has its own special focus, involving a set of measures designed to handle security for a specific area of an organisation’s operation and the technology solutions used.
In defining the measures included in an ISMS, the interconnected nature of information systems must be considered to ensure a complete understanding of the risks presented by the linkages that exist – a holistic perspective.
Remember too that security isn’t just about your technology; there are elements of how your business operates that will influence what security controls are needed in different areas.
A typical ISMS/framework will cover:
- Organisation Management
- Asset Management
- Information Management
- Access Control
- Physical Security
- Use of ICT Systems
- ICT Operational Management
- Software Development
- Business Continuity and Disaster Recovery
Note that all material developed within a company’s ISMS applies to its employees, contractors and other parties that are engaged to provide services that may have relevance to information management.
The ISMS should also provide a framework for the organisation to interact with its customers and clients, with particular relevance to the management of information provided by or affected by those partners.
With this in mind, there needs to be consideration given to the topics of:
- Human Resources
- Supplier Relationships
More To Come...
Look out for the next instalment in this topic.