
No, we’re not talking about the Central Intelligence Agency.

We mean the Confidentiality Integrity Availability triad, and it’s all about information.

The CIA triad is a security model developed to help people think about important aspects of cyber security and strengthen security awareness.

Confidentiality 

  • You gotta keep your PII from falling into the wrong hands!
  • Set up appropriate levels of access to the information, separate types of information and organize it by who should have access to it.
  • Some common ways of managing confidentiality on individual systems include traditional Unix file permissions, access control lists, and both file and volume encryption.

Integrity

  • Keep the integrity of your data by protecting it from tinkering or deletion by unauthorized people.
  • Some data, like user account controls, should be locked to prevent it from being inappropriately changed, because such changes can quickly lead to major service interruptions and confidentiality breaches.
  • Other data, like user files, should be open to change, but also reversible (in case you screw something up).
  • Version control systems and more traditional backups are common ways to ensure data integrity.
  • Traditional Unix file permissions, and even more limited file permission systems, can also be an important factor in single-system measures for protecting data integrity.
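
Unix file permissions appear above under both Confidentiality and Integrity. As an added example (not part of the original post), this Python sketch audits a directory and labels each risky permission bit with the triad property it affects. The file names and the rule that world-read means a confidentiality finding and group- or world-write means an integrity finding are simplifying assumptions made for the illustration.

```python
import os
import stat
import tempfile

def classify_mode(mode):
    """Map Unix permission bits to the triad property they put at risk."""
    findings = []
    if mode & stat.S_IROTH:
        findings.append("confidentiality: readable by any local user")
    if mode & stat.S_IWOTH:
        findings.append("integrity: writable by any local user")
    elif mode & stat.S_IWGRP:
        findings.append("integrity: writable by the owning group")
    return findings

def audit_tree(root):
    """Walk root and return {relative_path: [findings]} for regular files."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks out of the tree
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, devices, sockets
            findings = classify_mode(stat.S_IMODE(st.st_mode))
            if findings:
                report[os.path.relpath(path, root)] = findings
    return report

def demo():
    """Build a constructed sample tree (hypothetical file names) and audit it."""
    samples = {"payroll.csv": 0o644, "accounts.conf": 0o666,
               "notes.txt": 0o600, "shared.doc": 0o660}
    with tempfile.TemporaryDirectory() as root:
        for name, mode in samples.items():
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write("constructed sample data\n")
            os.chmod(path, mode)  # explicit chmod is not altered by the umask
        return audit_tree(root)

if __name__ == "__main__":
    for path, findings in sorted(demo().items()):
        for finding in findings:
            print(f"{path}: {finding}")
```

Group-writable files are often intentional for shared work, so treat those findings as items to review rather than errors.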

Availability

  • Your data must be available. Systems, access channels, and authentication mechanisms must all be functioning properly for the information they provide and protect to be available when needed.
  • High Availability (HA) systems are computing resources specifically designed to improve availability. They might target power outages, upgrades, and hardware failures.
  • Some methods to improve availability are HA clusters, failover redundancy systems, and rapid disaster recovery capabilities.

The CIA triad is often used to plan a good security policy, so it helps to know its principles.  However, you should also understand its limitations: it is only a starting point.  It is helpful as a beginning when developing a security policy, but do not treat it as the end.

 

The Security Awareness Company
