Sudo Jvck

The CIA Triad

The CIA Triad is an Information Security model that should be referenced or considered when creating a security policy. This model can also be applied to situations that aren't necessarily classified as "Cyber Security", like filing, cold record storage, etc.


The model consists of three elements: Confidentiality, Integrity & Availability. This model has become the industry standard over the years because it helps determine the value of the data, procedure or policy it's applied to, and in turn, the level of consideration it needs from the business.


This model should be considered a cycle of continuous strategy. Some of these elements will overlap at times. However, if even one element is not satisfied, the other two are considered useless. Ex: If a security policy doesn't satisfy all 3 elements of the triad, it won't be considered effective.




CONFIDENTIALITY


Confidentiality is simply securing data from unauthorized access or misuse. Organizations have sensitive data that needs constant protection from outside parties.


EX: Billing records would be considered sensitive information. Confidentiality can be applied here by restricting access to these records to an approved list of employees. Now, billing records aren't as sensitive as government records, so the access controls wouldn't be as extreme in this instance.



INTEGRITY


Integrity refers to the condition of the data being protected: ensuring the data stays accurate and consistent unless it is changed by authorized parties. This aspect is maintained when the stored information remains unchanged during transmission, storage & any usage that does not involve modification.


EX: Hash verifications and digital signatures can help ensure that transactions are authentic and that files have not been modified or corrupted.
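As an added example (not part of the original post), here is a small integrity check of the kind described above: a manifest of SHA-256 digests detects files that were modified, corrupted or removed, and a keyed tag (HMAC-SHA256, standing in for the digital signature; a real signature would use a public/private key pair) stops someone who altered the files from simply rewriting the manifest to match. The file contents and the key are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample "files": name -> bytes (stands in for files on disk).
FILES = {
    "billing-2024-q1.csv": b"invoice,amount\n1001,250.00\n1002,99.50\n",
    "policy.txt": b"Access to billing records is limited to the approved list.\n",
}


def build_manifest(files: dict) -> dict:
    """Record a SHA-256 digest for every file so later changes can be detected."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def verify_manifest(files: dict, manifest: dict) -> list:
    """Return the names of files whose current digest does not match the manifest
    (modified, corrupted, or missing). An empty list means integrity holds."""
    bad = []
    for name, expected in manifest.items():
        data = files.get(name)
        if data is None or hashlib.sha256(data).hexdigest() != expected:
            bad.append(name)
    return bad


def sign_manifest(manifest: dict, key: bytes) -> str:
    """Keyed tag (HMAC-SHA256) over the manifest. A bare digest list can be
    rewritten by whoever altered the files; the tag ties the manifest to a key
    the modifier does not hold, playing the role of the digital signature."""
    canonical = "\n".join(f"{n} {d}" for n, d in sorted(manifest.items())).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def manifest_is_authentic(manifest: dict, key: bytes, tag: str) -> bool:
    """True only if the manifest was tagged with this key and not altered since."""
    # compare_digest avoids leaking timing information about the tag
    return hmac.compare_digest(sign_manifest(manifest, key), tag)


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed; in practice, kept out of reach of file editors
    manifest = build_manifest(FILES)
    tag = sign_manifest(manifest, key)
    tampered = dict(FILES)
    tampered["billing-2024-q1.csv"] = b"invoice,amount\n1001,250.00\n1002,9950.00\n"
    print("mismatched files:", verify_manifest(tampered, manifest))
    print("forged manifest accepted?", manifest_is_authentic(build_manifest(tampered), key, tag))
```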



AVAILABILITY


In order for data to be used, it must be available for all approved parties. This means that information should be available when authorized users need to access it.


When data is unavailable, it often results in damage to the business's reputation, even a loss of clientele. Availability is achieved through a variety of elements:


EX: Well-tested hardware can combat unplanned outages due to faulty equipment. Redundancy should also be considered in case of any system/service failures. Security protocols also assist with the integrity of information by only allowing permitted parties in, protecting the technologies & information from attacks.



Hope this helps you on your path. I'll see you next week!