CIA: The Key Information Security Principles
What is the CIA triad? Why is it so important in the world of information security? How to find the right balance?
— Dusty
Learning Objectives
Summarize fundamental security concepts:
- CIA Triad:
  - Confidentiality
  - Integrity
  - Availability
What is the CIA triad and why is it so important?
The CIA triad is a model that is used to guide the design and implementation of information security systems. It stands for Confidentiality, Integrity, and Availability, and represents the three key pillars of information security.
- Confidentiality refers to the protection of information from unauthorised disclosure. It is important to ensure that sensitive information is only accessible to those who are authorised to view it and that it is not disclosed, whether intentionally or accidentally, to unauthorised parties.
- Integrity refers to the protection of information from unauthorised modification. It is important to ensure that information is accurate and reliable. This means ensuring that it is not modified or corrupted by unauthorised parties, and also that those who are authorised to make some changes cannot make changes they are not authorised to make.
- Availability refers to the ability of authorised users to access information and systems when they need them so that they can do their jobs. It is important to ensure that this access is not disrupted by cyber attacks or other types of incidents.
Finding the right balance.
Confidentiality, Integrity and Availability can often be in conflict with each other. In certain situations, the importance of one aspect of the triad may outweigh the others depending on the goals of the security implementation.
For instance, a conflict may arise between confidentiality and availability in organisations that handle highly sensitive data which is only accessible to a select group of authorised users and must be safeguarded from unauthorised disclosure at all costs. In such cases, confidentiality is typically prioritised over availability: the organisation may be willing to sacrifice ease of access for the few who are authorised in order to keep the data confidential from those who are not.
In most cases it is important to find the right balance rather than maximising one aspect at the expense of another. Finding the right balance all comes down to risk management, which we will cover in another article. Essentially, each organisation will have a risk management matrix in place to calculate which risks it is willing to tolerate and which risks it has to mitigate. Using these calculations, it can find the right configuration for each aspect of the CIA Triad so that any remaining risk is tolerable to the organisation.
Making a start.
Most security objectives relate to achieving one of the three aspects of the CIA triad. By focusing on confidentiality, integrity, and availability in their systems and processes, and finding the right balance between them, organisations can ensure a strong baseline level of security for their assets against a wide range of threats and start achieving their security goals.
So it is important to make a start on the security objectives relevant to your organisation, even if this won't produce a fully comprehensive security program straight away.