The CIA triad is an information systems security term that refers to the critical task of data protection. The core goal of information security is to assure the confidentiality, integrity and availability of all the sensitive data kept by an organization. That’s critical for the continuity of business operations, as well as legally and ethically required.
So what is the CIA triad?
It is the set of goals that lets an organization safely use paper- and computer-based data systems, email, fax machines, telephones, web browsers, and even spoken conversation, by providing:
Confidentiality of data – where you ensure that critical data is only accessed by people with proper approval and on a need-to-know basis.
Confidentiality is related to the broader concept of data privacy – the act of limiting access to Personally Identifiable Information (PII). In the US, a range of state and federal laws, with abbreviations like FERPA, FSMA, and HIPAA, set the legal terms of privacy.
Integrity of data – where you do everything possible to protect business and client information from unauthorized alteration. Integrity is all about the trustworthiness of information and the assurance that data have not been changed inappropriately, whether by accident or deliberately. It also includes making sure that the data actually came from the person or entity you think it did, rather than an impostor. In many cases, it comes down to making sure that the information recorded reflects the actual, reliable and correct record or circumstance. At the end of the day, it is the business owner’s job to make sure that the business’s information system includes mechanisms to preserve, without corruption, whatever was transmitted or entered into the system, right or wrong.
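Both halves of the integrity goal above (no unauthorized alteration, and the data really came from who you think it did) can be checked with a keyed message authentication code. The following is an added example, not code from the original post: it uses Python's standard-library HMAC-SHA256 with a constructed shared key and a constructed invoice message, and shows that a tag verifies only for the exact original message and only for the holder of the real key.

```python
import hmac
import hashlib

# Constructed sample key: in practice this is provisioned out of band between
# sender and receiver and kept in a secrets store, never hard-coded.
SHARED_KEY = b"example-shared-key-do-not-use-in-production"


def tag_message(message: bytes, key: bytes = SHARED_KEY) -> str:
    """Return a hex HMAC-SHA256 tag binding the message to whoever holds the key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_message(message: bytes, tag: str, key: bytes = SHARED_KEY) -> bool:
    """True only if the tag was computed over exactly this message with this key.

    compare_digest is a constant-time comparison, so a wrong tag is rejected
    without leaking how many leading characters happened to match.
    """
    expected = tag_message(message, key)
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    """Run the three cases the text describes: genuine, altered, impostor."""
    original = b"INVOICE 1042: pay 1,250.00 USD to ACME Ltd"   # constructed
    tag = tag_message(original)

    # Unauthorized alteration: a single digit of the amount was changed in transit.
    tampered = b"INVOICE 1042: pay 9,250.00 USD to ACME Ltd"

    # Impostor: the right message text, but tagged with a key the sender never had.
    impostor_tag = tag_message(original, b"attacker-guessed-key")

    return {
        "genuine": verify_message(original, tag),        # True
        "tampered": verify_message(tampered, tag),       # False: content changed
        "impostor": verify_message(original, impostor_tag),  # False: wrong origin
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:9s} -> {'accepted' if ok else 'rejected'}")
```

The tag protects integrity and origin, not confidentiality: the invoice text still travels in the clear, so for sensitive content it is combined with encryption rather than used on its own.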
Availability – where you ensure that critical business information is readily available to authorized users and applications as needed. Businesses today are highly dependent on functioning information systems. Many could not operate without them.
Availability, like other aspects of security, may be affected by purely technical issues (e.g., a malfunctioning part of a computer or communications device), natural phenomena (e.g., wind or water), or human causes (accidental or deliberate).
While the relative risks associated with these categories depend on the particular context, the general rule is that humans are the weakest link. (That’s why each user’s ability and willingness to use a data system securely are critical.)
The provision of Confidentiality, Integrity and Availability is something most businesses take for granted, especially those that provide services dealing with sensitive data like finance, health and legal matters. Consider the following scenarios:
- janitors working at night freely browsing customer information that was left open on a computer without a screen-saver password
- a partially printed result of a retina scan that was thrown into a trashcan
- a sensitive email that was sent without encryption
- a USB drive full of financial reports, with no password protection or encryption, carelessly left at the front desk
- an employee loudly discussing sensitive business details on the phone at an airport
The biggest area where most small businesses fail is in the area of availability – making sure that resources are available to users and clients when needed. This is because over seventy percent of small businesses do not make any effort to back up their critical data. I have dealt with enough to know that it is only when a hard drive fails, or a memory module goes bad (the famous server crash) that they scramble around begging any computer support provider they can find to “do whatever it takes to get our stuff back”. Sadly, in most cases it is either too late or is going to cost an outrageous amount to recover the data through high-end data recovery software or service.
What can you do? We’ll talk about this in the next installment.