How can the CIA triad be applied in risk management?

Podcast Transcript

Welcome to this week’s Third Party Thursday! My name is Aaron Kirkpatrick and I’m the Information Security Officer here at Venminder. During this video we are going to discuss what the CIA triad is and what it has to do with Vendor Management.

Let’s talk about the core fundamental concepts of information security, the CIA triad of information security. How does my vendor’s approach to CIA - or Confidentiality, Integrity and Availability - affect you and your customers?

What is the CIA Triad?

The CIA Triad is the foundation of information security:

  1. Confidentiality seeks to prevent unauthorized disclosure of information.
  2. Integrity seeks to ensure that data is not modified by unauthorized means.
  3. Availability ensures that information is available when needed and only to authorized personnel.

You are expected to understand your vendor’s approach to security, which is their posture on Confidentiality, Integrity and Availability. 

How do you verify your vendor’s approach?

1. Confidentiality: Can be breached at numerous points along the flow of information. 

  • Does your vendor qualify and monitor its employees?
  • Does your vendor conduct regular third party assessments to identify potential vulnerabilities?
  • Does your contract have a non-disclosure clause?
  • Does your vendor encrypt data in-transit and at-rest?
  • The amount of data you share with your vendors should correlate to your contractual agreements and other controls on both sides to protect that data.

2. Integrity: Financial institutions have to be confident that their data is not modified.

  • Has your vendor implemented thorough Logical and Physical Access Controls?
  • Does your vendor have a well-formed Backup Policy that’s implemented and effective?
  • What data validation checks are performed?

3. Availability: Through Service Level Agreements, SOC Reviews, Business Continuity and Disaster Recovery Plan Reviews, and Cybersecurity Reviews, financial institutions need to have access to their information.

  • Are you able to assure your customers that their information is readily available?
  • Do you have a Service Level Agreement in place with your vendor and are you sure they meet these commitments?
  • Does your vendor have a well-formed Business Continuity and Disaster Recovery Plan?
  • Have their plans been updated and tested recently?

To fully understand your vendor’s position on Confidentiality, Integrity and Availability, it’s essential to perform your vendor due diligence. 

Again, I’m Aaron Kirkpatrick and thank you for watching! If you haven't already, please subscribe to the Third Party Thursday series!

Learn about the CIA Triad and why it can be a helpful model to guide policies for information security within an organization.

What Is the CIA Triad?

Just in case the phrase “CIA Triad” on its own successfully grabbed your attention, I regret to inform you that, no, the CIA Triad does not have anything to do with the Central Intelligence Agency, a group of secret spies, James Bond, or conspiracy theories. The “CIA” in “CIA Triad,” in reality, is an acronym that stands for the terms Confidentiality, Integrity, and Availability. These three terms are meant to serve as the foundation and guiding principles of organizations’ security architectures, procedures, and policies.

Why Use the CIA Triad Security Model?

Confidentiality, Integrity, and Availability together in this context can also be thought of as a three-sided boundary with an organization’s sensitive data and critical systems protected in the center. When a security incident such as a data breach occurs, whether through human error, an insider threat, or a cyberattack, at least one side of that boundary has been broken.

By framing their organization’s security in this way, security professionals can simplify the process of identifying the organization’s most vulnerable points and reducing the risk of security incidents appropriately. Security professionals can also use the CIA Triad to simplify employee training on best security practices.

Definitions and Examples of Each Principle

Confidentiality

Confidentiality refers to an organization’s ability to keep its sensitive data private and prevent unauthorized access from both internal and external parties. Confidentiality is particularly applicable to organizations that must follow compliance laws and regulations, such as those that handle sensitive medical or financial information.

Maintaining confidentiality in practice can take many forms. For employees, maintaining confidentiality may simply mean having to type a password to access an organization’s systems, using multifactor authentication, or perhaps even ensuring that their immediate workspace is secured while they’re away. On the organizational level, maintaining confidentiality could mean prompting employees to periodically change their passwords, employing data classification and/or digital rights management solutions, or transitioning from a flat network to a segmented network with more stringent access controls.

Integrity

Integrity refers to an organization’s ability to maintain its data’s trustworthiness, authenticity, and correctness throughout the data’s entire life cycle. This means that data should never be tampered with, deleted, or otherwise compromised, so that it remains reliable. While an attacker could compromise an organization’s integrity by altering configuration files, tampering with intrusion detection systems, or changing system logs, integrity can also be compromised unknowingly at any time because of lax corporate data security policies.

Organizations can protect the integrity of their data by employing granular access controls, encryption, hashing, digital signatures and certificates, auditing, and more. Ultimately, organizations need to know at all times where their data is, who is in possession of the data, how the data is being handled, and whether or not any changes are being made.

Availability

Availability refers to the ability of authorized parties to consistently access an organization’s data and systems at will. An organization’s availability can be compromised incidentally in the event of hardware or software failure, power failure, human error, or a natural disaster. However, an organization’s availability can also be purposefully compromised like in a distributed denial of service (DDoS) attack.

Organizations can maintain the availability of their data by keeping their hardware up-to-date and in working condition, regularly patching and updating software, and backing up data. In the event of a worst-case scenario like a DDoS attack, organizations must have a disaster recovery plan in place.

What Does Using the CIA Triad Accomplish?

Ultimately, the goal of the CIA Triad is to frame security risk in an easy-to-understand way so as to simplify the process of mitigating threats and vulnerabilities. For example, if an organization were hit with a DDoS attack or a ransomware attack, both of which can cause system access failure, these can be thought of as attacks against the organization’s availability rather than as separate issues. By treating these two types of attacks as a single issue, organizations are more likely to find controls that address both.

Is the CIA Triad a foolproof model? Certainly not, and because of the ever-growing threat landscape, it can be quite difficult to maintain total confidence in your organization’s confidentiality, integrity, and availability at all times. But for organizations that are only just beginning to take their security seriously, organizations that need to fine-tune their security policies, or for organizations and security teams that are looking to build back stronger after a security incident, following the principles of the CIA Triad can be a fantastic starting point.

What is the CIA triad and how is it applied in information security?

The CIA triad (confidentiality, integrity and availability) is a model designed to guide policies for information security within an organization. The model is also sometimes referred to as the AIC triad (availability, integrity and confidentiality) to avoid confusion with the Central Intelligence Agency.

What is CIA in risk assessment?

Identify the security objectives (confidentiality, integrity and availability, or CIA) for each asset and assign the asset a weighting, then conduct an impact assessment based upon the criticality of the asset to the operation of the company.
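One way to carry out the weighted CIA impact assessment described above, as an added example that is not from the original page: each asset gets a 1-3 (low/moderate/high) rating per objective plus a criticality weight, and the overall level follows the highest single rating (the "high-water mark"), since one broken side of the triad is enough to cause an incident. The rating scale, the weighting formula and the three assets are assumptions constructed for the example.

```python
"""Weighted CIA impact assessment over a small asset inventory (added example)."""
from dataclasses import dataclass

# Assumed rating scale: 1 = low, 2 = moderate, 3 = high impact if the objective is lost
LEVELS = {1: "low", 2: "moderate", 3: "high"}


@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: int   # impact of unauthorized disclosure, 1-3
    integrity: int         # impact of unauthorized modification, 1-3
    availability: int      # impact of the asset being unavailable, 1-3
    criticality: float     # assumed weight: importance to company operations


def validate(asset):
    for rating in (asset.confidentiality, asset.integrity, asset.availability):
        if rating not in LEVELS:
            raise ValueError(f"{asset.name}: ratings must be 1, 2 or 3")
    if asset.criticality <= 0:
        raise ValueError(f"{asset.name}: criticality must be positive")


def high_water_mark(asset):
    """Overall level is the highest of the three ratings: one weak side breaks the boundary."""
    validate(asset)
    return LEVELS[max(asset.confidentiality, asset.integrity, asset.availability)]


def weighted_impact(asset):
    """Criticality-weighted sum of the three ratings, used to rank assets for due diligence."""
    validate(asset)
    total = asset.confidentiality + asset.integrity + asset.availability
    return round(asset.criticality * total, 2)


def rank_assets(assets):
    """Return (name, level, score) rows with the highest score first."""
    rows = ((a.name, high_water_mark(a), weighted_impact(a)) for a in assets)
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed sample inventory (not real assets)
INVENTORY = [
    Asset("vendor-hosted core banking API", 3, 3, 3, 2.0),
    Asset("marketing website", 1, 2, 2, 0.5),
    Asset("HR payroll export", 3, 2, 1, 1.0),
]

if __name__ == "__main__":
    for name, level, score in rank_assets(INVENTORY):
        print(f"{score:5.1f}  {level:8s}  {name}")
```

The ranked list is the order in which to schedule vendor due diligence; the high-water-mark level tells you which objective's evidence (encryption, access controls, BCP/DR testing) to ask for first.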

How the CIA triad or the key security concepts are used in the real world applications?

The CIA Triad is a widely used information security model. It guides an organization's efforts to ensure data security. The three principles, confidentiality, integrity, and availability (the full form of CIA in cybersecurity), form the cornerstone of a security infrastructure.

What is the inverse of CIA triad in risk management?

The opposite of Confidentiality is Disclosure, the opposite of Integrity is Alteration, and the opposite of Availability is Destruction.