
Information Security and the CIA Triad

Have you ever heard people talking about Information Security and using terms like sensitivity, criticality, confidentiality, integrity, availability? If you have trouble understanding the connection then this article will help explain what is meant by each term and how they relate to each other.

Let's start by asking a few simple questions:

  • “How much do you want to protect your information from improper disclosure?”
  • “When you use your information, to do your job, how accurate and up-to-date must it be?”
  • “Can you afford to wait a while to get the information you need to do your job?”

Information Security is the process of protecting the valuable information assets of a company using administrative, physical, and logical controls to ensure you get the right answers to these questions. The concepts of administrative, physical, and logical controls will be covered in my next article.

But what exactly is to be protected? The answer to that is what is referred to as the CIA Triad: confidentiality, integrity, availability. And these are based on the sensitivity and criticality of the information.

If information is sensitive then we must maintain its confidentiality; who is allowed to see the information, who is allowed to modify and/or delete it? This isn’t only about unauthorized individuals; the information must also be protected from authorized users based on their “need-to-know”. An authorized user’s use of the information must be to meet a business objective; an item may be marked as “internal use only” but if it isn’t part of your job you shouldn’t be looking at it.

If the information is critical, then in what respect is it critical: its integrity, its availability, or both? When you use the information, how accurate must it be (integrity)? When you need the information, how quickly can you get to it (availability)?

Integrity actually involves a lot more than just accuracy, and a lot more than the simplistic view that it is only about controlling who can modify the information. Think of: completeness, validity, consistency, uniqueness, accuracy (electronic), accuracy (real), precision, accessibility, timeliness, clarity, and sufficiency.

Availability is based on the concept that when I want the information to do my job it is there for me: 1. I don't have to wait too long for it, i.e. great response time! … and 2. it hasn't been lost or destroyed!

Controls to protect sensitivity involve classifying the information’s confidentiality, labelling it, and handling it appropriately.

Controls to protect criticality involve classifying the information’s integrity and availability, and then designing proper storage methods, handling procedures, and supporting IT systems to meet those needs.

The concepts of confidentiality, integrity, availability, and “need to know” boil down to one simple premise … that “the right people get the right information at the right time for the right reason”.
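The “need-to-know” rule above (a cleared user may still be denied when the information isn't part of their job) and the “right people, right information, right time, right reason” premise can be written down as a small access-decision function. The following is an added illustration, not code from the original article; the classification labels, user names and business purposes are constructed sample data.

```python
from dataclasses import dataclass

# Sensitivity labels, ordered from least to most sensitive (constructed example).
LEVELS = {"public": 0, "internal use only": 1, "confidential": 2, "restricted": 3}


@dataclass(frozen=True)
class Document:
    name: str
    classification: str        # sensitivity label, e.g. "internal use only"
    purposes: frozenset        # business purposes that justify access to it


@dataclass(frozen=True)
class User:
    name: str
    clearance: str             # highest label the user is authorized to see
    job_purposes: frozenset    # business purposes the user's job actually requires


def access_decision(user: User, doc: Document, purpose: str) -> tuple:
    """Return (allowed, reason).

    Access needs BOTH an adequate clearance (confidentiality) AND a stated
    business purpose that is part of the user's job and that the document
    permits (need-to-know). Passing only the clearance test is not enough."""
    if doc.classification not in LEVELS or user.clearance not in LEVELS:
        return False, "unknown classification label"
    if LEVELS[user.clearance] < LEVELS[doc.classification]:
        return False, f"clearance '{user.clearance}' is below '{doc.classification}'"
    if purpose not in user.job_purposes:
        return False, f"'{purpose}' is not part of {user.name}'s job"
    if purpose not in doc.purposes:
        return False, f"'{purpose}' does not justify access to {doc.name}"
    return True, "right person, right information, right reason"


# Constructed sample data: one payroll document and three users.
PAYROLL = Document("payroll sheet", "internal use only",
                   frozenset({"payroll processing", "internal audit"}))
ALICE = User("Alice", "confidential", frozenset({"software development"}))
BOB = User("Bob", "internal use only", frozenset({"payroll processing"}))
CAROL = User("Carol", "public", frozenset({"payroll processing"}))


def demo() -> dict:
    """Evaluate a few requests; cleared-but-no-need-to-know (Alice) is denied."""
    return {
        "alice": access_decision(ALICE, PAYROLL, "payroll processing")[0],
        "bob": access_decision(BOB, PAYROLL, "payroll processing")[0],
        "carol": access_decision(CAROL, PAYROLL, "payroll processing")[0],
    }
```

Alice has a higher clearance than the document requires, yet is denied because payroll processing is not part of her job; Bob is allowed; Carol fails the confidentiality test before need-to-know is even considered.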

In summary: sensitivity implies confidentiality; criticality implies integrity and availability; integrity is accuracy and a whole lot more; and availability is speed of access and protection from loss or destruction!

If you need additional information or help on this visit our web site at  We have a complete set of documents to help you with your information security program.

Source by Donald Johnston
