Posted on Sep 1, 2021
Confidentiality, Integrity, and Availability. These are the three core components of the CIA triad, an information security model meant to guide an organization’s security procedures and policies.
While people outside the information security community might hear the phrase CIA Triad and think “conspiracy theory,” those in the cybersecurity field know that the CIA Triad has absolutely nothing to do with the Central Intelligence Agency and everything to do with keeping your organization's data, networks, and devices safe and secure.
The CIA triad is widely accepted as a model in information security. It’s not a singular doctrine and there was no one author. Rather the model appears to have developed over time, with roots as old as modern computing, pulling concepts from various sources. Ben Miller, vice president for Dragos, seems to be one of the few people who has done any digging on the origins of the triad. He wrote a blog post 11 years ago about its roots and was unable to find a single source. Instead, the concepts seem to be pulled from a few different documents: a 1976 paper for the U.S. Air Force, for example, and a paper written in the 1980s about the difference between commercial and military computer systems.
Whatever the source, the CIA triad has three components:
All of these concepts are important on their own to security professionals of all kinds. The reason these three concepts are grouped into a triad is so information security professionals can think of the relationship between them, how they overlap, and how they oppose one another. Looking at the tension between the three legs of the triad can help security professionals determine their infosec priorities and processes.
Think of logging into an e-commerce site to check your orders and make an additional purpose. The e-commerce site uses the three principles of the CIA triad in the following ways:
This is just one example of how the triad can be practically applied. There are several, more specific examples for each leg of the CIA stool.
For example, examples of Confidentiality can be found in various access control methods, like two-factor authentication, passwordless sign-on, and other access controls, but it’s not just about letting authorized users in, it's also about keeping certain files inaccessible. Encryption helps organizations secure information from both accidental disclosure and malicious attacks.
Integrity can be maintained with access control and encryption as well, but there are many other ways to protect data integrity, both from attacks and corruption. Sometimes it’s as simple as a read-only file. Sometimes, it involves hashing or data checksums, which allow data to be audited to ensure the data hasn’t been compromised. In other cases, integrity might be protected physically from outside sources that might corrupt it.
Availability is really about making sure your systems are up and running so that business can continue, even in the face of an attack. DDoS (Distributed Denial of Service) attacks rely on limited availability, for example. For this reason, creating a DDoS response plan and redundancy in your systems is a way of ensuring availability. However, when there’s no attack, systems can still fail and become unavailable, so load balancing and fault tolerance are a way to keep systems from failing.
The CIA triad alone is not enough to keep your data secure. You also need to be aware of where your risks are.
SecurityScorecard can help you monitor your information security across 10 groups of risk factors with our easy-to-understand security ratings. Our ratings continuously monitor every part of your security operation.
We monitor your information security by keeping an eye on your data and the systems and networks you have in place to protect it, and we also monitor your cybersecurity by making sure your organization’s systems are patched when they need to be, and that there’s no hacker chatter about your organization on the dark web. Once your score drops, you’ll know that something has changed, and our platform will then offer remediations to help you fix the problem before there’s a breach.
Vendor management is the process an organization utilizes to assess and manage a third- or fourth-party vendor. Learn how SecurityScorecard can help.
Performing cybersecurity risk assessments is a key part of any organization’s information security management program. Read our guide.
Templates and vendor evaluations are needed to level that playing field, in a time efficient and fair way, so that the best vendors are chosen.
Co-founder and CEO, Alex Yampolskiy, speaks about the importance of measuring and acting on key indicators of cybersecurity risk.
You can’t manage what you can’t measure. Check out our list of the top 20 cybersecurity KPIs to track in 2021.
No waiting, 100% Free
Get your free scorecard and learn how you stack up across 10 risk categories. Answer a few simple questions and we'll instantly send your score to your business email.