Business are concerned with information security in their physical as well as electronic presence and systems. As electronic systems often gather employee and customer data, store financials, store identities and health records, store code and designs, and other protected data, those electronic systems are often a target for hackers and people wanting to possess. destroy or release that information. In order to maintain that information in a way that is private, protected, and accessible, Donn B. Parker, a security consultant and researcher, developed the cybersecurity triad, called the C.I.A. Triad in 1998 (Marks, n.d.). C.I.A. stands for confidentiality, integrity, and availability. Confidentiality, integrity, and availability are the core things that any company and its information security program is responsible for and accountable for (Gelbstein, 2013, p.26). Later, Donn B. Parker shored up the triad with three more elements: authenticity, possession and control, and utility (Gelbstein, 2013, p.26).
Accountability to Confidentiality
Businesses are accountable to their customers, employees, and other stakeholders in the realm of confidentiality. Confidentiality refers to “ensuring that information can only be accessed by those authorized to do so” (Gelbstein, 2013, p.26). Confidentiality requires data classification to identify what data is for public access, and what data is locked down to particular parties (like the finance team or a particular customer). This data classification is done by a custodian of the data who decides what data should be accessible by whom and under what conditions the data can be accessed by them (Gebstein, 2013, p.29).
Certain organizations, like the U.S. Department of Defense, have classification requirements that require a secret or top-secret clearance to access certain documents. According to the “DoD Guide to Marking Classified Documents” published by the U.S. Department of Defense, there are three levels of classified national security information: “CONFIDENTIAL,” “SECRET,” and “TOP SECRET” (Paige, 1997, p.3). The Department of Defense also has a policy for de-classifying documents after a certain time if there is not a reason to keep them classified. The Office of the Director of National Intelligence published a guide which explains what levels of classification go to what kinds of documents (Ewing, 2014, p.8-9). “TOP SECRET” information has the potential risk of being “exceptionally grave” to national security (Ewing, 2014, p.10), for example.
Custodians of data, after classifying the data and determining the appropriate access levels for each piece of information, put controls in place, such as permissions or role-based access, to protect that data from unauthorized access (Gelbstein, 2013, p.29). Strong authentication methods as well as encryption by VPN or by HTTPS are methods to maintain confidentiality (Walkowski, 2019).
Accountability to Integrity
Businesses are accountable to their customers, employees, and stakeholders in the realm of data integrity and the integrity of information systems. Integrity of information (or systems) means that the information (or source code or a system like a web server) has not been changed without authorization, lost, or corrupted. Businesses must preserve the “accuracy and completeness of information” and ensure that no unauthorized edits are made to the information (Gelbstein, 2013, p.26). Data integrity targets the changeability of information in addition to the systems that the business uses (Marks, n.d.). A server can be corrupted to do something malicious, for instance, causing the system to lose integrity. A press release can be tampered with, feeding false information to the public, causing the information to lose integrity.
Integrity leads to trust. Safeguarding data and systems against tampering and corruption ensures that data can be trusted and is reliable (Walkowski, 2019). Having controls in place to detect changes and alterations to data and systems is a crucial part of ensuring that reliability. Examples of controls that protect integrity include encryption, hashing, digital signatures, intrusion detection systems, audits, version control, change logs, and access controls (Walkowski, 2019). In the example of intrusion detection systems, they log access to the network, systems, and data. A good intrusion detection system monitors traffic and alerts on suspicious activity. It can also be used forensically to determine what systems or data were accessed, and whether data or systems were changed. This can be used to verify integrity of data.
Accountability to Availability
Businesses are accountable to their customers, employees, and stakeholders for the availability of information systems and data. Availability refers to the accessibility of information and systems when they need to be accessed (Gelbstein, 2013, p.26). Is the server up when people need to access files on it? Are the files actually there? Is email up when people need to send email? Is the Internet working, so that the business can operate? Availability addresses all of these things. Availability means that information systems are functioning when needed, along with the security controls and infrastructure needed to protect that data or system (Marks, n.d.). Debbie Walkowski, a Security Threat Researcher for F5 Labs, indicates that availability means that all “networks, systems, and applications are up and running” and that they are accessible only by authorized users who have “timely, reliable access to resources when they are needed” (Walkowski, 2019).
An example of availability happened earlier today. Pennsylvania’s Governor Tom Wolf gave a speech in which he announced the statewide closure of all non-essential businesses in the coronavirus outbreak. So many visitors went to the site at once that they brought down the governor’s streaming site (https://www.governor.pa.gov/live). This is known as a DDoS (distributed denial of service). Since thousands of people were trying to access the site at once, they caused the servers to crash with too many requests, making the service unavailable.
Another example of availability has been occurring over the last week. In a rush to enable employees to work remotely, most companies have been telling their employees to access networks via VPN. Many companies’ Internet connections cannot sustain the traffic used by all of their users trying to access the server from the outside through a VPN. Everyone connecting at once made the VPN connection unusable over the Internet. All the internal systems were unavailable. This lack of availability is directly affecting the business’ business continuity.
In conclusion, confidentiality of classified data, integrity of data and systems, and availability of data and systems are concepts that a business is responsible and accountable for providing to its customers, employees, and stakeholders (vendors, partners, shareholders, etc). Many companies achieve this through hiring a cybersecurity manager or chief information security officer and delegating the responsibility to them, or to some outsource firm. Ultimately, the company itself is accountable for any breaches, downtime, data loss, and system failures that could cause identity theft, loss of privacy, and financial loss.
Gelbstein, E. (2013). Information Security for Non-Technical Managers. Bookboon.
Marks, Paul. (n.d.). Cybersecurity and the Parkerian Hexad. Retrieved from https://www.staffhosteurope.com/blog/2019/03/cybersecurity-and-the-parkerian-hexad
Paige, Emmett, Jr. (1997). DoD Guide to Marking Classified Documents. Command, Control, Communications, and Intelligence. Retrieved from https://apps.dtic.mil/dtic/tr/fulltext/u2/a340216.pdf
Ewing, Mark. (2014). Office of the Director of National Intelligence Classification Guide. Retrieved from https://www.dni.gov/files/documents/FOIA/DF-2015-00044%20(Doc1).pdf
Walkowski, Debbie. (2019). What is the CIA Triad? Retrieved from https://www.f5.com/labs/articles/education/what-is-the-cia-triad