This video discusses the three fundamental pieces of information security: confidentiality, integrity, and availability.
- [Instructor] There are three fundamental components to information system security: confidentiality, integrity, and availability. Often when we look at the realization of a risk, it is the result of a failure to provide one of the three tenets of security properly. So let's look at each of these three tenets and how they apply to the security of our systems. The first tenet is confidentiality. Confidentiality is concerned with preventing the disclosure of data or information to unauthorized people or systems. When we are concerned with confidentiality, we ask two main questions: how secure is the information, and how secure does the information need to be?
In order to increase the confidentiality of data, we will implement things like encryption of the data, both at rest and in transit, access control lists on our network devices, proper data classification, locked doors, fences, security guards, and other technical and nontechnical means. Confidentiality has failed if someone can obtain or view the data you're attempting to protect. This is an important distinction, because if someone can hack into your network and retrieve an encrypted file, but they're unable to decrypt it to read it, then you have not had a breach of your confidentiality.
The second tenet is integrity. Integrity is concerned with protecting the data from unauthorized modifications or data corruption. When we're concerned with integrity, we ask two main questions: how correct is the information, and has the data been modified during retrieval, in transit, or in storage? In order to increase the integrity of the data, we're going to implement things like hashing of files and information to ensure that it's accurate, and checksums during the transmission of the data over the network. Integrity has failed if someone can modify the data during its retrieval, while it's being transferred, or while it's being stored, which is called data at rest.
The third tenet is availability. Availability is concerned with ensuring the data is accessible when and where it's needed. When we're concerned with availability, we ask the questions: how much uptime is the system providing, and is the data always accessible by the end user? In order to increase the availability of the data, we're going to implement things like increasing the redundancy of the system design by providing redundant components and data paths, providing detailed backup strategies, and establishing a good disaster recovery plan. Availability has failed if the end user cannot access the data when they need it.
A great example of this is if your company's servers are suffering at the hands of a denial of service attack. Your end users can no longer access the data even though the data still maintains its full confidentiality and integrity while sitting on the server. Often you'll see the CIA triad displayed as shown here with three equally balanced legs of a triangle, each one perfectly balanced, but this approach is extremely hard to obtain. Instead, one or more of the tenets will be more important to your organization's business practices, and additional resources and controls will be applied to maintaining those components of security.
It is a good idea to categorize potential risk by considering the impact to your organization in each of the three tenets of security. These potential impacts are categorized as low, moderate, or high. A low impact to your organization in confidentiality, for example, would mean that an unauthorized disclosure of information will have a limited adverse effect. A moderate impact in integrity, for example, would mean that an unauthorized modification will have a serious adverse effect on the organization. A high impact in availability, for example, means that there will be a severe adverse effect on the organization.
This categorization of low, moderate, and high impacts is required for any information systems owned and operated by the US government. This falls under FIPS 199, Federal Information Processing Standards Publication 199. This is not mandatory for commercial businesses, but it is considered a best practice and is widely followed by most businesses as part of their risk management programs.
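The integrity controls the instructor mentions, hashing a file and checksumming it in transit, are worth seeing in working code, together with the caveat a practitioner would want: a plain hash stored next to the data catches accidental corruption, but an attacker who can rewrite the data can recompute an unkeyed hash as well. The following is an added example, not code from the course or from any vendor; the payroll record, the key, and the tampering scenarios are all constructed here for illustration. It goes slightly beyond the transcript by pairing the plain SHA-256 checksum with a keyed HMAC so the difference shows up side by side.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed sample record; stands in for a file at rest or a message in transit.
ORIGINAL = b"payroll,2024-06,employee=1042,amount=5200.00\n"


def sha256_hex(data: bytes) -> str:
    """Plain checksum: any change to the bytes changes the digest."""
    return hashlib.sha256(data).hexdigest()


def hmac_hex(key: bytes, data: bytes) -> str:
    """Keyed digest: cannot be recomputed by anyone who does not hold the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify(data: bytes, stored_sha256: str, stored_hmac: str, key: bytes) -> dict:
    """Recompute both values on retrieval and compare them in constant time."""
    return {
        "sha256_ok": hmac.compare_digest(sha256_hex(data), stored_sha256),
        "hmac_ok": hmac.compare_digest(hmac_hex(key, data), stored_hmac),
    }


def flip_one_bit(data: bytes, index: int = 0) -> bytes:
    """Accidental corruption: a single bit flipped in storage or on the wire."""
    buf = bytearray(data)
    buf[index] ^= 0x01
    return bytes(buf)


def attacker_modifies(data: bytes) -> Tuple[bytes, str]:
    """Deliberate modification: the attacker changes the amount and, because a
    plain hash needs no secret, recomputes the SHA-256 to match the new content."""
    forged = data.replace(b"5200.00", b"9200.00")
    return forged, sha256_hex(forged)


def run_scenarios(key: Optional[bytes] = None) -> dict:
    """Return the verification result for each scenario; keys are scenario names."""
    # Hypothetical shared secret, known only to the writer/sender and the verifier.
    key = key or secrets.token_bytes(32)
    stored_sha = sha256_hex(ORIGINAL)
    stored_mac = hmac_hex(key, ORIGINAL)

    results = {}
    # 1. Nothing changed: both checks pass.
    results["unmodified"] = verify(ORIGINAL, stored_sha, stored_mac, key)
    # 2. Corruption in transit or at rest: both checks fail.
    results["bit_flip"] = verify(flip_one_bit(ORIGINAL), stored_sha, stored_mac, key)
    # 3. Attacker rewrites the record and the unkeyed checksum next to it:
    #    the plain hash still matches, only the keyed tag detects the change.
    forged, forged_sha = attacker_modifies(ORIGINAL)
    results["attacker"] = verify(forged, forged_sha, stored_mac, key)
    return results


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:>11}: sha256_ok={result['sha256_ok']}  hmac_ok={result['hmac_ok']}")
```

Running it shows `unmodified` passing both checks, `bit_flip` failing both, and `attacker` passing the plain checksum while failing the HMAC. The design point is where the verification value lives: a checksum the attacker can reach and rewrite only tells you about accidents, so the value must either be keyed (HMAC), signed, or stored somewhere the writer of the data cannot touch.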
- Risk mitigation strategies and controls
- Data security classification
- Extreme scenario and worst-case scenario planning
- Risk management of new products, technologies, and user behaviors
- Business models and strategies
- Third-party outsourcing and security
- Integrating diverse industries
- Security, privacy policies, and procedures in risk management
- Metrics collection and analysis
- Analyzing security solutions