
CIA

The CIA triad of information security was
created to provide a baseline standard for
evaluating and implementing information
security regardless of the underlying system
and/or organization. The three core goals have
distinct requirements and processes, but they
overlap with and depend on one another.
 Confidentiality: Ensures that data or an
information system is accessed only by
authorized persons. User IDs and
passwords, access control lists (ACLs)
and policy-based security are some of
the methods through which
confidentiality is achieved: access must
be restricted to those authorized to view
the data. Data encryption is a common
method of ensuring confidentiality, and
two-factor authentication is becoming the
norm. Other options include biometric
verification and security tokens, key
fobs or soft tokens.

 Integrity: Integrity assures that the data
or information system can be trusted. It
ensures that data is edited only by
authorized persons and remains in its
original state at rest. Cryptographic
hashes, message authentication codes
(MACs) and digital signatures are the key
mechanisms for providing integrity;
encryption on its own hides data but does
not by itself detect modification. Integrity
involves maintaining the consistency,
accuracy and trustworthiness of data
over its entire life cycle. Data must not
be changed in transit, and steps must
be taken to ensure that data cannot be
altered by unauthorized people without
detection.

 Availability: Data and information
systems are available when required.
Hardware maintenance, software
patching/upgrading and network
optimization ensure availability.
Availability is best ensured by rigorously
maintaining all hardware, performing
hardware repairs immediately when
needed and maintaining a correctly
functioning operating system
environment that is free of software
conflicts. It's also important to keep
current with all necessary
system upgrades. Safeguards against
data loss or interruptions in connections
must account for unpredictable events such
as natural disasters and fire. To prevent
data loss from such occurrences,
a backup copy may be stored in a
geographically isolated location,
perhaps even in a fireproof, waterproof
safe. Extra security equipment or
software such as firewalls and proxy
servers can guard against downtime
and unreachable data due to malicious
actions such as denial-of-service (DoS)
attacks and network intrusions.
PARKERIAN HEXAD MODEL

Confidentiality
Confidentiality is essentially about the
visibility of information. Only the right
parties have access to certain information.
This seems simple, but it remains one of
the biggest challenges. A familiar example
is the use of HTTPS when you visit a
website with sensitive information, such as
that of your bank. The connection carrying
your data is encrypted, so an attacker who
observes the network cannot read this
information.

Possession or Control
Possession or control is about who holds
information or a system, independently of
whether they can read it. For example, if
attackers want to overload a service, they
look for a large number of machines from
which they can perform their attack
simultaneously, often by exploiting known
problems in those systems; the owners of the
compromised machines have lost control of
them. Likewise, attackers may steal data and
not do anything with it, but the worry is
that they could as and when they wanted to.
This is a loss of control or possession of
the information, even before any of it is
disclosed or misused.
Integrity
In information security, data integrity means
maintaining and assuring the accuracy and
completeness of data over its entire
lifecycle. Integrity focuses on the
changeability of information as well as
systems. In other words, no one may be
able to adjust information in an
unauthorised or undetected manner.
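The two integrity sections above (the CIA bullet and this one) both come down to the same check: a receiver must be able to tell whether data was altered in transit. The following Python example is added here and is not part of the original notes. It uses a constructed transfer instruction and an illustrative XOR stream cipher (keystream derived with HMAC-SHA256; a stand-in for any stream or CTR-mode cipher) to show that encryption alone lets an attacker change the amount without the key, while an HMAC tag over the ciphertext (encrypt-then-MAC) makes the same edit detectable. Key and nonce values are generated at random inside the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Illustrative keystream: HMAC-SHA256 in counter mode. Not a vetted cipher;
    the malleability shown below is a property of any XOR-based encryption."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def xor_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Confidentiality only. The same function decrypts, since XOR is its own inverse."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, nonce, len(data))))


def attacker_rewrite(ciphertext: bytes, offset: int, known: bytes, wanted: bytes) -> bytes:
    """Without the key, XOR (known plaintext ^ wanted plaintext) into the ciphertext.
    After decryption the bytes at `offset` read `wanted` instead of `known`."""
    ct = bytearray(ciphertext)
    for i, (k, w) in enumerate(zip(known, wanted)):
        ct[offset + i] ^= k ^ w
    return bytes(ct)


def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers nonce and ciphertext, so any bit flip is detected."""
    ct = xor_encrypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes) -> Optional[bytes]:
    """Verify the tag in constant time before decrypting. None means: tampered, reject."""
    if len(blob) < 16 + 32:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return xor_encrypt(enc_key, nonce, ct)


def demo() -> Dict[str, Optional[bytes]]:
    enc_key, mac_key = secrets.token_bytes(32), secrets.token_bytes(32)
    nonce = secrets.token_bytes(16)
    message = b"PAY 0100 TO ALICE"  # constructed sample transfer instruction

    # 1. Encryption alone: the attacker changes the amount without the key.
    ct = xor_encrypt(enc_key, nonce, message)
    forged = attacker_rewrite(ct, offset=4, known=b"0100", wanted=b"9900")
    unauthenticated = xor_encrypt(enc_key, nonce, forged)  # receiver decrypts happily

    # 2. Encrypt-then-MAC: the same edit on the sealed blob is rejected.
    blob = seal(enc_key, mac_key, nonce, message)
    forged_blob = attacker_rewrite(blob, offset=16 + 4, known=b"0100", wanted=b"9900")
    authenticated = open_sealed(enc_key, mac_key, forged_blob)

    return {
        "original": message,
        "unauthenticated": unauthenticated,  # b"PAY 9900 TO ALICE": silently altered
        "authenticated": authenticated,      # None: tampering detected
        "untouched": open_sealed(enc_key, mac_key, blob),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>15}: {value!r}")
```

The tag is checked before decryption and with a constant-time comparison; both choices matter in practice, since decrypting unverified data exposes the decryptor to padding-oracle style attacks and a byte-by-byte comparison leaks how much of a forged tag was correct.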
Authenticity
Authenticity is where much of today's
attacker effort is aimed. It refers to the
accuracy and truth of the origin of the
information. For example, a digital signature
can be used to verify who produced a digital
document, and at the same time the integrity
of the document. You have probably had to
enter a code after logging in, received via
SMS or email. This second factor ensures that
attackers cannot take over your account with
your password alone.
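The one-time code described above proves that the person logging in holds a second factor the attacker does not. The following Python example is added here and is not from the original notes; it implements the HOTP algorithm from RFC 4226 (the counter-based scheme behind hardware tokens and authenticator apps, a sibling of the delivered SMS/email code) together with the server-side check that makes it useful: a look-ahead window so a client that skipped codes is still accepted, a moving counter so a code cannot be replayed, and a constant-time comparison. The shared secret used in the demonstration is the RFC 4226 test secret.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' selects 4 bytes at an offset taken from the last nibble."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class HotpVerifier:
    """Server side of the second factor. The shared secret ties a code to one
    enrolled device; the moving counter is what stops replay of an observed code."""

    def __init__(self, secret: bytes, look_ahead: int = 5) -> None:
        self.secret = secret
        self.look_ahead = look_ahead  # tolerate a client that generated a few unused codes
        self.next_counter = 0         # lowest counter value still acceptable

    def verify(self, submitted: str) -> bool:
        for counter in range(self.next_counter, self.next_counter + self.look_ahead):
            # compare_digest is constant-time, so timing does not leak which digit mismatched
            if hmac.compare_digest(hotp(self.secret, counter), submitted):
                self.next_counter = counter + 1  # consume this and every earlier code
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 4226 Appendix D test secret
    for c in range(3):
        print(c, hotp(secret, c))  # 755224, 287082, 359152 per the RFC test vectors
```

Note what the counter does: once code 2 has been accepted, codes 0 and 1 are dead even though they were never used, so an attacker who captured an earlier code cannot submit it later. Without that state, or with an unbounded look-ahead, the "second factor" degrades to a static secret.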
Availability
Fully functioning information systems need
to be able to grant authorised access when
needed. The systems used to store and
process the information, the security
controls used to protect it, and the
communications channels used to access it
must all be working correctly. Many different
key roles are needed within a successful
information security team for the CIA triad
to be provided efficiently.
Utility
Utility is all about usefulness. Imagine
someone encrypted data on a disk in order
to prevent unauthorised access or
undetected modifications, but then they lost
the decryption key. This example highlights
a breach of utility. Whilst the data would be
confidential, in its owner's possession,
intact, authentic and available, it just
wouldn't be useful in that form. Another
example would be converting salary data from
one currency into an inappropriate currency;
this too would be a breach of utility. Utility
is not to be confused with availability: the
data may be reachable, but time is needed to
work around the change in data format or
presentation, and that usefulness is distinct
from availability.
Computer security, cybersecurity or information technology security is the protection of
computer systems from theft or damage to their hardware, software or electronic data, as well
as from disruption or misdirection of the services they provide.

Information security, sometimes shortened to InfoSec, is the practice of preventing unauthorized
access, use, disclosure, disruption, modification, inspection, recording or destruction of
information. The information or data may take any form, e.g. electronic or physical.
