CIA Triad - The Model For Data Security

Jul 23, 2020

The CIA triad is one of the best-known and most established models for security and policy development among businesses around the world. The aim of the CIA triad is to let businesses develop their internal security while following a globally recognised standard model.

So, what is the CIA triad? It is made up of three parts:

Confidentiality: In general, confidentiality means that information is kept private, to be read or known only by a select few, if anyone at all. Within the CIA triad the premise is much the same, but in more specific terms it means keeping information and data confidential through security mechanisms such as usernames, passwords, access control lists (ACLs) and encryption. The idea is that the information stays confidential rather than being at risk of falling into the wrong hands. Most commonly, data is classified from highest risk to lowest risk should someone obtain it: for example, someone’s full bank details and address will be kept extremely secure, while someone’s first name and country of origin will still be kept secure, but less tightly than the bank details and full address. This is at the business’s discretion, but it is also governed by law, such as GDPR.

How to ensure this is applied: Make sure that all access control lists and file permissions are checked and updated frequently; this ensures there are no out-of-date permissions or access granted where it shouldn’t be. Ensure all data is encrypted and protected through standard methods such as strong passwords and, if possible, a form of two-factor authentication in addition; this can be an email address and phone number, for example.
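As an added illustration of the permission review described above (example code, not from the original post), this Python script walks a folder and reports every file whose POSIX mode grants more access than an assumed policy allows. The policy, file names and modes are constructed for the demo.

```python
import os
import stat
import tempfile
from pathlib import Path

# Policy assumed for this example (not from the post): files holding personal
# data must not be readable, writable or executable by "other", nor group-writable.
FORBIDDEN_BITS = stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH | stat.S_IWGRP


def audit_permissions(root: str) -> list:
    """Walk root and return (relative path, octal mode) for every regular file
    whose mode grants access the policy forbids; symlinks are skipped so a link
    pointing outside the tree is not reported in its place."""
    findings = []
    root_path = Path(root)
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            if full.is_symlink():
                continue
            mode = full.stat().st_mode
            if mode & FORBIDDEN_BITS:
                findings.append((str(full.relative_to(root_path)), oct(stat.S_IMODE(mode))))
    return sorted(findings)


def demo() -> list:
    """Build a constructed tree with one compliant and two over-permissive files."""
    tmp = tempfile.mkdtemp()
    private = Path(tmp) / "bank-details.csv"
    shared = Path(tmp) / "hr" / "salaries.xlsx"
    public = Path(tmp) / "names.txt"
    shared.parent.mkdir()
    for f in (private, shared, public):
        f.write_text("constructed sample\n")
    os.chmod(private, 0o600)  # owner only: compliant
    os.chmod(shared, 0o664)   # group-writable: flagged
    os.chmod(public, 0o644)   # world-readable: flagged
    return audit_permissions(tmp)


if __name__ == "__main__":
    for path, mode in demo():
        print(f"{mode} {path}")
```

Running the audit on a schedule and diffing its output against the previous run is one simple way to make the "frequent check" in the post concrete.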

Integrity: Alongside confidentiality, it is incredibly important to have data integrity. Maintaining the integrity of data, and of how it is handled internally, matters because it helps prevent accidents when data is edited by authorised members of staff and, in worse cases, edits made by unauthorised people, which could be classed as a data breach and is a problem in itself. Data can be protected in several ways: version control is a huge positive for data integrity, and another way to apply and ensure it is to add file permissions and user access controls. With these in place, the chance of files being accidentally deleted or edited by internal staff, or tampered with by external people trying to cause a data breach, is greatly reduced.

How to ensure this is applied: Whenever documents are changed, ensure version control is updated with the colleague’s or staff member’s name attached, so that if something is changed with malicious intent it is recorded. Data logs also need to be kept, so that whenever data is changed the change is recorded on the log. Make sure you have a backup and recovery process set up; if possible use backup and recovery software, which is easier than building an entire process yourself while still ensuring a process is in place if need be. Ensure that your company has a regularly updated security and IT policy, and that employees and colleagues are aware of any data retention policies your company has; all of this helps towards keeping your data set up in the most secure way possible.
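As an added example, not part of the original post: a small Python integrity check that keeps a hash baseline of a document folder, records each authorised edit with the colleague’s name in an append-only log, and reports any file that changed without a log entry. The file names, the person "j.smith" and the JSON-lines log format are constructed assumptions.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Digest a file in chunks so large documents need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Baseline: relative path -> SHA-256 of every file under root."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def record_change(log: Path, path: str, who: str, old: str, new: str) -> None:
    """Append one JSON line per authorised edit, naming the person who made it."""
    entry = {"time": datetime.now(timezone.utc).isoformat(), "file": path,
             "changed_by": who, "old_sha256": old, "new_sha256": new}
    with log.open("a") as f:
        f.write(json.dumps(entry) + "\n")


def verify(root: Path, baseline: dict, log: Path) -> list:
    """Return files that differ from the baseline (modified, added or deleted)
    without a matching entry in the change log."""
    logged = {json.loads(l)["file"] for l in log.read_text().splitlines() if l} if log.exists() else set()
    current = snapshot(root)
    return sorted(p for p in set(baseline) | set(current)
                  if baseline.get(p) != current.get(p) and p not in logged)


def demo() -> list:
    """Constructed scenario: one recorded edit and one silent edit."""
    root = Path(tempfile.mkdtemp())
    log = root.parent / (root.name + ".changes.jsonl")  # kept outside the tree
    (root / "policy.docx").write_text("v1")
    (root / "contacts.csv").write_text("alice,uk\n")
    baseline = snapshot(root)
    old = baseline["policy.docx"]
    (root / "policy.docx").write_text("v2")
    record_change(log, "policy.docx", "j.smith", old, sha256_of(root / "policy.docx"))
    (root / "contacts.csv").write_text("alice,uk\nmallory,unknown\n")  # not logged
    return verify(root, baseline, log)
```

In practice the baseline and log would live on a system the editors cannot write to, otherwise whoever tampers with a file can also tamper with the record of it.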

Availability: Availability within the CIA triad means that data, information and resources are readily available to the correct people, with the correct access, when required. This can be implemented in a huge range of ways, through processes such as failover, RAID, redundancy and high-availability clusters. These are used to migrate any sensitive and protected data when something goes wrong, and serve as a completely secure and protected backup in case of a serious malfunction or data breach. Disaster recovery plans need to be in place as well; alongside your hardware, they ensure you have a plan if something does go wrong. The idea is that data is kept safe and secure while also remaining available to the people who need it.

How to ensure this is applied: Make sure that as a business you have a disaster recovery plan in place; this ensures that if you do have an issue you can get back the data that was breached, or at least get to a point where all staff can work again. Make sure you have monitoring systems on your network infrastructure, so that it is monitored at all times for potential issues. With all of the network and server applications in use, it is vital that they are always kept up to date with the latest version.

The overall concept of the CIA triad can seem daunting, as there are a multitude of factors to consider while ensuring you and your business are fulfilling all three parts. If you or your business need help with any of these, or with any other cyber security needs, please do not hesitate to contact us today and find out how we can help you become cyber secure.
