It is not wrong to say that information is power in today’s fast changing competitive world. The one who has right information at the right time and can use it in a right way is at the top of pyramid.
It is therefore prudent to know that unavailability of information or incorrect information may result in wrong or incompetent decision making by the management resulting in jeopardizing the business and hence the information must be protected in order to continue to do the business as usual and successfully.
Information security is there to support business goals & objectives and not to become an impediment in doing so. Not only just the IT and business staff but every employee in an organization be a security guard, cleaner, contract staff deals with one or the other type of information be it in:
– Information systems
– E-mails or postal mails
– Electronic records or Physical documents (e.g. printed papers)
– Storage media (e.g. USBs/disks, memory cards etc.)
– Or even the information transmitted while in verbal conversation (over phone calls, even while talking to someone in an elevator)
So it is evident that securing information is the responsibility for every employee in the organization and not just the Information Security Department.
Misuse or mishandling of information not only can result in personal trauma or job loss or personal or organization’s reputational damage, It can also make the organization liable to law suits, regulatory sanctions etc.
So what should be the basis for determining:
– How to classify information?
– Which information to secure?
– What should be the basis to secure it?
– What is the value of information?
– How much to spend in securing information?
So if we understand and can help employees understand the meaning of CIA, will they be in better position to take an intelligent decision while handling Confidential , Restricted, Public and information pertaining to internal use of the organization? Let us explore.
What is CIA?
CIA triad in information security or cyber security space stands for Confidentiality, Integrity and Availability of information and it helps answering above questions.
Confidentiality: Is to protect information from accidental or malicious disclosure.
Integrity: Is to protect information from accidental or intentional (malicious) modification.
Availability: Is to making sure that information is available to those who need it and when they need it.
Why do we need CIA as a basis for Information security?
There is enormous amount of information:
– Flowing through network of networks. [In Transit]
– Stored on to cloud, personal and other devices. [In Storage]
– Being processed by various systems and sub-systems. [In Process]
During its lifecycle the information is passing through many stages and many hands handling it. Hence It is not feasible for any organization to protect all the information from accidental or intentional disclosure, modification or deletion.
Therefore a ‘wise decision’ must be made to invest just enough money to implement various controls in order to protect the information assets based on the priority of their criticality and sensitivity.
That is the reason we must know how to classify information based on their Confidentiality, Integrity and Availability needs to make that wise decision and help organization achieve its business objectives..
Why CIA is important?
To protect an organization’s information assets it is essential for every employee to understand what CIA is? And how they can contribute to achieve CIA for the information they are handling and can help achieve the organizational goals and objectives.
Information is the key to the success for every organization today. Appropriately maintaining the Confidentiality, Integrity and Availability of information thus becomes crucial in today’s business environment because once in wrong hands, not only it can jeopardize the day to day business operation or achieving business objectives it could also threaten the very existence of the organization.
How CIA can be achieved?
The first step before information is weighed against CIA is to classify the information. Once information classification has taken place it becomes easier for the information handler to decide whether the information is required to be protected or not, or if yes to what level?
Why each employee in an organization must know the CIA Triangle?
Confidentiality: E.g. Encryption
In a simplest form, for example if you encrypt a message “I LOVE CYBER” with an encryption key ‘2’ (for example by adding 2 to each character) in to “K NQXG EADGT” and provided only the person who knows the key can read this message (by reducing 2 from the message) and no one else, you can protect the information from being disclosed or revealed to the adversary.
Integrity : E.g. Digital Hash, Digital signature
Once you have received the message “K NQXG EADGT”, you used your encryption key and unencrypted the message to “I LOVE CYBER” but the question is, how do you ensure that the message actually sent was “I LOVE CYBER” and not anything else (i.e. the integrity of the information is intact).
So in order to achieve the integrity if you can use a formula (i.e. hash formula) which derives fixed output (e.g. 3452) for the same input (“I LOVE CYBER”) every time it is used, the same can be used to validate that the message is same as the one sent. So the receiver of the message can use the same formula which sender used to generate the unique hash value and if both matches the integrity is achieved.
Availability : E.g. Load balancing , RAID
If one server on which your application is hosted fails you fail over to another connected server so that information processing is not interrupted. Similarly if you are using RAID( Redundant Array of Independent Disks), it gives you a flexibility to switchover to another back up disk in case of failure of one.
Above examples give a warranty that the information will always be available to authenticated user whenever requested even in case of failure of one system or part of it hence maintaining the availability.
And remember at the end, the goal is to always make sure that every employee in the organization is able to take a cognitive decision to protect the information they’re handling while performing their job role and day to day responsibilities, to ensure that they are able to design, develop, deploy and dispose systems in a way it protects the confidentiality, integrity and availability of information.
If they understand the basic principles of security, they will be able to design and develop systems that seeks to minimize the vulnerabilities and reduce the attack surface of systems being used by the organization.