© 2013 Margaret Hillary. All rights reserved.
Securing data is the foundation of information security, and its principal elements rest on a model of three core tenets: Confidentiality, Integrity, and Availability. This model, known as the CIA Triad, protects information and data stored on hardware, in software, and on the World Wide Web from danger. Because the computer industry is persistently evolving, the CIA triangle has been extended; this has developed into seven distinct expansions contained within the CIA model.
Availability means that validated users can reach information, applications, and/or systems at their convenience, free from constraints or hindrances. Expressed as an extent of time, availability is comprised of seven measured components: Uptime, Downtime, Availability, Mean Time To Failure (MTTF), Mean Time To Repair (MTTR), and Recovery Time Objective (RTO), which calculate the segments of time for which availability is accounted. When a computer account is logged into, the system requires an authentic login and password for entry into a specific partitioned user account; this grants permission to all files, documents, pictures, media, etc. saved on the hard drive. Availability must be quantified and tracked in order to be maintained. Network devices, computers, and applications ought to possess and provide a sufficient measure of availability for authorized users.
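To show how the time components named above are actually quantified and tracked, here is an added example (not part of the original essay) that computes uptime, downtime, availability, MTTF and MTTR from a constructed outage log for a 30-day window and flags any outage whose repair exceeded an assumed one-hour RTO. The outage records, the window, and the RTO value are all sample assumptions.

```python
from datetime import datetime, timedelta

# Constructed outage log for one month (sample data, not from the page):
# each record is (outage start, service restored).
OUTAGES = [
    (datetime(2013, 6, 3, 2, 0), datetime(2013, 6, 3, 2, 30)),     # 30-minute outage
    (datetime(2013, 6, 17, 14, 0), datetime(2013, 6, 17, 16, 0)),  # 2-hour outage
]
PERIOD_START = datetime(2013, 6, 1)
PERIOD_END = datetime(2013, 7, 1)   # 30-day measurement window (assumed)
RTO = timedelta(hours=1)            # assumed recovery time objective


def total_downtime(outages):
    """Downtime: the sum of all outage durations in the window."""
    return sum((end - start for start, end in outages), timedelta())


def total_uptime(outages, period_start, period_end):
    """Uptime: the window length minus downtime."""
    return (period_end - period_start) - total_downtime(outages)


def availability_percent(outages, period_start, period_end):
    """Availability as the percentage of the window during which the service was usable."""
    window = period_end - period_start
    return 100.0 * (total_uptime(outages, period_start, period_end) / window)


def mttr(outages):
    """Mean Time To Repair: average duration of an outage."""
    if not outages:
        return timedelta()
    return total_downtime(outages) / len(outages)


def mttf(outages, period_start, period_end):
    """Mean Time To Failure: average operating time per failure in the window."""
    if not outages:
        return period_end - period_start
    return total_uptime(outages, period_start, period_end) / len(outages)


def rto_violations(outages, rto):
    """Outages whose repair took longer than the recovery time objective."""
    return [(start, end) for start, end in outages if end - start > rto]


def availability_report(outages=OUTAGES, period_start=PERIOD_START,
                        period_end=PERIOD_END, rto=RTO):
    """All tracked components in one place, as an operator would report them."""
    return {
        "uptime": total_uptime(outages, period_start, period_end),
        "downtime": total_downtime(outages),
        "availability_percent": round(availability_percent(outages, period_start, period_end), 4),
        "mttf": mttf(outages, period_start, period_end),
        "mttr": mttr(outages),
        "rto_violations": rto_violations(outages, rto),
    }


if __name__ == "__main__":
    for name, value in availability_report().items():
        print(f"{name}: {value}")
```

With the constructed log, 2.5 hours of downtime in a 720-hour month gives roughly 99.65% availability; the two-hour outage is the one that breaches the assumed RTO and is the kind of event a tracking process should escalate.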
Accuracy is the state of precision in which all information remains free of error and holds the value the target audience expects. At times I create web pages in website-building software. Once I have saved, completed, and posted a page, I expect accuracy when I return to view it again: the webpage has kept its value by remaining free from error (or, in my case, free from hacking intrusions), appearing exactly as I required it to. Accuracy must preserve the state that was initially intended, free of any additions or flaws.
Authenticity holds when data, transactions, communications, and/or documents are legitimate and the information they produce is bona fide. Suppose I receive an email from a friend, which I believe is authentic because the sender’s name appears in my inbox. The email turns out to be a spoof: the attacker has forged the sender field with my friend’s email address in hopes of deceiving me into opening it. Once it is opened, the malicious payload is triggered and can propagate malware through my email and/or computer. Ensuring authenticity means a state free from deceit, and thus free from this kind of security intrusion.
Confidentiality ensures information is private, permitting access only to authorized user(s). It is the act of protecting data through security controls that reduce breaches by safeguarding information such as “individual data, business intellectual property, or national security for countries and governments” (Hutchison, 2009). Suppose my boss requests an email about my recent client acquisition, for which I need to provide company-sensitive information. If I accidentally send the email to my mother instead of my boss, I cause an unintentional exposure of classified data; inadvertently, I have compromised my company, which could provoke an unfavorable consequence. This sort of mistake can be avoided through protected data caches, data classification, common security policies, and ensuring that data guardians and target audiences are properly educated. Social engineering is another prime example of a breach in confidentiality: tactics such as shoulder surfing or social engineering can dupe an unwitting person into disclosing sensitive data. Thwarting such vulnerabilities through security awareness training (SAT) for personnel, data encryption, and strict access controls (such as role-based access) can mitigate confidentiality breaches.
Data that remains pristine and intact possesses Integrity – the very foundation of information security. Without integrity, data holds no value and cannot be confirmed. Once data is breached, modified, or rendered inaccurate, its integrity has been compromised. Viruses and worms are one recognizable source of integrity corruption. Because corruption can occur while data is being transmitted or stored, I can identify it through file hashing, which computes a hash value for my file and records that number against it. Once the file’s hash has been recorded, I can check the file’s integrity later: if the number returns different for the same file, then my file has been compromised and no longer holds its legitimate and precise state.
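The hash check described above, as an added example that is not part of the original essay: a baseline SHA-256 is recorded for a constructed web page at publish time, and the page is re-checked later. The example also shows the caveat a practitioner should know: a plain hash only detects a change if the recorded number itself is trustworthy, so if whoever altered the file can also overwrite the stored hash, the check passes; a keyed hash (HMAC) under a secret the checker keeps elsewhere closes that gap. The page contents and the key are sample assumptions.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed sample file contents (not from the page).
ORIGINAL_PAGE = b"<html><body><h1>Welcome</h1></body></html>\n"
TAMPERED_PAGE = b"<html><body><h1>Welcome</h1><iframe src='x'></iframe></body></html>\n"
# Assumed secret shared only with the integrity checker; keep it outside the web root.
INTEGRITY_KEY = b"example-key-do-not-reuse"


def hash_bytes(data):
    """The number a plain hash assigns to a file's content."""
    return hashlib.sha256(data).hexdigest()


def hash_file(path, chunk_size=65536):
    """Same number, computed from a file on disk in chunks so large files fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_file_roundtrip(data):
    """Write data to a temp file and confirm the on-disk hash equals the in-memory hash."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(data)
        path = tmp.name
    try:
        return hash_file(path) == hash_bytes(data)
    finally:
        os.remove(path)


def integrity_intact(data, recorded_hash):
    """Recompute and compare: a different number means the content changed."""
    return hmac.compare_digest(hash_bytes(data), recorded_hash)


def keyed_hash(data, key=INTEGRITY_KEY):
    """HMAC-SHA256: cannot be recomputed by someone who alters the file but lacks the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def keyed_integrity_intact(data, recorded_mac, key=INTEGRITY_KEY):
    """Constant-time comparison of the recomputed HMAC against the recorded one."""
    return hmac.compare_digest(keyed_hash(data, key), recorded_mac)


def demo():
    """Record a baseline at publish time, then re-check the page later."""
    baseline = hash_bytes(ORIGINAL_PAGE)
    baseline_mac = keyed_hash(ORIGINAL_PAGE)
    return {
        "original_ok": integrity_intact(ORIGINAL_PAGE, baseline),
        "tampered_ok": integrity_intact(TAMPERED_PAGE, baseline),
        # Caveat: if the stored plain hash is replaced along with the file, the check passes...
        "tampered_with_replaced_hash": integrity_intact(TAMPERED_PAGE, hash_bytes(TAMPERED_PAGE)),
        # ...but a recorded HMAC cannot be recomputed without the key, so the keyed check fails.
        "tampered_keyed_ok": keyed_integrity_intact(TAMPERED_PAGE, baseline_mac),
        "tampered_with_forged_mac": keyed_integrity_intact(TAMPERED_PAGE, hash_bytes(TAMPERED_PAGE)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

In practice the recorded hashes live somewhere the web server cannot write (a separate host, a signed manifest, or a read-only store), and a scheduled job re-hashes the published files and alerts on any mismatch.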
Utility covers data or information that is beneficial to the target audience; it arises once value is established for a specific purpose of use. The programming code held in the file manager of my programming software has utility because of its relevance to website development. Any code not kept in that file manager is extraneous, so I do not (and cannot) use it in my website development. I can only use code that is valuable to the end result of my website, and that code therefore holds utility.
Possession is retaining proprietorship or dominion over data or information. Tightly coupled with confidentiality, any violation of confidentiality directly results in a violation of possession; however, the reverse is not always true. Suppose an employee quits their job and decides to steal client-sensitive data to sell to the competition. If the data on the backups is encrypted, confidentiality remains intact because the data is indecipherable. Because all the data was encrypted, the employee breached only possession, not confidentiality.
These fundamental policies are the cornerstone of a solid foundation for any computer security concern. In the ever-evolving environment of computer technology, protection from malicious events, whether fortuitous or contrived, is vital. Establishing a more complex and dynamic policy has fortified the very basis of information assets, ensuring protection against threats for data and users collectively.
Hutchison, Dan (2009). “Introduction to Information Security.” Arapaho Internet Server at Northeastern State University. http://arapaho.nsuok.edu/~hutchisd/IS_4853/C6572_01.pdf
Kim, D. and Solomon, M. (2012). Fundamentals of Information System Security. Jones & Bartlett Learning. eText: ISBN-10 1-4496-4248-9
Image provided by Dan Hutchison.