Security Concepts of Information Assurance

CIA

The CIA Triad - Confidentiality, Integrity and Availability

  1. Confidentiality - Confidentiality relates to permitting authorized access to information, while at the same time protecting information from improper disclosure.

    1. The security professional’s obligation is to regulate access—protect the data that needs protection, yet permit access to authorized individuals.

    2. PII - personally identifiable information - any data about an individual that could be used to identify them.

    3. PHI - protected health information - information about an individual's health status, care or payment for care (in the US, regulated under HIPAA).

    4. Sensitivity - a measure of the importance assigned to information by its owner, used to indicate how much protection it needs.

  2. Integrity - Integrity is the property of information whereby it is recorded, used and maintained in a way that ensures its completeness, accuracy, internal consistency and usefulness for a stated purpose.

    1. Integrity measures the degree to which something is whole and complete, internally consistent and correct.

    2. Data integrity is the assurance that data has not been altered in an unauthorized manner.

    3. Data integrity covers data in storage, during processing and while in transit.

    4. System integrity refers to the maintenance of a known good configuration and expected operational function as the system processes the information.

    5. Integrity is a primary factor in the reliability of information and systems.

    6. The need to safeguard information and system integrity may be dictated by laws and regulations.

  3. Availability - Availability means that systems and data are accessible at the time users need them.

    1. Timely and reliable access to information and the ability to use it

    2. Timely and reliable access to data and information services for authorized users

    3. Data should be accessible to authorized users when and where it is needed and in the form and format required

    4. The systems and data meet the requirements of the business for timely and reliable access.
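The data-integrity points in the Integrity section above (an integrity check that covers a record in storage and in transit, and detects unauthorized alteration), as an added example that is not part of these notes. It assumes records are small JSON-serialisable dicts and that the verifying system holds a secret integrity key; the key and the sample record are constructed for the example. It also shows why an unkeyed hash stored beside the data is not enough: anyone who can modify the record can recompute the hash to match, whereas recomputing a keyed tag requires the key.

```python
"""Integrity tag for a stored record.

Added example, not from the notes.  Assumes records are small
JSON-serialisable dicts and that the verifying system holds a secret
integrity key; the key and the sample record are constructed.
"""
import hashlib
import hmac
import json

# Constructed 32-byte key.  In production it is loaded from a secrets store
# or HSM and is never written next to the data it protects.
INTEGRITY_KEY = bytes.fromhex(
    "6b1e2c7a9f0d4e3b8c5a7d2f1e9b0c4a3d6f8e1b2c5a7d9f0e3b6c8a1d4f7e2b"
)


def canonical(record: dict) -> bytes:
    """Deterministic serialisation: the same content must always give the
    same bytes, regardless of key order, or tags would fail spuriously."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def unkeyed_digest(record: dict) -> str:
    """Plain SHA-256.  Detects accidental corruption, but anyone who can
    change the record can also recompute this value to match."""
    return hashlib.sha256(canonical(record)).hexdigest()


def integrity_tag(record: dict, key: bytes = INTEGRITY_KEY) -> str:
    """HMAC-SHA256 over the canonical form.  Recomputing it requires the key,
    so an unauthorized change is detected even when the attacker has full
    write access to the storage."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify_integrity(record: dict, tag: str, key: bytes = INTEGRITY_KEY) -> bool:
    """Constant-time comparison, so response timing does not leak how much
    of a forged tag was correct."""
    return hmac.compare_digest(integrity_tag(record, key).encode(), tag.encode())


def tamper(record: dict, **changes):
    """What an attacker with write access to the store can do: alter the
    record and refresh the unkeyed digest so the change looks legitimate.
    Returns the altered record and its recomputed unkeyed digest."""
    altered = {**record, **changes}
    return altered, unkeyed_digest(altered)


if __name__ == "__main__":
    record = {"account": "alice", "balance": 100}   # constructed sample
    tag = integrity_tag(record)
    altered, refreshed_digest = tamper(record, balance=1_000_000)
    print("unkeyed digest still matches after tampering:",
          refreshed_digest == unkeyed_digest(altered))
    print("keyed tag still verifies after tampering:",
          verify_integrity(altered, tag))
```

A keyed tag proves to the key holder that the record is unchanged, but because the key is shared between writer and verifier it does not establish which party produced the record; establishing that (non-repudiation) requires a digital signature made with a key that only the signer holds.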

Authentication - a process to prove the identity of the requestor.

When users have stated their identity, it is necessary to validate that they are the rightful owners of that identity. This process of verifying or proving the user's identification is authentication.

Authentication types:

  • Something you know: Passwords or passphrases

  • Something you have: Tokens, memory cards, smart cards

  • Something you are: Biometrics, measurable characteristics

Common techniques for authentication:

  • Knowledge-based

    • uses a passphrase or secret code to tell an authorized user from an unauthorized one

    • examples: a personal identification number (PIN), a password you created, or another secret value that only you know

  • Token-based

    • uses something the user possesses, such as a hardware token, memory card or smart card

  • Characteristic-based

    • uses a measurable characteristic of the user (biometrics), such as a fingerprint, face or voice

SFA - single-factor authentication

Using only one of the methods of authentication.

MFA - multi-factor authentication

Granting users access only after they successfully demonstrate two or more of the authentication methods. The factors must be of different types: a password plus a PIN are both something you know, so together they are still single-factor authentication.
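The authentication types and the MFA definition above, as an added example that is not code from these notes: a login check that requires something you know (a password, verified against a salted PBKDF2-HMAC-SHA256 hash) and something you have (a time-based one-time password, TOTP per RFC 6238, generated by an authenticator app from a secret enrolled on the user's device). The user store, the salt and the password are constructed for the example; the TOTP secret is the RFC 6238 test-vector key, so the codes it produces can be checked against the RFC.

```python
"""Two-factor login check: something you know plus something you have.

Added example, not from the notes.  The user store, salt and password
below are constructed for the example; the TOTP secret is the RFC 6238
test-vector key ("12345678901234567890").
"""
import hashlib
import hmac
import struct
import time
from typing import Optional

PBKDF2_ROUNDS = 100_000
TOTP_STEP = 30    # seconds each code is valid for
TOTP_DIGITS = 6
TOTP_WINDOW = 1   # also accept the previous and next step to absorb clock drift


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash so a stolen store cannot be cracked cheaply."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = TOTP_STEP) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step)


# Constructed user store.  A real system keeps this in a database, with the
# TOTP secret encrypted at rest, because it is a long-term shared secret.
_SALT = b"constructed-salt"
USERS = {
    "alice": {
        "salt": _SALT,
        "pw_hash": hash_password("correct horse battery staple", _SALT),
        "totp_secret": b"12345678901234567890",
    },
}


def check_password(user: dict, password: str) -> bool:
    """Factor 1, something you know."""
    candidate = hash_password(password, user["salt"])
    return hmac.compare_digest(candidate, user["pw_hash"])


def check_totp(user: dict, code: str, at: int) -> bool:
    """Factor 2, something you have: the device holding the TOTP secret."""
    current_step = at // TOTP_STEP
    for delta in range(-TOTP_WINDOW, TOTP_WINDOW + 1):
        expected = hotp(user["totp_secret"], current_step + delta)
        if hmac.compare_digest(expected.encode(), code.encode()):
            return True
    return False


def authenticate(username: str, password: str, code: str,
                 at: Optional[int] = None) -> bool:
    """Grant access only when BOTH factors verify.  One factor alone is SFA."""
    user = USERS.get(username)
    if user is None:
        return False
    at = int(time.time()) if at is None else at
    # Evaluate both factors before deciding, so the response time does not
    # tell an attacker which factor was wrong.
    password_ok = check_password(user, password)
    totp_ok = check_totp(user, code, at)
    return password_ok and totp_ok


if __name__ == "__main__":
    secret = USERS["alice"]["totp_secret"]
    now = int(time.time())
    print(authenticate("alice", "correct horse battery staple", totp(secret, now), now))
```

The window of one step either side is the usual trade-off between tolerating clock drift on the user's device and limiting how long an intercepted code stays usable; a real deployment would also record the last accepted step per user so a code cannot be replayed within the window.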

Non-repudiation

Defined as the protection against an individual falsely denying having performed a particular action.

Determines whether a given individual took a particular action, such as:

  1. created information

  2. approved information

  3. sent a message

  4. received a message

Privacy

The right of an individual to control the distribution of information about themselves.
