- Introduction
- Basic Security Principles
- Data Management: Determining and Maintaining Ownership
- Data Governance Policies
- Roles and Responsibilities
- Data Ownership
- Data Custodians
- Data Documentation and Organization
- Data Warehousing
- Data Mining
- Knowledge Management
- Data Standards
- Data Lifecycle Control
- Data Audits
- Data Storage and Archiving
- Data Security, Protection, Sharing, and Dissemination
- Privacy Impact Assessment
- Information Handling Requirements
- Record Retention and Destruction
- Data Remanence and Decommissioning
- Classifying Information and Supporting Asset Classification
Basic Security Principles
Confidentiality, integrity, and availability (CIA) are the basic building blocks of any good security program. When defining the goals for network, asset, information, and/or information system security, the term CIA triad is commonly used to refer to these concepts. Although the abbreviation CIA might not be as intriguing as the U.S. government’s spy organization, it is a concept that security professionals must know and understand.
Confidentiality addresses the secrecy and privacy of information and the need to prevent unauthorized persons from viewing sensitive information. A number of controls are used in the real world to protect the confidentiality of information, such as locked doors, armed guards, and fences. Administrative controls that can enhance confidentiality include the use of information classification systems, such as requiring that sensitive data be encrypted. For example, news reports have detailed several large-scale breaches in confidentiality as a result of corporations misplacing or losing laptops, data, and even backup media containing customer account, name, and credit information. The simple act of encrypting this data could have prevented or mitigated the damage. Sending information in an encrypted format denies attackers the opportunity to intercept and sniff plaintext information. The Organization for Economic Co-operation and Development (OECD) specifies that personal data should be limited and provides guidelines for ensuring privacy and confidentiality.
Integrity has to do with accuracy of information and offering users a high degree of confidence that the information they are viewing has not been tampered with. The integrity of data must be protected while the data is in storage, at rest, and in transit. It is important to ensure that unauthorized users have not made any changes and authorized users have not made inappropriate changes. Data in storage can be protected through the use of access controls and audit controls. Cryptography and hashing algorithms can enhance this protection. Cryptography tools include programs such as HashTools, HashCheck, and PowerShell. Likewise, integrity in transit can be ensured primarily through the use of these tools in combination with protocols and frameworks such as public key infrastructure (PKI), digital signatures, and asymmetric algorithms.
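The following is an added example, not code from the book, of using hashing to protect data in storage: it records a SHA-256 baseline for a directory, seals that baseline with an HMAC so the record itself cannot be silently rewritten, and later reports modified, removed, and added files. The function names, the key, and the sample files are all constructed for illustration.

```python
import hashlib, hmac, json, tempfile
from pathlib import Path

def build_manifest(root: Path, key: bytes) -> dict:
    """Record a SHA-256 digest per file, then seal the record with HMAC-SHA256."""
    digests = {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
               for p in sorted(root.rglob("*")) if p.is_file()}
    body = json.dumps(digests, sort_keys=True).encode()
    return {"files": digests, "seal": hmac.new(key, body, hashlib.sha256).hexdigest()}

def verify(root: Path, manifest: dict, key: bytes) -> dict:
    """Return which files were modified, removed or added since the baseline."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    # Constant-time comparison; a bad seal means the baseline cannot be trusted.
    if not hmac.compare_digest(expected, manifest["seal"]):
        raise ValueError("manifest seal invalid: baseline itself was altered")
    current = build_manifest(root, key)["files"]
    base = manifest["files"]
    return {
        "modified": sorted(f for f in base if f in current and current[f] != base[f]),
        "removed": sorted(f for f in base if f not in current),
        "added": sorted(f for f in current if f not in base),
    }

def demo() -> dict:
    """Run the check over constructed sample files in a temporary directory."""
    key = b"constructed-demo-key"  # assumption: a real key is stored off the monitored host
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "accounts.csv").write_bytes(b"id,balance\n1,100\n")
        (root / "policy.txt").write_bytes(b"retain 7 years\n")
        (root / "notes.txt").write_bytes(b"draft\n")
        manifest = build_manifest(root, key)
        (root / "accounts.csv").write_bytes(b"id,balance\n1,900\n")  # inappropriate change
        (root / "notes.txt").unlink()
        (root / "new.txt").write_bytes(b"unexpected\n")
        report = verify(root, manifest, key)
        # Updating a recorded digest without the key leaves the old seal invalid.
        forged = {"files": dict(manifest["files"]), "seal": manifest["seal"]}
        forged["files"]["accounts.csv"] = hashlib.sha256(b"id,balance\n1,900\n").hexdigest()
        try:
            verify(root, forged, key)
            report["forged_manifest_rejected"] = False
        except ValueError:
            report["forged_manifest_rejected"] = True
        return report

if __name__ == "__main__":
    print(demo())
```

A plain list of hashes stored beside the data only detects changes by someone who cannot also edit the list; the keyed seal is what covers that case.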
Availability refers to the need for information and systems to be available when needed. Although many people think of availability only in electronic terms, availability also applies to physical access. If, at 2 a.m., you need access to backup media stored in a facility that allows access only from 8 a.m. to 5 p.m., you have an availability problem. Availability in the world of electronics can manifest in many ways. 24x7 access to a backup facility does little good if there are no updated backups to restore from and the original copies have been encrypted with ransomware.
Keeping backups is a good way to ensure availability. A backup provides a copy of critical information that can be reinstated if data is destroyed or equipment fails. Using failover equipment is another way to ensure availability. Systems such as redundant arrays of independent disks (RAID) and redundant sites (which can be hot, cold, or warm sites) are two other examples. Disaster recovery is tied closely to availability because it’s all about getting critical systems up and running quickly.
Which part of the security triad is considered most important? It depends. In different organizations with different priorities, one part might be more important than the other two. For example, your local bank might consider integrity the most important, an organization responsible for data processing might see availability as the primary concern, and an organization such as a healthcare records clearing agency might value confidentiality the most.
Even though this book refers to the triad as CIA, others might refer to it as AIC or as CAIN (where the N stands for nonrepudiation).
Security management does not stop at CIA. These are but three of the core techniques that apply to asset security. True security requires defense in depth. In reality, many techniques are required to protect the assets of an organization; take a moment to look over Figure 2-1.
FIGURE 2-1 Asset Protection Triad