The CIA Triad – Assurance on Information Security

Information systems are the lifeblood of any large business. As in years past, computer systems do not merely record business transactions, but actually drive the key business processes of the enterprise. In such a scenario, senior management and business managers do have concerns about information systems. The purpose of IS audit is to review and provide feedback, assurances and suggestions. These concerns can be grouped under three broad heads, i.e. Confidentiality, Integrity and Availability of Data.
The CIA triad is a well-known model in information security development. It is applied in various situations to identify problems or weaknesses and to establish security solutions. In this context, confidentiality is a set of rules that limits access to information, integrity is the assurance that the information is trustworthy and accurate, and availability is a guarantee of ready access to the information by authorized people. The model is sometimes known as the CIA triad.
Why are these three elements important? While a business’ assets may be measured in terms of its employees, buildings or cash on hand, the vast majority of its assets are stored in the form of information, whether it is electronic data or written documents. If this information is disclosed to unauthorized individuals, is inaccurate or deceptive, or is not available when required, the business may suffer significant harm such as the loss of customer confidence, contract damages, regulatory fines and restrictions, or a reduction in market share. In the worst case, a failure to control information could lead to significant financial losses or regulatory restrictions on the ability to conduct business.
Confidentiality: It refers to preventing the disclosure of information to unauthorized individuals or systems. Privacy or the ability to control or restrict access so that only authorized individuals can view sensitive information. One of the underlying principles of confidentiality is “need-to-know” or “least privilege”. In effect, access to vital information should be limited only to those individuals who have a specific need to see or use that information. Confidentiality is necessary for maintaining the privacy of the people whose personal information a system holds.
For example, a credit card transaction on the Internet requires the credit card number to be transmitted from the buyer to the merchant and from the merchant to a transaction processing network. The system attempts to enforce confidentiality by encrypting the card number during transmission, by limiting the places where it might appear (in databases, log files, backups, printed receipts, and so on), and by restricting access to the places where it is stored. If an unauthorized party obtains the card number in any way, a breach of confidentiality has occurred.
Integrity: Information is accurate and reliable and has not been subtly changed or tampered with by an unauthorized party. Integrity includes:
  • Authenticity: The ability to verify content has not changed in an unauthorized manner.
  • Non-repudiation & Accountability: The origin of any action on the system can be verified and associated with a user.
The term Integrity is used frequently when considering Information Security as it is represents one of the primary indicators of security (or lack of it). The integrity of data is not only whether the data is ‘correct’, but whether it can be trusted and relied upon. Integrity involves maintaining the consistency, accuracy, and trustworthiness of data over its entire life cycle. Data must not be changed in transit, and steps must be taken to ensure that data cannot be altered by unauthorized people.
For example, making copies (say by e-mailing a file) of a sensitive document, threatens both confidentiality and the integrity of the information. Why? Because, by making one or more copies, the data is then at risk of change or modification.
Availability: For any information system to serve its purpose, the information must be available when it is needed. This means that the computing systems used to store and process the information, the security controls used to protect it, and the communication channels used to access it must be functioning correctly. High availability systems aim to remain available at all times, preventing service disruptions due to power outages, hardware failures, and system upgrades. Ensuring availability also involves preventing denial-of-service attacks. Assurance that the systems responsible for delivering, storing and processing information are accessible when needed, by those who need them.
It is important to note that confidentiality, integrity and availability are not the exclusive concern of information security. Business continuity planning places a significant emphasis on protecting the availability of information as part of the overall objective of business recovery. Common back office procedures, such as maker/checker, quality assurance, change control, etc. along with such regulatory areas as SOX 404(SOX or Sarbanes-Oxley Act is nothing but the USA version of Clause 49) focus on ensuring the integrity of information.
CIA Risks Controls/Remedy Primary Focus
Confidentiality Loss of privacy. Unauthorized access to information.Identity Theft Encryption, Authentication, Access controls Information Security
Integrity Information is no longer reliable or accurate. Fraud Maker/Checker,Quality Assurance, Audit Logs Operational Controls
Availability Business disruption, Loss of customer confidence, Loss of revenue BCP Plans and Tests, Back-up storage, Sufficient capacity Business Continuity Planning
Applicability of CIA Triad made easy
The CIA Triad is entirely concerned with information. While this is the core factor of most IT security, it promotes a limited view of security that tends to ignore some additional, important factors. For instance, while Availability might serve to ensure that one does not lose access to resources, one need to provide information when it is needed, thinking about information security in and of itself in no way guarantees that someone else isn’t making unauthorized use of your hardware resources.
It can be concluded that the fulfillment of the CIA principles and the compliance with the goal of information security is not a goal with a clear end but an open goal that continually changes with time and the development of technology, the means of information security and the emergence of new threats and vulnerabilities. Lasting efforts must be exerted to maintain the confidentiality, integrity and availability of information, it is not possible to take some precautions and declare that the CIA triad is fulfilled and that nothing more should be done.
Moreover, it can be deduced that efforts ought to be exerted not only by information security professionals, but by employees and all holders of confidential information to safeguard the CIA principles.
Sources:

  • Information Systems Audit – Ron Weber

Business Continuity Planning – An Overview


Business and enterprises of today depend heavily on information and communication technology (ICT) to conduct business. The ICT plays a central role in the operation of the business activities. This dependence on the systems means that all enterprises should have contingency plans for resuming operations of the business activities. For example, the stock market is virtually paperless. Banks and financial institutions have become online, where the customers rarely need to set foot in the branch premises. This dependence on the systems means that all enterprises should have contingency plans for resuming operations from disruption.

This disruption of business operations can be due to unforeseen man-made or natural disaster that mat result into revenue loss, productivity loss and loss of market share among many other impacts. Thus enterprises have to take necessary steps to ensure the continuity of operation in the event of disruptions.
Business continuity is the activity performed by an organization to ensure that critical business functions will be available to customers, suppliers, regulators, and other entities that must have access to those functions. These activities include many daily chores such as project management, system backups, change control, and help desk. Business continuity is not something implemented at the time of a disaster; Business Continuity refers to those activities performed daily to maintain service, consistency, and recoverability.
The objective of a Business Continuity Plan (BCP) is to enable an organization to continue to operate through an extended loss of any of its business premises or functions. The fundamental aim of BCP is to:
·         Manage the risks which could lead to disastrous events.
·         Reduce the time taken to recover when an incident occurs and,
·         Minimize the risks involved in the recovery process.
The foundation of business continuity are the standards, program development, and supporting policies; guidelines, and procedures needed to ensure a firm to continue without stoppage, irrespective of the adverse circumstances or events. All system design, implementation, support, and maintenance must be based on this foundation in order to have any hope of achieving business continuity, disaster recovery, or in some cases, system support. Business continuity is sometimes confused with disaster recovery, but they are separate entities. Disaster recovery is a small subset of business continuity. It is also sometimes confused with Work Area Recovery (due to loss of the physical building which the business is conducted within); which is but a part of business continuity.
Steps in constructing an effective BCP:
 
 

 
 
1.       Document internal key personnel and backups. These are people who fill positions without which a business absolutely cannot function – make this list as large as necessary but as small as possible.
·         Consider which job functions are critically necessary, every day. Think about who fills those positions when the primary job-holder is on vacation.
·         Create a list of all those individuals with all contact information including business phone, home phone, cell phone, business email, personal email, and any other possible way of contacting them in an emergency situation where normal communications might be unavailable.
2.       Identify who can telecommute. Some people in an organization might be perfectly capable of conducting business from a home office. Find out those who can and who cannot work from home.
3.       Document external contacts. If an organization has critical vendors or contractors, then build a special contact list that includes a description of the organization and any other absolutely critical information about them including key personnel contact information.
·         Include in the list people like attorneys, bankers, IT consultants etc anyone that you might need to call to assist with various operational issues.
·         Don’t forget utility companies, municipal and community offices (police, fire, water, hospitals) and the post office.
4.       Document critical equipment. Personal computers often contain critical information
·         Some businesses cannot function even for a few hours without a fax machine. Does the company rely heavily on the copy machine? Does the company have special printers that it absolutely must have?
·         Don’t forget software – that would often be considered critical equipment especially if it is specialized software or if it cannot be replaced.
5.       Identify critical documents. Articles of incorporation and other legal papers, utility bills, banking information, critical HR documents, building lease papers, tax returns. You need to have everything available that would be necessary to start your business over again. Critical Documents would include loan payment schedules, email services bill payments etc
6.       Identify contingency equipment options. If your company uses trucks, and it is possible the trucks might be damaged in a building fire, where would you rent trucks? Where would you rent computers? Can you use a business service outlet for copies, fax, printing, and other critical functions?
7.       Identify your contingency location. This is the place where the company would conduct business while the primary offices are unavailable.
·         It could be a hotel – many of them have very well-equipped business facilities you can use. It might be one of the company’s contractors’ offices, or its attorney’s office.
·         Telecommuting for everyone is a viable option.
·         If you do have an identified temporary location, include a map in your BCP. Wherever it is, make sure you have all the appropriate contact information (including people’s names).
8.       Make a “How-to”. It should include step-by-step instructions on what to do, who should do it, and how.
9.       List each responsibility and write down the name of the person assigned to it. Also, do the reverse: For each person, list the responsibilities. That way, if you want to know who is supposed to call the insurance company, you can look up “Insurance
10.   Put the information together! A BCP is useless if all the information is scattered about in different places. A BCP is a reference document – it should all be kept together in something like a 3-ring binder.
·         Make plenty of copies and give one to each of your key personnel.
·         Keep several extra copies at an off-site location, at home and/or in a safety-deposit box.
11.   Communicate. Make sure everyone in the company knows the BCP. Hold mandatory training classes for each and every employee whether they are on the critical list or not. You do not want your non-critical staff driving through an ice storm to get to a building that has been damaged by fire then wondering what to do next.
12.   Test the plan! You’ve put really good ideas down, accumulated all your information, identified contingency locations, listed your personnel, contacts and service companies, but can you pull it off?
·         Pick a day and let everyone know what’s going to happen (including your customers, contractors and vendors); then on that morning, act as though your office building has been destroyed. Make the calls – go to the contingency site.
·         One thing you will definitely learn in the test is that you haven’t gotten it all just exactly right. Don’t wait until disaster strikes to figure out what you should do differently next time. Run the test.
·         If you make any major changes, run it again a few months later. Even after you have a solid plan, you should test it annually.
13.   Plan to change the plan. No matter how good your plan is, and no matter how smoothly your test runs, it is likely there will be events outside your plan. The hotel you plan to use for your contingency site is hosting a huge convention. You can’t get into the bank because the disaster happened on a banking holiday. The power is out in your house. The copy machine at the business services company is broken. Your IT consultant is on vacation.
·         Every time something changes, update all copies of your BCP.
Never let it get out of date. An out-of-date plan can be worse than useless: it can make you feel safe when you are definitely not safe.