Information security
=== CIA triad ===

The "CIA triad" of '''''c'''onfidentiality, '''i'''ntegrity, and '''a'''vailability'' is at the heart of information security.<ref>{{cite web|last=Perrin|first=Chad|title=The CIA Triad|date=30 June 2008 |url=http://www.techrepublic.com/blog/security/the-cia-triad/488|access-date=31 May 2012}}</ref> The concept was introduced in the Anderson Report in 1972 and later repeated in ''[[The Protection of Information in Computer Systems]]''. The abbreviation was coined by Steve Lipner around 1986.<ref>{{Cite journal |last=Ham |first=Jeroen Van Der |date=2021-06-08 |title=Toward a Better Understanding of "Cybersecurity" |url=http://dx.doi.org/10.1145/3442445 |journal=Digital Threats: Research and Practice |volume=2 |issue=3 |pages=1–3 |doi=10.1145/3442445 |issn=2692-1626}}</ref> Debate continues about whether this triad is sufficient to address rapidly changing technology and business requirements, with recommendations to consider expanding on the intersections between availability and confidentiality, as well as the relationship between security and privacy.<ref name="SamonasTheCIA14" /> Other principles such as "accountability" have sometimes been proposed; it has been pointed out that issues such as [[non-repudiation]] do not fit well within the three core concepts.<ref name="NIST">{{cite web |title=Engineering Principles for Information Technology Security |year=2004 |url=http://csrc.nist.gov/publications/nistpubs/800-27A/SP800-27-RevA.pdf |publisher=csrc.nist.gov |doi=10.6028/NIST.SP.800-27rA |last1=Stoneburner |first1=G. |last2=Hayden |first2=C. |last3=Feringa |first3=A. |access-date=2011-08-28 |archive-date=2011-08-15 |archive-url=https://web.archive.org/web/20110815124528/http://csrc.nist.gov/publications/nistpubs/800-27A/SP800-27-RevA.pdf |url-status=dead }}</ref>

==== Confidentiality ====

In information security, [[confidentiality]] "is the property, that information is not made available or disclosed to unauthorized individuals, entities, or processes."<ref name="BeckersPattern15">{{cite book |author=Beckers, K. |url=https://books.google.com/books?id=DvdICAAAQBAJ&pg=PA100 |title=Pattern and Security Requirements: Engineering-Based Establishment of Security Standards |publisher=Springer |year=2015 |isbn=9783319166643 |page=100}}</ref> While similar to "privacy", the two words are not interchangeable. Rather, confidentiality is a component of privacy that is implemented to protect data from unauthorized viewers.<ref>{{Citation |last1=Fienberg |first1=Stephen E. |title=International Encyclopedia of Statistical Science |date=2011 |pages=342–345 |chapter=Data Privacy and Confidentiality |doi=10.1007/978-3-642-04898-2_202 |isbn=978-3-642-04897-5 |last2=Slavković |first2=Aleksandra B.}}</ref> Examples of the confidentiality of electronic data being compromised include laptop theft, password theft, and sensitive emails being sent to the wrong recipients.<ref name="AndressTheBasics14">{{cite book |author=Andress, J. |url=https://books.google.com/books?id=9NI0AwAAQBAJ&pg=PA6 |title=The Basics of Information Security: Understanding the Fundamentals of InfoSec in Theory and Practice |publisher=Syngress |year=2014 |isbn=9780128008126 |pages=240}}</ref>

==== Integrity ====

In IT security, [[data integrity]] means maintaining and assuring the accuracy and completeness of data over its entire lifecycle.<ref>{{cite journal |last=Boritz |first=J. Efrim |year=2005 |title=IS Practitioners' Views on Core Concepts of Information Integrity |journal=International Journal of Accounting Information Systems |publisher=Elsevier |volume=6 |issue=4 |pages=260–279 |doi=10.1016/j.accinf.2005.07.001}}</ref> This means that data cannot be modified in an unauthorized or undetected manner.<ref>{{Cite journal |last=Hryshko |first=I. |date=2020 |title=Unauthorized Occupation of Land and Unauthorized Construction: Concepts and Types of Tactical Means of Investigation |journal=International Humanitarian University Herald. Jurisprudence |issue=43 |pages=180–184 |doi=10.32841/2307-1745.2020.43.40 |issn=2307-1745 |doi-access=free}}</ref> This is not the same thing as [[referential integrity]] in [[databases]], although it can be viewed as a special case of consistency as understood in the classic [[ACID]] model of [[transaction processing]].<ref>{{Citation |last=Kim |first=Bonn-Oh |title=Referential Integrity for Database Design |date=2000-09-21 |work=High-Performance Web Databases |pages=427–434 |url=http://dx.doi.org/10.1201/9781420031560-34 |access-date=2021-05-29 |publisher=Auerbach Publications |doi=10.1201/9781420031560-34 |isbn=978-0-429-11600-1|url-access=subscription }}</ref> Information security systems typically incorporate controls to ensure their own integrity, in particular protecting the kernel or core functions against both deliberate and accidental threats.<ref>{{Cite journal |last=Pevnev |first=V. |date=2018 |title=Model Threats and Ensure the Integrity of Information |journal=Systems and Technologies |volume=2 |issue=56 |pages=80–95 |doi=10.32836/2521-6643-2018.2-56.6 |issn=2521-6643 |doi-access=free}}</ref> Multi-purpose and multi-user computer systems aim to compartmentalize data and processing so that no user or process can adversely affect another; these controls can fail, however, as incidents such as malware infections, intrusions, data theft, fraud, and privacy breaches show.<ref>{{Cite journal |last1=Fan |first1=Lejun |last2=Wang |first2=Yuanzhuo |last3=Cheng |first3=Xueqi |last4=Li |first4=Jinming |last5=Jin |first5=Shuyuan |date=2013-02-26 |title=Privacy theft malware multi-process collaboration analysis |journal=Security and Communication Networks |volume=8 |issue=1 |pages=51–67 |doi=10.1002/sec.705 |issn=1939-0114 |doi-access=free}}</ref> More broadly, integrity is an information security principle that involves human/social, process, and commercial integrity, as well as data integrity. As such it touches on aspects such as credibility, consistency, truthfulness, completeness, accuracy, timeliness, and assurance.<ref>{{Cite book |title=Measuring Data Quality for Ongoing Improvement |date=2013 |publisher=Elsevier |isbn=978-0-12-397033-6 |series=MK Series on Business Intelligence |pages=e11–e19 |chapter=Completeness, Consistency, and Integrity of the Data Model |doi=10.1016/b978-0-12-397033-6.00030-4 |access-date=2021-05-29 |chapter-url=http://dx.doi.org/10.1016/b978-0-12-397033-6.00030-4}}</ref>

==== Availability ====

For any information system to serve its purpose, the information must be [[availability|available]] when it is needed.<ref>{{Cite video |url=http://dx.doi.org/10.1117/12.2266326.5459349132001 |title=Video from SPIE - the International Society for Optics and Photonics |access-date=2021-05-29 |doi=10.1117/12.2266326.5459349132001}}</ref> This means the computing systems used to store and process the information, the [[security controls]] used to protect it, and the communication channels used to access it must all be functioning correctly.<ref>{{Cite journal |date=2005 |title=Communication Skills Used by Information Systems Graduates |journal=Issues in Information Systems |doi=10.48009/1_iis_2005_311-317 |issn=1529-7314 |doi-access=free}}</ref> [[High availability]] systems aim to remain available at all times, preventing service disruptions due to power outages, hardware failures, and system upgrades.<ref>{{Cite report |url=https://www.osti.gov/biblio/5083196/ |title=Outages of electric power supply resulting from cable failures Boston Edison Company system |date=1980-07-01 |doi=10.2172/5083196 |osti=5083196 |access-date=18 January 2022}}</ref> Ensuring availability also involves preventing [[denial-of-service attack]]s, such as a flood of incoming requests that exhausts the target system's capacity so that it can no longer serve legitimate users.<ref>{{Cite journal |last1=Loukas |first1=G. |last2=Oke |first2=G. |date=September 2010 |title=Protection Against Denial of Service Attacks: A Survey |url=http://staffweb.cms.gre.ac.uk/~lg47/publications/LoukasOke-DoSSurveyComputerJournal.pdf |url-status=dead |journal=[[The Computer Journal|Comput. J.]] |volume=53 |issue=7 |pages=1020–1037 |doi=10.1093/comjnl/bxp078 |archive-url=https://web.archive.org/web/20120324115835/http://staffweb.cms.gre.ac.uk/~lg47/publications/LoukasOke-DoSSurveyComputerJournal.pdf |archive-date=2012-03-24 |access-date=2015-08-28 |orig-year=August 2009}}</ref> In the realm of information security, availability can often be viewed as one of the most important parts of a successful information security program.{{Citation needed|date=June 2021}} Ultimately, end users need to be able to perform their job functions; by ensuring availability, an organization is able to perform to the standards that its stakeholders expect.<ref>{{Citation |title=Be Able To Perform a Clinical Activity |date=2020-02-02 |work=Definitions |publisher=Qeios |doi=10.32388/dine5x |s2cid=241238722|doi-access=free }}</ref> This can involve topics such as proxy configuration, outside web access, access to shared drives, and the ability to send email.<ref>{{Cite book |last1=Ohta |first1=Mai |title=2011 IEEE International Symposium on Dynamic Spectrum Access Networks (DySPAN) |last2=Fujii |first2=Takeo |date=May 2011 |publisher=IEEE |isbn=978-1-4577-0177-1 |pages=623–627 |chapter=Iterative cooperative sensing on shared primary spectrum for improving sensing ability |doi=10.1109/dyspan.2011.5936257 |chapter-url=http://dx.doi.org/10.1109/dyspan.2011.5936257 |s2cid=15119653}}</ref> Executives often do not understand the technical side of information security and regard availability as an easy fix, but it usually requires collaboration between many different organizational teams, such as network operations, development operations, incident response, and policy/change management.<ref>{{Citation |title=Information technology. Information security incident management |url=http://dx.doi.org/10.3403/30387743 |access-date=2021-05-29 |publisher=BSI British Standards |doi=10.3403/30387743|url-access=subscription }}</ref> A successful information security team involves many different key roles that must mesh and align for the CIA triad to be provided effectively.<ref>{{Citation |last=Blum |first=Dan |title=Identify and Align Security-Related Roles |date=2020 |work=Rational Cybersecurity for Business |pages=31–60 |place=Berkeley, CA |publisher=Apress |doi=10.1007/978-1-4842-5952-8_2 |isbn=978-1-4842-5951-1 |s2cid=226626983|doi-access=free }}</ref>
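The integrity subsection's requirement that data cannot be modified "in an unauthorized or undetected manner" separates two different failure modes: accidental corruption, which an unkeyed checksum catches, and deliberate modification by someone who can also rewrite the checksum, which only a keyed integrity check catches. The following Python script is an illustrative example added to this section; it is not code from the article or from any cited work. The payment record, the key, and the tampering scenario are all constructed for the example.

```python
"""Integrity controls: unkeyed hash versus keyed MAC (illustrative example)."""
import hashlib
import hmac

# Constructed sample record and constructed key (not from any real system).
RECORD = b"payee=ACME;amount=100.00;currency=USD"
KEY = b"constructed-demo-key-replace-in-production"


def tag_with_hash(record: bytes) -> bytes:
    """Unkeyed SHA-256 digest stored next to the record.

    Detects accidental corruption (disk or transmission errors) but not
    deliberate modification: whoever can rewrite the record can also
    recompute and rewrite the digest.
    """
    return hashlib.sha256(record).digest()


def tag_with_hmac(key: bytes, record: bytes) -> bytes:
    """HMAC-SHA256 over the record.

    Detects both accidental and deliberate modification by any party that
    does not hold the key, which is what "not modified in an unauthorized
    or undetected manner" requires.
    """
    return hmac.new(key, record, hashlib.sha256).digest()


def verify(tag_fn, record: bytes, tag: bytes) -> bool:
    """Constant-time comparison so the check itself does not leak the tag."""
    return hmac.compare_digest(tag_fn(record), tag)


def accidental_corruption(record: bytes) -> bytes:
    """Simulate a single flipped bit in transit or at rest."""
    corrupted = bytearray(record)
    corrupted[len(corrupted) // 2] ^= 0x01
    return bytes(corrupted)


def deliberate_tamper(record: bytes) -> bytes:
    """An attacker with write access to the store changes the amount."""
    return record.replace(b"amount=100.00", b"amount=9999.00")


def unkeyed_scenario() -> dict:
    """Outcome when only an unkeyed hash protects the record."""
    stored_tag = tag_with_hash(RECORD)

    # Bit flip: stored tag no longer matches, so the corruption is detected.
    corruption_detected = not verify(tag_with_hash, accidental_corruption(RECORD), stored_tag)

    # Attacker rewrites the record AND recomputes the hash: verification
    # passes, so the unauthorized change goes undetected.
    tampered = deliberate_tamper(RECORD)
    attacker_tag = tag_with_hash(tampered)
    tamper_detected = not verify(tag_with_hash, tampered, attacker_tag)

    return {"corruption_detected": corruption_detected, "tamper_detected": tamper_detected}


def keyed_scenario() -> dict:
    """Outcome when an HMAC under a key the attacker lacks protects the record."""
    def check(record: bytes) -> bytes:
        return tag_with_hmac(KEY, record)

    stored_tag = check(RECORD)
    corruption_detected = not verify(check, accidental_corruption(RECORD), stored_tag)

    # The attacker can change the record but cannot produce a valid tag:
    # re-using the old tag or computing HMAC under a guessed key both fail.
    tampered = deliberate_tamper(RECORD)
    forged_with_guessed_key = tag_with_hmac(b"guess", tampered)
    tamper_detected = (not verify(check, tampered, stored_tag)
                       and not verify(check, tampered, forged_with_guessed_key))

    return {"corruption_detected": corruption_detected, "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print("unkeyed hash:", unkeyed_scenario())
    print("HMAC-SHA256 :", keyed_scenario())
```

The unkeyed hash reports the bit flip but accepts the tampered record, because the attacker recomputed the digest; the HMAC rejects both, since producing a valid tag for the altered record requires the key. The same reasoning is why software distributions publish signatures rather than bare checksums alongside downloads.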
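The availability subsection describes a request flood as the typical denial-of-service attack. One standard admission control is a per-source token bucket: each client gets a small burst allowance and a sustained rate, so a single flooding source exhausts only its own allowance while other clients keep being served. The following Python simulation is an illustrative example added to this section, not code from the article or any cited work; the rate policy, client addresses and request stream are constructed, and time is simulated in integer milliseconds so the result is deterministic.

```python
"""Per-source token-bucket admission control (illustrative example)."""
from collections import defaultdict

# Constructed policy: each source may burst 10 requests, then sustain 5 per second.
BURST = 10
RATE_PER_SEC = 5
SCALE = 1000          # tokens tracked in thousandths so all arithmetic stays integer
COST = SCALE          # one request costs one whole token


class TokenBucket:
    def __init__(self, now_ms: int):
        self.tokens = BURST * SCALE   # a new bucket starts full
        self.last_ms = now_ms

    def allow(self, now_ms: int) -> bool:
        # Refill in proportion to elapsed time, never beyond the burst size.
        elapsed_ms = now_ms - self.last_ms
        self.tokens = min(BURST * SCALE, self.tokens + elapsed_ms * RATE_PER_SEC * SCALE // 1000)
        self.last_ms = now_ms
        if self.tokens >= COST:
            self.tokens -= COST
            return True
        return False


class PerSourceLimiter:
    """One bucket per client address: a flooder drains only its own bucket,
    so the capacity other clients rely on is preserved."""

    def __init__(self):
        self.buckets = {}

    def admit(self, source: str, now_ms: int) -> bool:
        bucket = self.buckets.get(source)
        if bucket is None:
            bucket = self.buckets[source] = TokenBucket(now_ms)
        return bucket.allow(now_ms)


def simulate(requests):
    """requests: (time_ms, source) pairs in time order.
    Returns {source: (admitted, dropped)}."""
    limiter = PerSourceLimiter()
    stats = defaultdict(lambda: [0, 0])
    for now_ms, source in requests:
        if limiter.admit(source, now_ms):
            stats[source][0] += 1
        else:
            stats[source][1] += 1
    return {source: tuple(counts) for source, counts in stats.items()}


def constructed_traffic():
    """Ten seconds of constructed traffic: a normal client at 2 requests/s
    and a flooding source at 200 requests/s."""
    legit = [(500 * i, "10.0.0.7") for i in range(20)]
    flood = [(5 * i, "198.51.100.9") for i in range(2000)]
    return sorted(legit + flood, key=lambda r: r[0])


if __name__ == "__main__":
    for source, (admitted, dropped) in simulate(constructed_traffic()).items():
        print(f"{source:>14}: admitted={admitted:4d} dropped={dropped:4d}")
```

With this policy the normal client has all 20 requests admitted, while the flooder gets its 10-request burst plus 5 per second for the remaining window and has the rest dropped. A limiter keyed on source address is only a first line of defence: a distributed flood from many addresses, or an attacker spoofing addresses, needs upstream filtering and capacity planning that a single host cannot provide on its own.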