The CIA Triad is a well-known model for developing policies and rules in the field of information security. It has nothing to do with the US intelligence agency that shares the acronym.
In this context, C stands for Confidentiality, i.e. the rules that allow or restrict access to information. I stands for Integrity, i.e. the rules that ensure information remains reliable throughout its life cycle. A stands for Availability, i.e. the rules and solutions that ensure reliable access to information when it is needed.
History of the CIA Triad
The concept of the CIA Triad took shape over time and has no single creator. "Confidentiality" appeared in a 1976 U.S. Air Force study. The concept of "Integrity" is found in a 1987 paper titled "A Comparison of Commercial and Military Computer Security Policies" by David Clark and David Wilson, which argued that commercial data processing needs methods to ensure the accuracy of data. For "Availability" there is no clear initial source, but the concept became well known in 1988, which was also the year when the three components were brought together to form the CIA Triad.
Confidentiality - ensures that access matches the right level of authorization. Authorization is assigned to users, applications or infrastructure components and controls what processing, storage or transfer of information each of them may perform. This presupposes, among other things, that the information (or the entire application, storage location, etc.) has been classified, and that technical controls and processes are in place to ensure that the authorization rules are followed both internally and externally. The rules cover applications, databases, storage locations, information transfer and so on, i.e. every part of the information system.
Information theft is today described as "the most expensive and fastest growing cybercrime." Stolen information can be used for anything from identity theft and fraud to corporate or state espionage and extortion, including ransomware attacks in which the attackers also threaten to publish the data they have stolen.
Integrity - ensures that data remains reliable throughout its life cycle. Personal data, for example, is subject to statutory requirements that it be accurate, complete and up to date, and that it be processed only for as long as necessary. Technical controls may also be needed to ensure that information is not modified incorrectly or without authorization; see Confidentiality above.
The value of information correlates directly with its accuracy. Incorrect underlying data leads to incorrect decisions. Incorrect information also increases uncertainty, which leads to extra checks downstream in processes, higher costs and slower processes.
Availability - rules or solutions that ensure reliable access to information when it is needed. To improve availability one can, for example, invest in redundant technical solutions, which keep the information accessible even if one component fails. Redundancy protects against component failure; availability must also survive deliberate attacks such as denial of service.
Why is the CIA Triad important?
Every part of the triad is a foundation of cyber security, and together they are considered the most important components of information security. The three parts should be seen as a cohesive system rather than as independent components. Viewed as a whole, they form a framework for establishing policies and rules in an organization. When evaluating requirements and needs (use cases or user stories) for new IT services, the CIA Triad helps to ask how value is created in each of these three key areas.
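The three definitions above (Confidentiality, Integrity, Availability) and the point that they work as one system can be shown in code. The following is an added example written for this page, not code from Cegal or from any product: a small record store in which a read is served only after all three checks pass. Confidentiality is a clearance-versus-classification check ("no read up"), integrity is an HMAC tag that binds the classification label to the payload, and availability is failover across replicas. The classification levels, key, record contents and replica behaviour are all constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Ordering of classification labels (assumption for this example). A subject
# may read a record only if its clearance is at least the record's level.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


class AccessDenied(PermissionError):
    """Confidentiality: the subject lacks clearance for the record."""


class IntegrityError(ValueError):
    """Integrity: the record's label or payload does not match its tag."""


class Unavailable(RuntimeError):
    """Availability: no replica could serve an intact copy of the record."""


@dataclass(frozen=True)
class Record:
    classification: str
    payload: bytes
    tag: bytes  # HMAC-SHA256 over classification and payload


def _mac(key: bytes, classification: str, payload: bytes) -> bytes:
    # The label is part of the MAC input, so relabelling a "confidential"
    # record as "public" is caught as an integrity violation.
    return hmac.new(key, classification.encode() + b"\x00" + payload, hashlib.sha256).digest()


def seal(key: bytes, classification: str, payload: bytes) -> Record:
    if classification not in LEVELS:
        raise ValueError(f"unknown classification {classification!r}")
    return Record(classification, payload, _mac(key, classification, payload))


def verify(key: bytes, rec: Record) -> None:
    if not hmac.compare_digest(_mac(key, rec.classification, rec.payload), rec.tag):
        raise IntegrityError("record tag mismatch")


def read(key: bytes, clearance: str, replicas: list, record_id: str) -> bytes:
    """Return the payload of record_id, enforcing all three properties.

    replicas: callables that take a record id and return a Record, or raise
    (OSError for an unreachable node, KeyError for a missing record).
    """
    last_error = None
    for fetch in replicas:
        try:
            rec = fetch(record_id)
            verify(key, rec)  # Integrity: reject tampered copies
        except (IntegrityError, OSError, KeyError) as exc:
            last_error = exc  # Availability: fall through to the next replica
            continue
        # Confidentiality: check clearance before releasing any payload.
        if LEVELS[clearance] < LEVELS[rec.classification]:
            raise AccessDenied(f"{clearance} clearance cannot read {rec.classification} data")
        return rec.payload
    raise Unavailable(f"no replica could serve {record_id!r}: {last_error}")


def demo() -> dict:
    """Constructed scenario: one replica down, one tampered, one healthy."""
    key = b"example-key-for-illustration-only"
    good = seal(key, "confidential", b"Q3 forecast: 12.5 MNOK")
    store = {"fc-2024": good}

    def down(_rid):
        raise OSError("replica unreachable")

    def tampered(rid):  # label downgraded to "public" without re-sealing
        r = store[rid]
        return Record("public", r.payload, r.tag)

    def healthy(rid):
        return store[rid]

    out = {}
    out["secret_reader"] = read(key, "secret", [down, tampered, healthy], "fc-2024")
    try:
        read(key, "internal", [down, tampered, healthy], "fc-2024")
    except AccessDenied:
        out["internal_reader"] = "denied"
    try:
        read(key, "secret", [down, tampered], "fc-2024")
    except Unavailable:
        out["no_healthy_replica"] = "unavailable"
    return out


if __name__ == "__main__":
    print(demo())
```

The order of the checks matters: the integrity check runs before the clearance check so that a downgraded label can never widen who may read a record, and a copy that fails verification is treated like an unreachable node rather than being served. An `AccessDenied` result is deliberately not retried on another replica, since it is a policy decision, not a failure.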
Cegal and the CIA Triad
At Cegal, we use the CIA Triad as a model when we help our customers with information security, because it is important that an IT security system fulfils all three parts that make up the CIA Triad.