I recently attended a conference for security professionals at which a number of experienced (sounds better than seasoned) CISOs and SOs were presenting their insights into the challenges of cyber attacks and cyber crime faced by their organisations.
Almost without exception, each presenter used the term CIA when discussing methodologies and frameworks for cyber security.
Now, I don’t like to remember how long I’ve been working in this business, but CIA is one of those acronyms I’ve grown up with and like many in attendance, I just assumed everyone understood its meaning in the context of the discussion.
Imagine my surprise and amusement when a slightly younger member of the audience turned to me and said “the presenter is obviously confusing the CIA with the FBI.”
As we discussed the meaning of CIA in the context of cyber security, it became obvious from the interest shown by others that this young man was not alone; there seemed many who had little or no knowledge of the term.
So, for those who can claim the ignorance of youth, and for members of our sales team, CIA represents Confidentiality, Integrity and Availability. Since the mid-eighties (if memory serves me well) these have been the three principles that should be guaranteed in any kind of secure system. A weakness in any one principle will leave a system open to abuse.
Confidentiality: The correct level of access should be given only to those people and processes that need it to complete their duties. If no access is required then none should be given.
Integrity: Ensure the integrity of the information is maintained at all times and that any information provided is an accurate and unchanged representation of the original.
Availability: Ensure all information is readily accessible to all authorised users at all times.
The theory is simple but the practicality of supporting such requirements is anything but. If you study each principle separately, you will quickly realise that achieving the end goal across even a reasonably simple system requires that a number of complex controls be put in place.
Meeting the requirements of all three principles brings more complexity, especially as the missing part of the jigsaw is Audit; the ability to evidence controls, findings, remediation etc. Maybe we can change it to CIA2 – it may also help to reduce confusion.
Anyway, we’re creeping back into the realms of cyber security fundamentals now so my task is done.