– published in the SICASA Newsletter of Mangalore ICAI in the month of August 2013
Information systems are the lifeblood of any large business. Unlike in years past, computer systems no longer merely record business transactions; they drive the key business processes of the enterprise. In such a scenario, senior management and business managers naturally have concerns about their information systems, and the purpose of an IS audit is to review those systems and provide feedback, assurance and suggestions. These concerns can be grouped under three broad heads: Confidentiality, Integrity and Availability of data.
The CIA triad is a well-known model in information security. It is applied in many situations to identify problems or weaknesses and to establish security solutions. In this context, confidentiality is a set of rules that limits access to information, integrity is the assurance that the information is trustworthy and accurate, and availability is a guarantee of ready access to the information by authorized people.
Why are these three elements important? While a business’ assets may be measured in terms of its employees, buildings or cash on hand, the vast majority of its assets are stored in the form of information, whether it is electronic data or written documents. If this information is disclosed to unauthorized individuals, is inaccurate or deceptive, or is not available when required, the business may suffer significant harm such as the loss of customer confidence, contract damages, regulatory fines and restrictions, or a reduction in market share. In the worst case, a failure to control information could lead to significant financial losses or regulatory restrictions on the ability to conduct business.
Confidentiality: This refers to preventing the disclosure of information to unauthorized individuals or systems. It is closely tied to privacy, that is, the ability to control or restrict access so that only authorized individuals can view sensitive information. One of the underlying principles of confidentiality is “need-to-know” or “least privilege”: access to vital information should be limited to those individuals who have a specific need to see or use that information. Confidentiality is necessary for maintaining the privacy of the people whose personal information a system holds.
For example, a credit card transaction on the Internet requires the credit card number to be transmitted from the buyer to the merchant and from the merchant to a transaction processing network. The system attempts to enforce confidentiality by encrypting the card number during transmission, by limiting the places where it might appear (in databases, log files, backups, printed receipts, and so on), and by restricting access to the places where it is stored. If an unauthorized party obtains the card number in any way, a breach of confidentiality has occurred.
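One of the confidentiality controls named above is limiting the places where the card number can appear, log files being the usual leak. The block below is an added example, not code from the newsletter: a small log-redaction filter that masks any Luhn-valid 13 to 19 digit card number before a line is written, keeping only the first six and last four digits. The log lines are constructed sample data and the card numbers are the standard test values, not real cards.

```python
import re

# Constructed sample log lines (test-style card numbers, not real ones).
SAMPLE_LOG_LINES = [
    "2013-08-01 10:15:02 INFO checkout ok card=4111111111111111 amount=250.00",
    "2013-08-01 10:15:09 WARN retry card 5500 0000 0000 0004 gateway timeout",
    "2013-08-01 10:16:11 INFO session refreshed user=42",
]

# 13 to 19 digits, optionally separated by single spaces or hyphens.
# The pattern starts and ends on a digit so surrounding spacing is preserved.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: used only to avoid masking ordinary numbers (IDs, timestamps)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _mask(match: re.Match) -> str:
    raw = match.group(0)
    digits = re.sub(r"[ -]", "", raw)
    if not luhn_valid(digits):
        return raw              # not a card number; leave untouched
    # Keep BIN (first 6) and last 4, mask the rest.
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_line(line: str) -> str:
    """Return the log line with every card number masked."""
    return PAN_RE.sub(_mask, line)


def redact_log(lines):
    """Apply redaction to a sequence of log lines (e.g. before writing to disk)."""
    return [redact_line(line) for line in lines]


if __name__ == "__main__":
    for line in redact_log(SAMPLE_LOG_LINES):
        print(line)
```

In practice this filter belongs in the logging pipeline itself (a logging formatter or a sink-side filter), so that developers cannot forget to apply it; redacting after the fact only limits the damage once the number has already been written.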
Integrity: Information is accurate and reliable and has not been subtly changed or tampered with by an unauthorized party. Integrity includes:
- Authenticity: The ability to verify content has not changed in an unauthorized manner.
- Non-repudiation & Accountability: The origin of any action on the system can be verified and associated with a user.
The term integrity is used frequently when considering information security, as it represents one of the primary indicators of security (or the lack of it). The integrity of data is not only a question of whether the data is ‘correct’, but of whether it can be trusted and relied upon. Integrity involves maintaining the consistency, accuracy and trustworthiness of data over its entire life cycle. Data must not be changed in transit, and steps must be taken to ensure that data cannot be altered by unauthorized people.
For example, making copies (say by e-mailing a file) of a sensitive document, threatens both confidentiality and the integrity of the information. Why? Because, by making one or more copies, the data is then at risk of change or modification.
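The copy problem above is exactly what a keyed message authentication code is for: the owner of the document records an HMAC tag for the original, and any copy can later be checked against that tag to show whether it still matches. This is an added example and not from the newsletter; the document text and the key are constructed for the demonstration, and a real deployment would keep the key in a secrets store rather than in source.

```python
import hashlib
import hmac

# Constructed sample: an original record and a copy that was quietly altered.
ORIGINAL = b"Invoice 1042: total due INR 12,500.00 payable to account 0099-1234"
TAMPERED = b"Invoice 1042: total due INR 12,500.00 payable to account 0099-9999"

# Constructed demo key; in practice this comes from a secrets store, not source code.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"


def sign_document(key: bytes, content: bytes) -> str:
    """Return the HMAC-SHA256 tag of the content under the given key."""
    return hmac.new(key, content, hashlib.sha256).hexdigest()


def verify_document(key: bytes, content: bytes, tag: str) -> bool:
    """True only if the content still matches the recorded tag under this key."""
    expected = sign_document(key, content)
    # Constant-time comparison, so the check itself leaks nothing about the tag.
    return hmac.compare_digest(expected, tag)


def check_copies():
    """Sign the original, then verify the original, a tampered copy and a wrong key."""
    tag = sign_document(DEMO_KEY, ORIGINAL)
    return (
        verify_document(DEMO_KEY, ORIGINAL, tag),   # unchanged copy: True
        verify_document(DEMO_KEY, TAMPERED, tag),   # altered copy: False
        verify_document(b"other-key", ORIGINAL, tag),  # wrong key: False
    )


if __name__ == "__main__":
    print(check_copies())
```

A plain SHA-256 digest would also detect an accidental change, but anyone who can edit the copy can recompute a plain digest; the key is what turns the check into evidence that the content is the one the key holder vouched for, which is the authenticity and accountability aspect of integrity described above.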
Availability: For any information system to serve its purpose, the information must be available when it is needed. This means that the computing systems used to store and process the information, the security controls used to protect it, and the communication channels used to access it must all be functioning correctly. High-availability systems aim to remain available at all times, preventing service disruptions due to power outages, hardware failures and system upgrades. Ensuring availability also involves preventing denial-of-service attacks. In short, it is the assurance that the systems responsible for delivering, storing and processing information are accessible when needed, by those who need them.
It is important to note that confidentiality, integrity and availability are not the exclusive concern of information security. Business continuity planning places a significant emphasis on protecting the availability of information as part of the overall objective of business recovery. Common back-office procedures, such as maker/checker, quality assurance, change control, etc., along with regulatory areas such as SOX 404 (SOX, the Sarbanes-Oxley Act, is essentially the USA equivalent of Clause 49), focus on ensuring the integrity of information.
| Objective | Consequence of failure | Typical controls | Area of responsibility |
|---|---|---|---|
| Confidentiality | Loss of privacy. Unauthorized access to information. Identity theft | Encryption, Authentication, Access controls | Information Security |
| Integrity | Information is no longer reliable or accurate. Fraud | Maker/Checker, Quality Assurance, Audit Logs | Operational Controls |
| Availability | Business disruption, Loss of customer confidence, Loss of revenue | BCP Plans and Tests, Back-up storage, Sufficient capacity | Business Continuity Planning |
Applicability of CIA Triad made easy
The CIA triad is entirely concerned with information. While this is the core factor of most IT security, it promotes a limited view of security that tends to ignore some additional, important factors. For instance, while availability may ensure that one does not lose access to resources and that information is provided when it is needed, thinking about information security in and of itself in no way guarantees that someone else isn’t making unauthorized use of your hardware resources.
It can be concluded that fulfilling the CIA principles and meeting the goal of information security is not a goal with a clear end, but an open goal that continually changes with time, with the development of technology and the means of information security, and with the emergence of new threats and vulnerabilities. Lasting effort must be exerted to maintain the confidentiality, integrity and availability of information; it is not possible to take some precautions and declare that the CIA triad is fulfilled and that nothing more needs to be done.
Moreover, it can be deduced that efforts ought to be exerted not only by information security professionals, but by employees and all holders of confidential information to safeguard the CIA principles.