The CIA Triad
The CIA Triad is the foundational framework of information security. Every security decision you make — every control you implement, every risk you assess — connects back to one or more of these three properties: Confidentiality, Integrity, and Availability.
Confidentiality
Confidentiality is about ensuring that information is accessible only to those who are authorized to see it. It protects data from unauthorized disclosure. The security professional's job is to regulate access — permitting authorized users in, keeping everyone else out.
Two categories of data that require special confidentiality protection:
- PII (Personally Identifiable Information): Any data that can be used to identify a specific individual — names, addresses, Social Security numbers, biometric records.
- PHI (Protected Health Information): Healthcare-related information governed by HIPAA — health status, treatment records, and payment for healthcare.
Sensitivity refers to the importance assigned to information by its owner — how much harm would result if that information were improperly disclosed or modified.
Common threats to confidentiality and their countermeasures:
- Snooping — gathering information left out in the open. Countered by clean desk policies.
- Dumpster diving — searching discarded materials. Countered by paper shredding.
- Eavesdropping — secretly listening to conversations. Countered by rules governing sensitive discussions.
- Wiretapping — electronic eavesdropping on a network link. Countered by encrypting data in transit (for example TLS), so a captured stream is unreadable without the key.
- Social engineering — manipulating people into giving up information. Countered by user education.
Integrity
Integrity means that information is accurate, complete, and has not been altered in an unauthorized way. It applies to data at rest, data in transit, and data being processed.
A key concept: the baseline — a documented snapshot of the known good state of a system or dataset. If you compare the current state to the baseline and they match, integrity is intact. In practice the snapshot is a set of cryptographic hashes of the files or records (this is what file integrity monitoring tools do), and the baseline itself must be kept where an attacker who compromises the system cannot rewrite it; a tampered baseline will happily "match" tampered data.
Common threats to integrity:
- Unauthorized modification — countered by the principle of least privilege.
- Impersonation — pretending to be someone else. Countered by user education and strong authentication.
- Man-in-the-Middle (MITM) — an attacker inserts themselves between two communicating parties and relays or alters traffic. Countered by encryption with authenticated endpoints (for example TLS with certificate validation); an encrypted channel whose far end is not authenticated can still be terminated and re-originated by the attacker.
- Replay attacks — an attacker captures a valid message or authentication exchange and resends it later. Countered by making each exchange single-use: nonces, timestamps, sequence numbers, and short-lived session tokens. Encryption alone does not stop a replay, because the attacker never needs to read the captured data in order to resend it.
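The baseline comparison described above, as a small file integrity check. This is an added example and not code from the original page; the directory layout, file contents and the simulated tampering are all constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK = 64 * 1024


def sha256_file(path: Path) -> str:
    """Hash file content in chunks so large files never need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict[str, str]:
    """The baseline: relative path -> SHA-256 for every regular file under root.
    A collision-resistant hash is what lets 'same digest' stand in for 'same content'."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify every difference between two snapshots. An empty report means intact."""
    shared = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in shared if baseline[p] != current[p]),
    }


def intact(report: dict[str, list[str]]) -> bool:
    return not any(report.values())


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a fake /etc tree, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc" / "cron.d").mkdir(parents=True)
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "etc" / "cron.d" / "backup").write_text("0 2 * * * root /usr/local/bin/backup\n")

        # In a real deployment this dict goes to read-only or off-host storage.
        baseline = snapshot(root)
        assert intact(compare(baseline, snapshot(root)))  # nothing has changed yet

        # Simulated tampering: a second UID 0 account, a deleted hosts file,
        # and a new cron job dropped in for persistence.
        (root / "etc" / "passwd").write_text(
            "root:x:0:0:root:/root:/bin/bash\nsvc:x:0:0::/:/bin/sh\n"
        )
        (root / "etc" / "hosts").unlink()
        (root / "etc" / "cron.d" / "persist").write_text("* * * * * root /tmp/.x\n")

        return compare(baseline, snapshot(root))
```

The report names exactly what moved away from the known good state; whether a given change was authorized is a separate question the monitor cannot answer on its own, which is why change management and the baseline's own protection matter as much as the hash function.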
Availability
Availability means that systems and data are accessible when authorized users need them. It is not about 100% uptime — it means systems meet the organization's actual business requirements for timely and reliable access.
Common threats to availability:
- Denial of Service (DoS) — flooding a system with more traffic or requests than it can handle. Countered by firewalls and rate limiting at the edge and, for volumetric attacks that saturate the network link itself, by upstream filtering from the ISP or a scrubbing/CDN provider, since a firewall behind a full pipe cannot help.
- Power outages — countered by redundant power sources and generators.
- Hardware failures — countered by redundant components.
- Destruction — physical or logical. Countered by off-site backups.
- Service outages — software errors or infrastructure failures. Countered by resilient architecture.
Authentication, Authorization, and Accounting (AAA)
Access control follows four sequential steps (identification, then the three A's):
- Identification — Making a claim of identity. Typically your username.
- Authentication — Proving that claim. Three categories:
- Something you know: Passwords, PINs, security questions
- Something you have: Hardware tokens, smart cards, one-time passwords
- Something you are: Biometrics — fingerprints, facial recognition, iris scans
- Authorization — Determining what the authenticated user is allowed to do. Enforced through Access Control Lists (ACLs) or role assignments.
- Accounting — Maintaining logs of what users do once granted access. This enables auditing and forensic analysis.
Single-Factor Authentication uses only one method. Multi-Factor Authentication requires two or more factors from different categories. A username and password together are still single-factor: the username is the identity claim, not a factor, and the password is the only proof offered. Likewise a password plus a PIN is single-factor, since both are "something you know."
Non-Repudiation
Non-repudiation is the inability of a party to deny having performed an action. In a legal context, it means you cannot claim you didn't send an email you sent or approve a transaction you approved. This becomes critical in e-commerce and electronic transactions. Digital signatures are the primary non-repudiation mechanism — they hold parties accountable for their actions. They work because the signing key is held only by the signer; a shared-key MAC cannot provide non-repudiation, since either party holding the key could have produced it.
Privacy
Privacy is the right of an individual to control the distribution of information about themselves. It is distinct from security: security protects data from unauthorized access, while privacy governs how data is collected, used, and shared even by authorized parties.
- GDPR: EU regulation applying to any organization worldwide that processes personal data of EU residents. Treats privacy as a human right.
- HIPAA: US federal law governing protection of health information.
- PIPEDA: Canada's data protection law.
Risk Management
Risk is the measure of the extent to which an entity is threatened by a potential event. Risk = Likelihood × Impact
Key terminology:
- Asset: Anything of value — hardware, software, data, intellectual property
- Vulnerability: A weakness or flaw that could be exploited
- Threat: A person, event, or circumstance that could exploit a vulnerability
- Likelihood: The probability that a threat will exploit a vulnerability
- Impact: The magnitude of harm resulting from a successful exploit
Risk Assessment Matrix
- High likelihood + High impact = Priority 1 — address immediately
- Low likelihood + High impact = Priority 2 — plan for it
- High likelihood + Low impact = Priority 3 — monitor it
- Low likelihood + Low impact = Priority 4 — accept or monitor
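The formula and the four-quadrant matrix above, applied to a small risk register. This is an added example and not from the original page; the five-point scales, the "High means 4 or 5" cut-off and the register entries are all constructed assumptions. It goes one step beyond the text by showing where ranking on the raw product disagrees with the matrix.

```python
from dataclasses import dataclass

# Assumed five-point ordinal scales (the page fixes no scale). A rating of 4 or 5
# counts as "High", 1 to 3 as "Low". Both choices are constructed for this example.
SCALE = range(1, 6)
HIGH = 4


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int  # 1 = rare ... 5 = almost certain
    impact: int      # 1 = negligible ... 5 = severe

    def __post_init__(self) -> None:
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.name}: ratings must lie in 1..5")

    def score(self) -> int:
        """Risk = Likelihood x Impact on the ordinal scales."""
        return self.likelihood * self.impact

    def priority(self) -> int:
        """The four-quadrant matrix: high impact outranks high likelihood."""
        high_l, high_i = self.likelihood >= HIGH, self.impact >= HIGH
        if high_l and high_i:
            return 1
        if high_i:
            return 2
        if high_l:
            return 3
        return 4


def prioritize(register: list[Risk]) -> list[Risk]:
    """Quadrant first, raw score within a quadrant, then name for a stable order."""
    return sorted(register, key=lambda r: (r.priority(), -r.score(), r.name))


def by_score_only(register: list[Risk]) -> list[Risk]:
    """What you get by ranking on the product alone, for comparison."""
    return sorted(register, key=lambda r: (-r.score(), r.name))


# Constructed risk register.
REGISTER = [
    Risk("Unpatched internet-facing VPN appliance", likelihood=4, impact=5),  # 20
    Risk("Flood takes out the single data centre", likelihood=1, impact=5),   # 5
    Risk("Phishing mail reaches user inboxes", likelihood=5, impact=2),       # 10
    Risk("Encrypted laptop lost in transit", likelihood=3, impact=2),         # 6
]


def ranked_names(register: list[Risk] = REGISTER) -> tuple[list[str], list[str]]:
    """(matrix order, product order) so the two can be compared side by side."""
    return (
        [r.name for r in prioritize(register)],
        [r.name for r in by_score_only(register)],
    )
```

The product puts the data-centre flood last (score 5) behind phishing (10) and the lost laptop (6), while the matrix puts it second: the quadrant rules encode a deliberate preference for planning against rare catastrophic events over frequent nuisances, which a plain multiplication of two ordinal ratings cannot express. Whichever scheme an organization adopts, it should be written down so two assessors score the same risk the same way.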
Risk Treatment Options
- Avoidance: Eliminate the risk by stopping the activity that creates it.
- Acceptance: Acknowledge the risk and do nothing further.
- Mitigation: Take action to reduce likelihood or impact — the most common approach.
- Transference: Shift the financial burden to a third party, through insurance or by outsourcing the activity. Accountability for the outcome stays with the organization; only the cost moves.
Risk tolerance is the level of risk an organization is willing to accept in pursuit of its goals. Set by executive management and the Board of Directors.
Security Controls
Security controls are the safeguards put in place to protect the CIA Triad. Three types:
- Physical Controls: Tangible mechanisms — badge readers, locks, security guards, fences, cameras, motion detectors, mantraps. Control physical movement of people and equipment.
- Technical Controls (logical controls): Implemented by computer systems — firewalls, IDS, encryption, access control lists, authentication systems.
- Administrative Controls (managerial controls): Policies and procedures directed at people — acceptable use policies, awareness training, hiring and termination procedures.
A badge reader (physical) connected to a door lock (physical) managed by an access control system (technical) governed by a security policy (administrative) — this layering is what defense in depth looks like in practice.
Governance Elements
The governance hierarchy from broadest to most specific:
- Regulations: Laws issued by governments. Non-compliance carries financial penalties. Examples: GDPR, HIPAA. PCI DSS is often grouped with these, but it is a contractual industry standard enforced by the card brands rather than a government law; non-compliance still brings fines and can cost an organization the ability to process card payments.
- Standards: Frameworks that help organizations implement policies. Developed by NIST, ISO, or IEEE.
- Policies: Organization-specific rules put in place by executive management.
- Procedures: Step-by-step instructions for completing specific tasks.
(ISC)² Code of Ethics
All (ISC)² certified professionals commit to these four canons, in priority order:
- Protect society, the common good, necessary public trust and confidence, and the infrastructure
- Act honorably, honestly, justly, responsibly, and legally
- Provide diligent and competent service to principals
- Advance and protect the profession