The fundamental principles (tenets) of information security are confidentiality, integrity, and availability. Every element of an information security program (and every security control put in place by an entity) should be designed to achieve one or more of these principles. Together, they are called the CIA Triad.
What is Confidentiality?
Confidentiality measures are designed to protect against unauthorized disclosure of information. The objective of the confidentiality principle is to ensure that private information remains private and that it can only be viewed or accessed by individuals who need that information in order to complete their job duties.
What is Integrity?
Integrity involves protection from unauthorized modifications (e.g., add, delete, or change) of data. The principle of integrity is designed to ensure that data can be trusted to be accurate and that it has not been inappropriately modified.
What is Availability?
Availability is protecting the functionality of support systems and ensuring data is fully available at the point in time (or period requirements) when it is needed by its users. The objective of availability is to ensure that data is available to be used when it is needed to make decisions.
Effectively executing all three tenets of the Security Triad creates an ideal outcome from an information security perspective. Consider this example: An organization obtains or creates a piece of sensitive data that will be used in the course of its business operations. Because the data is sensitive, that data should only be able to be seen by the people in the organization that need to see it in order to do their jobs. It should be protected from access by unauthorized individuals. This is an example of the principle of confidentiality.
When the individual that needs that piece of data to perform a job duty is ready to utilize it, it must be readily accessible (i.e. online) in a timely and reliable manner so the job task can be completed on time and the company can continue its processing. This describes the principle of availability. And finally, the data will be used in calculations that affect business decisions and investments that will be made by the organization. Therefore, the accuracy of the data is critical to ensure the proper calculations and results upon which decisions will be made. The assurance that the data has not been improperly tampered with and therefore can be trusted when making the calculations and resulting decisions is the principle of integrity.
LBMC Information Security provides strong foundations for risk-management decisions. We design our security risk assessments to arm your organization with the information it needs to fully understand your risks and compliance obligations. Learn more about our Risk Assessments / Current State Assessments.