Information Security
The third pillar is data and information protection
This is the third and final article in a series addressing the three-pillar approach to cyber security. The first two pillars are ‘people’ and ‘process’; the last pillar is ‘data and information’.
Data and information protection is the most technical and tangible of the three pillars. The data we gather comes from multiple sources, such as information technology (IT) and operational technology (OT) systems, and includes both personal data and operational data. It must be properly managed and protected at every step: when it is collected, transmitted, stored and processed.
What is the CIA triad?
When we discuss data and information, we must consider the CIA triad. The CIA triad
refers to an information security model made up of the three main components:
confidentiality, integrity and availability. Each component represents a fundamental
objective of information security.
The three components of the CIA triad are discussed below:
Confidentiality: This component is often associated with secrecy and the use of encryption. Confidentiality means that data is available only to authorized parties: information that has been kept confidential has not been disclosed to people who do not need it or who should not have access to it. Ensuring confidentiality therefore means classifying information by its sensitivity and by who needs access to it, and then enforcing that classification with access controls and, where data leaves a trusted boundary, with encryption. A breach of confidentiality may occur by different means, for instance hacking or social engineering.
Integrity: Data integrity is the assurance that data has not been tampered with or degraded during or after submission; that is, that it has not been subject to unauthorized modification, whether intentional or unintentional. Integrity can be compromised at two points: while the data is in transit (during upload or transmission) and while it is at rest (during storage in a database or collection). Note that a plain, unkeyed checksum only protects against unintentional corruption: an attacker who can alter the data can also recompute the checksum. Detecting intentional modification requires a keyed integrity check (a MAC) or a digital signature, where the attacker lacks the key.
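The following is an added example, not code from the article, showing the difference between the two ways of checking integrity described above: an unkeyed SHA-256 checksum, which catches accidental corruption but is defeated by an attacker who simply recomputes it, and an HMAC-SHA256 tag under a secret key, which rejects both accidental and deliberate changes to data whether it was altered on the wire or in storage. The record, the shared key and the tampering scenarios are all constructed for the illustration; only the Python standard library is used.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

TAG_LEN = 32  # length in bytes of a SHA-256 digest / HMAC-SHA256 tag

# Constructed sample record, as it might be uploaded to an API or written to a
# database. Illustrative only; not taken from the article.
RECORD = b'{"patient_id": 1042, "dose_mg": 5}'

# Hypothetical secret shared by the party that writes records and the party
# that later verifies them. In a real system it lives in a key store, not in code.
KEY = secrets.token_bytes(32)


def seal(data: bytes, key: bytes) -> bytes:
    """Append HMAC-SHA256(key, data) to data.

    Anyone who can rewrite the bytes (on the wire or in the database) but does
    not hold the key cannot produce a tag that will verify."""
    return data + hmac.new(key, data, hashlib.sha256).digest()


def open_sealed(blob: bytes, key: bytes) -> Optional[bytes]:
    """Return the data if its tag verifies, else None.

    hmac.compare_digest runs in constant time, so an attacker cannot learn the
    correct tag byte by byte from response timing."""
    if len(blob) < TAG_LEN:
        return None
    data, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, data, hashlib.sha256).digest()
    return data if hmac.compare_digest(tag, expected) else None


def store_with_checksum(data: bytes) -> bytes:
    """The weak alternative: data followed by an unkeyed SHA-256 digest."""
    return data + hashlib.sha256(data).digest()


def open_with_checksum(blob: bytes) -> Optional[bytes]:
    """Return the data if the unkeyed digest matches, else None."""
    if len(blob) < TAG_LEN:
        return None
    data, digest = blob[:-TAG_LEN], blob[-TAG_LEN:]
    return data if hashlib.sha256(data).digest() == digest else None


def flip_bit(blob: bytes, index: int) -> bytes:
    """Unintentional corruption: one bit flipped somewhere in the data."""
    b = bytearray(blob)
    b[index] ^= 0x01
    return bytes(b)


def rewrite(blob: bytes, old: bytes, new: bytes) -> bytes:
    """Intentional tampering: an attacker edits the data in place."""
    return blob.replace(old, new, 1)


def demo() -> Dict[str, bool]:
    """Run the scenarios; every value in the result should be True."""
    results = {}
    forged_record = rewrite(RECORD, b'"dose_mg": 5', b'"dose_mg": 50')

    # Unkeyed checksum: catches a flipped bit...
    chk = store_with_checksum(RECORD)
    results["checksum_catches_bitflip"] = open_with_checksum(flip_bit(chk, 3)) is None
    # ...but an attacker who edits the data just recomputes the digest, and the
    # forged record verifies as if it were genuine.
    results["checksum_accepts_forgery"] = open_with_checksum(store_with_checksum(forged_record)) is not None

    # Keyed tag: the intact record verifies, everything else is rejected.
    sealed = seal(RECORD, KEY)
    results["hmac_accepts_intact"] = open_sealed(sealed, KEY) == RECORD
    results["hmac_rejects_bitflip"] = open_sealed(flip_bit(sealed, 3), KEY) is None
    # Attacker edits the data in transit but cannot recompute the tag without KEY.
    results["hmac_rejects_forgery"] = open_sealed(rewrite(sealed, b'"dose_mg": 5', b'"dose_mg": 50'), KEY) is None
    # Attacker re-tags the forged record with a key of their own: still rejected.
    results["hmac_rejects_wrong_key"] = open_sealed(seal(forged_record, secrets.token_bytes(32)), KEY) is None
    # A truncated blob (e.g. a cut-off upload) is rejected rather than crashing.
    results["hmac_rejects_truncated"] = open_sealed(sealed[:10], KEY) is None
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

In practice the same protection is usually obtained from an authenticated encryption mode (such as AES-GCM) for data in transit, and from a MAC or digital signature over stored records; the point of the example is that the key, not the hash function, is what turns an integrity check into a defence against deliberate tampering.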
Availability: This means that the information is available to authorized users when it is
needed. For a system to demonstrate availability, it must have properly functioning
computing systems, security controls and communication channels. Systems defined as
critical (power generation, medical equipment, safety systems) often have extreme
requirements related to availability. These systems must be resilient against cyber
threats, and have safeguards against power outages, hardware failures and other events
that might impact the system availability.
Stability, availability and security
Availability is a major challenge in collaborative environments, as such environments must be stable and continually maintained. Such systems must also let users reach the information they need with little waiting time. Redundant components and fail-over mechanisms keep the service running when a single component fails. The concept of availability can also extend to the usability of a system: information that is technically reachable but impractical to use is not really available.
Information security refers to the preservation of confidentiality, integrity and availability when information is stored, processed or transmitted. An information security breach occurs when information is accessed, altered or made unavailable by unauthorized individuals or parties. Breaches may be the result of the actions of hackers, intelligence agencies, criminals, competitors, employees or others. In addition, individuals who value their privacy have a direct interest in information security.
The CIA triad describes three crucial components of data and information protection, which can serve as guides for establishing an organization's security policies. Establishing and maintaining those policies can be a daunting task, but the three-pillar strategic approach to cyber security can help you identify and manage cyber security risks in a methodical and comprehensive manner.