3 Foundations of InfoSec (and why you should care)

by Dan Strom on April 7, 2009

If you go to any class dealing with information security, you are bound to hear the three principles below discussed. They should be well understood before you try to set up a router, install anti-virus, or establish policies.

Yet… why should you care about these?

Just like building a house requires that there be a firm foundation, good information security must be built on these three solid principles.

So then, let’s move on. Here are the three foundational tenets of Information Security – represented by CIA.

No… not the Central Intelligence Agency…

  1. Confidentiality – At the most basic level, the principle of confidentiality ensures that an appropriate amount of secrecy is maintained and that information is protected from unauthorized disclosure. So, why is confidentiality important?

    • Many regulations require it! Several industries are regulated by federal/state governments or by standards bodies. Here are a few – HIPAA, GLBA, SOX, PCI DSS.
    • Disclosure of confidential information can ruin the reputation of your business.
    • Loss of confidentiality of your personal information can lead to identity theft.
    • I once lost personal banking information due to a worm on my computer that sent my personal information to a server in another country. Confidentiality became much more important to me after that!
  2. Integrity – The principle of integrity is the assurance that data is accurate and reliable and protected from unauthorized modification. Why is integrity important?

    • Once again, it is required by many regulations. The same regulations listed above also call for controls that ensure the integrity of the data.
    • Just as a mistake in your checkbook register can be disastrous, errors in the data that you use to run your company can prove disastrous.
    • Years ago, and at another company, we had a situation where an employee was maliciously changing customer records. While everyone thought they could trust the data, its integrity had been compromised.
  3. Availability – Availability ensures that authorized users can use the data when and where necessary. Why is availability important?

    • Businesses expect to be able to access information at particular times. It is not unusual for opportunities to be lost if a system is unavailable when it is needed.
    • In 2002 there was a significant DDoS (distributed denial of service) attack on the Internet that affected search engines, news sites and retail sites. Their on-line systems were not available, and as a result sales were affected.
    • In the event of catastrophic events, such as fire, flood, or tornadoes, being able to bring the systems back up so that they are available for business can often be the difference between survival and failure for the business.
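The integrity anecdote above (an insider quietly editing customer records) has a simple technical counterpart that the post does not show, so here is an added example, not from the original post. Each record is tagged with an HMAC under a key that is assumed to live outside the database (for instance in a separate secrets store), so someone with write access to the rows cannot recompute a valid tag after changing a field. The customer data and the insider edit are constructed for the example.

```python
"""Added example (not part of the original post): detecting unauthorized
modification of customer records with a keyed hash (HMAC-SHA256).

Assumption: the integrity key is provisioned out-of-band and is never stored
alongside the data, so a database user cannot re-tag an altered record.
"""
import hashlib
import hmac
import json
import secrets

# Hypothetical key held outside the database (e.g. a separate secrets store).
INTEGRITY_KEY = secrets.token_bytes(32)


def canonical(record: dict) -> bytes:
    """Serialize deterministically so the same record always hashes the same."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def tag_record(record: dict, key: bytes = INTEGRITY_KEY) -> str:
    """Compute an HMAC-SHA256 tag over the record's canonical form."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify_record(record: dict, tag: str, key: bytes = INTEGRITY_KEY) -> bool:
    """Recompute the tag and compare in constant time (no timing leak)."""
    return hmac.compare_digest(tag_record(record, key), tag)


def build_store(records):
    """Return {customer_id: (record, tag)} with every record tagged at write time."""
    return {r["customer_id"]: (dict(r), tag_record(r)) for r in records}


def audit(store):
    """Return the ids of records whose stored tag no longer matches the data."""
    return sorted(cid for cid, (rec, tag) in store.items() if not verify_record(rec, tag))


# Constructed sample data for the example.
CUSTOMERS = [
    {"customer_id": 1001, "name": "A. Example", "address": "1 Main St", "credit_limit": 5000},
    {"customer_id": 1002, "name": "B. Example", "address": "2 Oak Ave", "credit_limit": 2500},
]


def demo():
    """Tag the records, simulate an insider edit, and audit before and after."""
    store = build_store(CUSTOMERS)
    before = audit(store)  # every record still matches its tag
    # Insider edits the row directly, bypassing the application and the key.
    store[1002][0]["credit_limit"] = 250000
    after = audit(store)   # the edited record no longer verifies
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("records failing integrity check before edit:", before)
    print("records failing integrity check after edit:", after)
```

Note what this does and does not buy you: it detects modification rather than preventing it, it is only as strong as the secrecy of the key, and it will not catch someone who rolls a record back to an older (record, tag) pair they captured earlier unless you also bind a version or sequence number into the tagged data.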

Just remember, doing the latest shiny thing in InfoSec is not the end-goal. The objective is to build on the foundation of Confidentiality, Integrity, and Availability.

- Dan
