Kevin Henry: Why do We Use the CIA-Information Security Triad?


Many people struggle to define the word ‘security’. It is an abstract term that has a different meaning and significance to each individual. It is often defined as ‘safety’ (and in some languages it is the same word), or as assurance, protection, or a physical control.

As information security professionals, we also struggle to describe what security is, what it does, and why it is important. Even for those of us who work in the field, security can be an abstract term that is hard to define in a meaningful way.

This is even more true for the managers and users we are there to support. They often perceive information security as a futile and expensive endeavor that gets in the way when they are just trying to do their jobs.

For this reason, it is good that we have a way to define information security that even non-security people can understand. The Confidentiality, Integrity and Availability model describes information security as, first of all, much more than just privacy.

It is important that we understand the value of the CIA triad and how it can help us to communicate the value and benefits of security to everyone in our organization. Confidentiality is based on confidence and the ability to generate trust amongst our customers, employees and shareholders. You can trust us with your information. It is safe with us. We are aware of the risk of improper disclosure and the need to protect privacy and secrecy.

Integrity is important in more than one way. The most common understanding is to protect the accuracy or precision of data – is the data right, correct, precise? But we also know the importance of protecting the processes that affect our data, to ensure that the ‘right amount is credited to the right account!’

The term ‘sensitivity’ is often used in relation to confidentiality and integrity – would a person or an organization be harmed if the data or process was disclosed or modified incorrectly? If so, what would the level of impact be? Low, Moderate or High?

Too little attention is often given to the concept of availability – is that really the job of information security? I believe that it is – we must work with the managers of networks, applications, databases, and other supporting systems to ensure that the business has the data and processes it needs to operate. We need to seek out single points of failure, including the problem today of many systems that are supported by one individual, where no one else knows how to maintain or operate those systems. We need to work with project teams to ensure that the risk of unavailability is identified early in the process of designing a new system or process so that redundancy and resilience can be built into systems. Availability is often associated with criticality.

So from this we see that the CIA triad is not just a saying or ancient ideology – it is a way for us to communicate the needs of information security to the managers and users we interact with – and create a greater understanding of how we can all work towards the protection of information and business processes.


4. Mar 2020

by Kevin Henry

Kevin Henry

Senior Instructor Readynez

Kevin Henry has served for many years as an authorized instructor for (ISC)2, and he is renowned for his 20-year contribution to learners everywhere in the world training for IT security skills and certifications such as the CISSP, CISM, CISA and CCSP.
