Disclaimer: The opinions of the columnists are their own and not necessarily those of their employer.
Kenneth F. Belva

The CIA Triad: Theory and Practice

Take the following three cases:

  • Publishing publicly available information such as telephone records in the form of a telephone book
  • A public messaging service such as twitter
  • Medical records at a doctor’s office

Each case will give pragmatic priority to one aspect of CIA over the others. In the first case it’s about integrity, not confidentially or availability. If we publish telephone records we want them to have integrity and be accurate most of all. We are not concerned about the confidentiality of the records (since they are public) and the availability of the book is dependent on the household resident.  In the second case it’s about availability over confidentiality and integrity. Most all twitter accounts are public (confidentiality) and tweets are user supplied input (integrity). In terms of the CIA triad, as an information security professional at twitter we’re probably most concerned with availability; since we do not want people to change other’s tweets, integrity is second. In the final case it’s about confidentiality over availability and integrity. Sure, if we’re in an emergency we would like our medical records to be instantly available to the doctors treating us. That’s a rare circumstance. The reality is that confidentiality of my dental records is more important than availability at a moments notice. And, I hope the doctor recorded his analysis correct and that they are not taken out of the file cabinets and altered (integrity).

Neither article addresses the aspect of context and it’s my professional opinion that this is the source of a disagreement that should not be. Information security professionals would do well to pragmatically consider the situation and context of the entity they are protecting. Even through all members of the CIA triad deserve representation and consideration, the situation and context will determine which member of the CIA triad should deserve more focus than the others.

2 Comments

  1. Maureen Robinson Aug 6, 2012 at 9:42 am | Permalink

    This article does a great job of summarizing the aspects regarding CIA Triad. However, it’s important that security objectives are derived from examining every functional requirement in an application through the lens of confidentiality, integrity, and availability (CIA). More about the link between security objectives and CIA Triad: http://blog.securityinnovation.com/blog/2010/12/identify-security-objectives.html

  2. Anuj Sharma Jan 10, 2013 at 11:20 pm | Permalink

    Excellent write up. Context is not just important in security testing but in other non functional and functional testing as well.

    Context helps the stakeholders to take the right decision.

    Regards,
    Anuj Sharma

Post a Comment

Your email is never published nor shared. Required fields are marked *

*
*