An effective cybersecurity program is designed to protect the Confidentiality, Integrity and Availability of the organization’s information systems and digital assets. What does that mean exactly? Well, to start, it means we should discuss the CIA Triad.
The CIA Triad is an information security concept that consists of three core principles: (1) Confidentiality, (2) Integrity, and (3) Availability. These core principles become foundational components of information security policy, strategy and solutions. Cybersecurity professionals and executives responsible for the oversight of cybersecurity programs should have a deep understanding and appreciation for each of the three core principles.
Ultimately, all vulnerabilities and risks should be evaluated based on the threat they pose to one or more of the CIA Triad core principles. In addition, all security controls, or countermeasures, should be evaluated on how well they address the core principles of the CIA Triad.
Starting with this post, we will be diving into more detail about each of the three principles of the CIA Triad. The first principle we’re going to focus on is Confidentiality:
This core security principle is defined as the ability to restrict unauthorized subjects from accessing data, systems, objects or resources. In more general terms, confidentiality means that only certain people should have access to certain information or systems. Imagine an employee punches the time clock and goes home for the evening but forgets to shut down or lock their computer. Even worse, they are still logged into the client database that contains all sorts of Personally Identifiable Information (PII) like your clients’ names, addresses, and social security numbers. What happens if the janitorial service shows up to clean the office space and one of the cleaners notices the unlocked computer and helps themselves to the valuable info? This example illustrates the importance of Confidentiality.
There are many cyberattacks used to violate confidentiality including social engineering, theft of credentials or passwords, eavesdropping, and network sniffing. Your cybersecurity program should absolutely be influenced by the confidentiality principle. Here are a few controls that you should consider incorporating into the program:
1. Inventory of Devices and Software
It is very difficult to manage access to devices, applications and systems unless you have an accurate inventory of those assets. Once you understand what assets you own, only then can you begin to think about who is authorized to access and use them.
2. Data Classification
You must understand what data or information resides on your information systems. More importantly, you have to classify this data so that it can be protected according to value, sensitivity, and regulatory compliance.
3. Access Controls
Systems and information should be physically and/or logically segregated based on data classification efforts. Access to systems and information should be granted to authorized users on a need-to-know basis. Procedures for granting and revoking access should be documented and enforced. Strong password policies should be implemented and enforced. Privileged accounts should be minimized and monitored very closely using logging and notification technologies. Multi-Factor Authentication (MFA) should be used by authorized users when accessing systems and data according to data classification efforts and regulatory requirements.
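The Data Classification and Access Controls sections describe a set of rules that an authorization decision has to enforce together: the resource carries a classification, the user must hold an explicit need-to-know entitlement, sensitive classifications demand MFA, revocation must actually take effect, and privileged-account activity is logged for monitoring. The following Python is an added illustration of those rules and is not code from the original post; the classification labels, the threshold at which MFA becomes mandatory, and the sample users and resources are constructed assumptions for the example.

```python
"""Toy access-control policy evaluator (added example, not from the original post).

Encodes the rules from the Access Controls section: resources carry a data
classification, users get access only through explicit need-to-know
entitlements, sensitive classifications require MFA, revoked entitlements stop
working immediately, and every privileged-account access is recorded.
All users, resources and labels below are constructed sample data.
"""
from dataclasses import dataclass, replace
from enum import IntEnum


class Classification(IntEnum):
    # Ordered so that "more sensitive" compares greater (assumed labels).
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


# Assumption for this example: MFA is mandatory from CONFIDENTIAL upward.
MFA_REQUIRED_FROM = Classification.CONFIDENTIAL


@dataclass(frozen=True)
class User:
    name: str
    entitlements: frozenset          # resource ids with a documented need to know
    mfa_verified: bool = False       # True once the current session passed MFA
    privileged: bool = False         # administrative / privileged account


@dataclass(frozen=True)
class Resource:
    resource_id: str
    classification: Classification


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# Audit trail of privileged-account access; a real program would forward
# these records to a SIEM and alert on them.
PRIVILEGED_ACCESS_LOG: list = []


def evaluate_access(user: User, resource: Resource) -> Decision:
    """Decide whether `user` may access `resource` under the stated policy."""
    # Need-to-know: only an explicit entitlement grants access. Being a
    # privileged account does not imply access to every resource.
    if resource.resource_id not in user.entitlements:
        return Decision(False, "no entitlement (need-to-know not established)")
    # Step-up authentication is tied to the data classification.
    if resource.classification >= MFA_REQUIRED_FROM and not user.mfa_verified:
        return Decision(False, f"MFA required for {resource.classification.name} data")
    # Privileged accounts are allowed through but every access is logged.
    if user.privileged:
        PRIVILEGED_ACCESS_LOG.append(
            (user.name, resource.resource_id, resource.classification.name))
    return Decision(True, "granted")


def revoke_entitlement(user: User, resource_id: str) -> User:
    """Documented revocation procedure: returns the user with the entitlement removed."""
    return replace(user, entitlements=user.entitlements - {resource_id})


# Constructed sample resources and users.
CLIENT_DB = Resource("client-db", Classification.RESTRICTED)    # the PII database
PUBLIC_SITE = Resource("public-site", Classification.PUBLIC)
ALICE = User("alice", frozenset({"client-db"}), mfa_verified=True)
BOB = User("bob", frozenset({"client-db"}), mfa_verified=False)   # skipped MFA
EVE = User("eve", frozenset(), mfa_verified=True)                 # no need to know
ADMIN = User("dba-admin", frozenset({"client-db", "public-site"}),
             mfa_verified=True, privileged=True)


def run_scenarios() -> dict:
    """Evaluate each sample user against the PII database; returns name -> Decision."""
    PRIVILEGED_ACCESS_LOG.clear()
    results = {u.name: evaluate_access(u, CLIENT_DB) for u in (ALICE, BOB, EVE, ADMIN)}
    # Revocation must take effect immediately for the next request.
    results["alice-after-revoke"] = evaluate_access(
        revoke_entitlement(ALICE, "client-db"), CLIENT_DB)
    return results


if __name__ == "__main__":
    for who, decision in run_scenarios().items():
        print(f"{who:20s} allowed={decision.allowed:<5} {decision.reason}")
    print("privileged access log:", PRIVILEGED_ACCESS_LOG)
```

The three denial paths are deliberately distinct so that the reason for a refusal (missing entitlement, missing MFA) can be reported and monitored separately; the privileged-access log is the hook where the "logging and notification" requirement of the section would attach.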
4. Encryption
Information should be encrypted at rest and in transit according to data classification, regulatory requirements and the annual risk assessment. There are a variety of encryption solutions that range in price and functionality. The objective is to keep information confidential by encrypting it!
5. Personnel Training
Many confidentiality breaches occur by accident or mistake. Authorized users need to be properly trained. They should understand your data classification policy and acceptable use policy. They should understand why certain security controls are in place, how to properly use them, and why they should never attempt to circumvent them. Lastly, they should understand the threat landscape as it relates to confidentiality and what their actions and behaviors can do to help mitigate those risks.