Confidentiality, Integrity, and Availability (CIA) triad

The CIA (Confidentiality, Integrity, and Availability) triad is a well-known model for security policy development. The model consists of these three concepts:

• Confidentiality – ensures that sensitive information are accessed only by an authorized person and kept away from those not authorized to possess them. It is implemented using security mechanisms such as usernames, passwords, access control lists (ACLs), and encryption. It is also common for information to be categorized according to the extent of damage that could be done should it fall into unintended hands. Security measures can then be implemented accordingly.

• Integrity – ensures that information are in a format that is true and correct to its original purposes. The receiver of the information must have the information the creator intended him to have. The information can be edited by authorized persons only and remains in its original state when at rest. Integrity is implemented using security mechanism such as data encryption and hashing. Note that the changes in data might also occur as a result of non-human-caused events such as an electromagnetic pulse (EMP) or server crash, so it’s important to have the backup procedure and redundant systems in place to ensure data integrity.

• Availability – ensures that information and resources are available to those who need them. It is implemented using methods such as hardware maintenance, software patching and network optimization. Processes such as redundancy, failover, RAID and high-availability clusters are used to mitigate serious consequences when hardware issues do occur. Dedicated hardware devices can be used to guard against downtime and unreachable data due to malicious actions such as distributed denial-of-service (DDoS) attacks.