Module 1: Understand The Security Concepts of Information Assurance

The document discusses key concepts of information security including the CIA triad of confidentiality, integrity and availability. It defines authentication as verifying a user's identity, and describes single-factor versus multi-factor authentication. The document also covers non-repudiation, privacy, and laws/regulations related to privacy and data protection.

Uploaded by Tykeem Dove

Chapter 1

Security principles

Module 1: Understand the Security Concepts of Information Assurance

The CIA Triad

To define security, it has become common to use Confidentiality, Integrity and Availability,
also known as the CIA triad. The purpose of these terms is to describe security using
relevant and meaningful words that make security more understandable to management
and users and define its purpose.

Confidentiality
Confidentiality relates to permitting authorized access to information, while at the same
time protecting information from improper disclosure.
Integrity
Integrity is the property of information whereby it is recorded, used and maintained in a
way that ensures its completeness, accuracy, internal consistency and usefulness for a
stated purpose.
Availability
Availability means that systems and data are accessible at the time users need them.

Confidentiality is a difficult balance to achieve when many system users are guests or
customers, and it is not known if they are accessing the system from a
compromised machine or vulnerable mobile application. So, the security professional’s
obligation is to regulate access—protect the data that needs protection, yet permit
access to authorized individuals.

Personally Identifiable Information (PII) is a term related to the area of confidentiality.
It pertains to any data about an individual that could be used to identify them. Other
terms related to confidentiality are protected health information (PHI), which is
information regarding one’s health status, and classified or sensitive information,
which includes trade secrets, research, business plans and intellectual property.

Another useful definition is sensitivity, which is a measure of the importance assigned
to information by its owner, for the purpose of denoting its need for protection. Sensitive
information is information that, if improperly disclosed (confidentiality) or modified
(integrity), would harm an organization or individual. In many cases, sensitivity is related
to the harm to external stakeholders; that is, people or organizations that may not be a
part of the organization that processes or uses the information.

Integrity measures the degree to which something is whole and complete, internally
consistent and correct. The concept of integrity applies to:

● information or data
● systems and processes for business operations
● organizations
● people and their actions

Data integrity is the assurance that data has not been altered in an unauthorized
manner. This requires the protection of the data in systems and during processing to
ensure that it is free from improper modification, errors or loss of information and
is recorded, used and maintained in a way that ensures its completeness. Data integrity
covers data in storage, during processing and while in transit.

Information must be accurate, internally consistent and useful for a stated purpose. The
internal consistency of information ensures that information is correct on all related
systems so that it is displayed and stored in the same way on all systems. Consistency,
as part of data integrity, requires that all instances of the data be identical in form,
content and meaning.

System integrity refers to the maintenance of a known good configuration and
expected operational function as the system processes the information. Ensuring
integrity begins with an awareness of state, which is the current condition of the system.
Specifically, this awareness concerns the ability to document and understand the state
of data or a system at a certain point, creating a baseline. For example, a baseline can
refer to the current state of the information—whether it is protected. Then, to preserve
that state, the information must always continue to be protected through a transaction.

Going forward from that baseline, the integrity of the data or the system can always be
ascertained by comparing the baseline with the current state. If the two match, then the
integrity of the data or the system is intact; if the two do not match, then the integrity of
the data or the system has been compromised. Integrity is a primary factor in the
reliability of information and systems.
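As an added illustration, not part of the course text, the baseline-and-compare process described above, assuming the recorded state is a set of SHA-256 hashes over the files in a directory:

```python
"""Integrity baseline check: record a known-good state, then compare against it."""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Snapshot the current state as {relative path: content hash}.
    In practice the baseline is stored (and ideally signed) somewhere an
    attacker who can alter the files cannot also alter the baseline."""
    return {str(p.relative_to(root)): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_to_baseline(baseline: dict, root: Path) -> dict:
    """Compare the current state with the baseline. Empty lists in all three
    categories mean integrity is intact; anything else is a compromise."""
    current = build_baseline(root)
    return {
        "modified": sorted(f for f in baseline if f in current and current[f] != baseline[f]),
        "missing": sorted(f for f in baseline if f not in current),
        "added": sorted(f for f in current if f not in baseline),
    }


def integrity_intact(report: dict) -> bool:
    return not any(report.values())


def demo() -> dict:
    """Constructed scenario: a config directory, a baseline, then three changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app.conf").write_text("debug=false\n")
        (root / "users.txt").write_text("alice\nbob\n")
        baseline = build_baseline(root)                    # known-good state
        assert integrity_intact(compare_to_baseline(baseline, root))
        (root / "app.conf").write_text("debug=true\n")     # improper modification
        (root / "users.txt").unlink()                      # loss of information
        (root / "unexpected.txt").write_text("new\n")      # unexpected addition
        return compare_to_baseline(baseline, root)
```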

The need to safeguard information and system integrity may be dictated by laws and
regulations. Often, it is dictated by the needs of the organization to access and use
reliable, accurate information.

Availability can be defined as (1) timely and reliable access to information and the
ability to use it, and (2) for authorized users, timely and reliable access to data and
information services.

The core concept of availability is that data is accessible to authorized users when and
where it is needed and in the form and format required. This does not mean that data or
systems are available 100% of the time. Instead, the systems and data meet the
requirements of the business for timely and reliable access.

Some systems and data are far more critical than others, so the
security professional must ensure that the appropriate levels of availability are provided.
This requires consultation with the involved business to ensure that critical systems are
identified and available. Availability is often associated with the term criticality,
because it represents the importance an organization gives to data or an information
system in performing its operations or achieving its mission.

Authentication
When users have stated their identity, it is necessary to validate that they are the rightful
owners of that identity. This process of verifying or proving the user’s identification is known
as authentication. Simply put, authentication is a process to prove the identity of the
requestor.

There are three common methods of authentication:

● Something you know: Passwords or passphrases
● Something you have: Tokens, memory cards, smart cards
● Something you are: Biometrics, measurable characteristics

Methods of Authentication
There are two types of authentication. Using only one of the methods of authentication
stated previously is known as single-factor authentication (SFA). Granting users access
only after successfully demonstrating or displaying two or more of these methods is known
as multi-factor authentication (MFA).

Common best practice is to implement at least two of the three common techniques for
authentication:

● Knowledge-based 
● Token-based 
● Characteristic-based 

Knowledge-based authentication uses a passphrase or secret code to differentiate between
an authorized and unauthorized user. If you have selected a personal identification number
(PIN), created a password or some other secret value that only you know, then you have
experienced knowledge-based authentication. The problem with using this type of
authentication alone is that it is often vulnerable to a variety of attacks. For example, the
help desk might receive a call to reset a user’s password. The challenge is ensuring that the
password is reset only for the correct user and not someone else pretending to be that user.
For better security, a second or third form of authentication that is based on a token or
characteristic would be required prior to resetting the password. The combined use of a user
ID and a password consists of two things that are known, and because it does not meet the
requirement of using two or more of the authentication methods stated, it is not considered
MFA.

Non-repudiation
Non-repudiation is a legal term and is defined as the protection against an individual falsely
denying having performed a particular action. It provides the capability to determine whether
a given individual took a particular action, such as created information, approved information
or sent or received a message.
In today’s world of e-commerce and electronic transactions, there are opportunities for the
impersonation of others or denial of an action, such as making a purchase online and later
denying it. It is important that all participants trust online transactions. Non-repudiation
methodologies ensure that people are held responsible for transactions they conducted.

Privacy
Privacy is the right of an individual to control the distribution of information about
themselves. While security and privacy both focus on the protection of personal and
sensitive data, there is a difference between them. With the increasing rate at which data is
collected and digitally stored across all industries, the push for privacy legislation and
compliance with existing policies steadily grows. In today’s global economy, privacy
legislation and regulations on privacy and data protection can impact corporations and
industries regardless of physical location. Global privacy is an especially crucial issue when
considering requirements regarding the collection and security of personal information.

There are several laws that define privacy and data protection, which periodically change.
Ensuring that protective security measures are in place is not enough to meet privacy
regulations or to protect a company from incurring penalties or fines for the mishandling,
misuse or improper protection of personal or private information. An example of a law with
multinational implications is the European Union’s General Data Protection Regulation
(GDPR), which applies to all organizations, foreign or domestic, doing business in the EU or
with any persons in the EU. Companies operating or doing business within the United States
may also fall under several state laws that regulate the collection and use of
consumer data and privacy. Likewise, member nations of the EU enact laws to put GDPR
into practice and sometimes add more stringent requirements. These laws,
including national- and state-level laws, dictate that any entity anywhere in the world handling
the private data of people in a particular legal jurisdiction must abide by its
privacy requirements.

As a member of an organization's data protection team, you will
not be required to interpret these laws, but you will need an understanding of how they apply
to your organization.
