CIA Triad & Security Controls

Master the fundamental principles of information security through the CIA Triad (Confidentiality, Integrity, Availability) and understand how security controls protect against threats.

The CIA Triad - Foundation of Information Security

Confidentiality

Definition: Ensuring information is accessible only to authorized individuals.

Key Concepts:
  • Data classification (Public, Internal, Confidential, Secret)
  • Need-to-know principle
  • Privacy protection
  • Information disclosure prevention
Common Threats:
  • Data breaches
  • Eavesdropping
  • Social engineering
  • Insider threats
  • Unauthorized access
Protection Methods:
  • Encryption (AES, RSA)
  • Access controls (RBAC, ABAC)
  • Authentication (MFA, biometrics)
  • Data loss prevention (DLP)
  • Network segmentation

Integrity

Definition: Maintaining accuracy and trustworthiness of data throughout its lifecycle.

Key Concepts:
  • Data accuracy and completeness
  • Non-repudiation
  • Version control
  • Change management
Common Threats:
  • Data corruption
  • Unauthorized modifications
  • Malware infections
  • Human error
  • System failures
Protection Methods:
  • Digital signatures
  • Checksums and hashing (SHA-256)
  • Version control systems
  • Database constraints
  • Audit trails and logging
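The difference between a checksum and a keyed integrity check is worth seeing in code. The following is an added example, not material from the original page: a SHA-256 digest detects any change to a record, but only if the reference digest is stored somewhere an attacker who can modify the record cannot also modify; an HMAC (or a digital signature) removes that dependency because a forged record cannot be paired with a valid tag without the key. The record, the key and the "attacker" moves are constructed for illustration.

```python
"""Checksums versus keyed integrity checks (added example, constructed data)."""
import hashlib
import hmac

# Constructed sample record, e.g. one row of a payroll export, and a tampered copy.
ORIGINAL = b"employee=1042;salary=85000;currency=USD"
TAMPERED = b"employee=1042;salary=185000;currency=USD"

# Constructed integrity key. In practice it lives in an HSM/KMS or secrets store,
# never beside the data it protects.
INTEGRITY_KEY = b"example-key-do-not-use-in-production"


def sha256_hex(data: bytes) -> str:
    """Unkeyed digest: anyone, including an attacker, can compute it."""
    return hashlib.sha256(data).hexdigest()


def verify_sha256(data: bytes, reference_hex: str) -> bool:
    """Compare against a stored reference digest in constant time."""
    return hmac.compare_digest(sha256_hex(data), reference_hex)


def hmac_sha256_hex(key: bytes, data: bytes) -> str:
    """Keyed digest: a valid tag proves the data came from a key holder."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_hmac(key: bytes, data: bytes, reference_hex: str) -> bool:
    return hmac.compare_digest(hmac_sha256_hex(key, data), reference_hex)


def run_scenarios() -> dict:
    """Four cases a practitioner should be able to predict before running them."""
    stored_digest = sha256_hex(ORIGINAL)
    stored_tag = hmac_sha256_hex(INTEGRITY_KEY, ORIGINAL)

    # 1. Attacker edits the record but cannot reach the reference digest: detected.
    digest_catches_edit = not verify_sha256(TAMPERED, stored_digest)

    # 2. Attacker edits the record AND the digest stored next to it: not detected.
    attacker_digest = sha256_hex(TAMPERED)
    digest_fooled_by_recompute = verify_sha256(TAMPERED, attacker_digest)

    # 3. Same attacker against the HMAC: without the key, the best they can do is
    #    tag the forged record with a guessed key, which fails verification.
    forged_tag = hmac_sha256_hex(b"guessed-key", TAMPERED)
    hmac_rejects_forgery = not verify_hmac(INTEGRITY_KEY, TAMPERED, forged_tag)

    # 4. The genuine record with its genuine tag still verifies.
    hmac_accepts_genuine = verify_hmac(INTEGRITY_KEY, ORIGINAL, stored_tag)

    return {
        "digest_catches_edit": digest_catches_edit,
        "digest_fooled_by_recompute": digest_fooled_by_recompute,
        "hmac_rejects_forgery": hmac_rejects_forgery,
        "hmac_accepts_genuine": hmac_accepts_genuine,
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

Case 2 is the one that catches people out: a hash stored in the same database row, file or object as the data it covers is only a check against accidental corruption. For protection against a deliberate adversary, either anchor the reference digest somewhere the adversary cannot write, or use a key (HMAC) or a private key (signature) the adversary does not hold.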

Availability

Definition: Ensuring information and systems are accessible when needed by authorized users.

Key Concepts:
  • Uptime and reliability
  • Service level agreements (SLAs)
  • Business continuity
  • Disaster recovery
Common Threats:
  • DDoS attacks
  • Hardware failures
  • Natural disasters
  • Power outages
  • Network congestion
Protection Methods:
  • Redundancy and failover
  • Load balancing
  • Backup systems (3-2-1 rule)
  • Uninterruptible power supply (UPS)
  • Content delivery networks (CDN)
Remember: The CIA Triad represents the three fundamental goals that should be included in every security program. Most security measures address one or more of these principles.

CIA Triad Scenario Analysis

Example scenario (healthcare): unauthorized access to patient records

Impact Analysis:
  • Confidentiality: patient data is exposed to unauthorized personnel
  • Integrity: medical records could be altered, affecting treatment decisions
  • Availability: a system shutdown (for example, taking the compromised system offline to contain the incident) prevents access to critical patient data
A single incident usually affects more than one principle, so assess all three rather than stopping at the most obvious one.

Security Controls Framework

Security controls are safeguards implemented to reduce risk and protect the CIA Triad. They can be categorized by function and implementation type.

Security Control Categories

Category     | Administrative/Operational                     | Technical/Logical                      | Physical/Environmental
-------------|------------------------------------------------|----------------------------------------|---------------------------------------
Preventive   | Security policies, Training, Background checks | Firewalls, Encryption, Access controls | Locks, Fences, Security guards
Detective    | Security audits, Reviews, Monitoring           | IDS/IPS, SIEM, Log analysis            | CCTV, Motion sensors, Alarms
Corrective   | Incident response, Disciplinary actions        | Patches, Antivirus updates, Backups    | Fire suppression, Emergency procedures
Recovery     | Business continuity, Disaster recovery         | System restoration, Data recovery      | Alternate sites, Emergency power
Compensating | Manual processes, Increased oversight          | Alternative authentication, Monitoring | Additional barriers, Enhanced security
Preventive Controls

Purpose: Stop security incidents before they occur

Examples:
  • Firewalls blocking unauthorized network access
  • Antivirus software preventing malware installation
  • Access control systems restricting facility entry
  • Input validation preventing injection attacks
  • Security awareness training for employees
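The "input validation preventing injection attacks" bullet is the one preventive control on this list that a developer implements directly, so here it is in code. This is an added example, not from the original page: a lookup that pastes user input into SQL, beside the two layers that prevent the injection (a bound parameter, and allow-list validation at the boundary). The table, rows and attack string are constructed, and the database is an in-memory SQLite instance so the example runs offline.

```python
"""SQL injection: vulnerable lookup beside its hardened form (added example)."""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample schema and rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """VULNERABLE: the caller's string is pasted into the SQL text, so a quote in
    the input ends the literal and whatever follows becomes SQL syntax."""
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """HARDENED: the value is sent as a bound parameter, never as SQL text, so it
    is compared literally and cannot change the structure of the query."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# Allow-list validation at the trust boundary: an independent preventive layer
# that rejects anything outside the characters a username may contain.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def username_is_valid(username: str) -> bool:
    return USERNAME_RE.fullmatch(username) is not None


def lookup_defended(conn: sqlite3.Connection, username: str) -> list:
    """Both layers together: reject malformed input first, then query safely."""
    if not username_is_valid(username):
        raise ValueError("username rejected by allow-list")
    return lookup_parameterized(conn, username)


ATTACK = "' OR '1'='1"  # constructed tautology payload

if __name__ == "__main__":
    db = make_db()
    print("vulnerable    :", lookup_vulnerable(db, ATTACK))      # every row leaks
    print("parameterized :", lookup_parameterized(db, ATTACK))   # []
    print("allow-list    :", username_is_valid(ATTACK))          # False
```

The parameterized query is the control that actually closes the injection; validation is defence in depth that also catches malformed input before it reaches any sink, but it must never be the only layer, because the set of "dangerous" characters depends on the sink, not on the input.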

Risk Management & CIA Integration

Risk Assessment Process
  1. Asset Identification: Catalog information assets and their value
  2. Threat Identification: Identify potential threats to each asset
  3. Vulnerability Assessment: Find weaknesses that threats could exploit
  4. Risk Calculation: Risk = Threat × Vulnerability × Impact (qualitative ratings combined, not arithmetic; Threat × Vulnerability expresses the likelihood of a successful attack, Impact the consequence)
  5. Control Selection: Choose appropriate controls to mitigate risks
  6. Residual Risk: Evaluate remaining risk after controls
Risk Treatment Options
  • Accept: Acknowledge risk and take no action
  • Avoid: Eliminate the risk by not performing the activity
  • Transfer: Share risk with third parties (insurance, outsourcing)
  • Mitigate: Reduce risk through security controls
CIA Impact Levels (the scale used by FIPS 199 for federal systems)

Level    | Description                   | Examples
---------|-------------------------------|--------------------------------
Low      | Limited adverse effect        | Public website defacement
Moderate | Serious adverse effect        | Customer data exposure
High     | Severe or catastrophic effect | Critical infrastructure failure
Risk Calculation Example:
  • Threat: Insider threat (Medium probability)
  • Vulnerability: Weak access controls (High)
  • Impact: Financial data breach (High)
  • Risk Level: Medium × High × High = HIGH RISK
The ratings are ordinal, so the "×" is a qualitative combination (typically read off a risk matrix), not a multiplication of numbers; the point is that a likely, easily exploited weakness with severe consequences sits at the top of the register.
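To make steps 4 to 6 of the process concrete, here is the scoring carried through from inherent risk to residual risk and a treatment decision. This is an added example, not from the original page: the ordinal scale, the score thresholds, the control catalogue and the register entries are constructed assumptions, chosen so that the page's worked case (Medium × High × High) lands in High.

```python
"""Qualitative risk register: inherent risk, residual risk, treatment (added example)."""
from dataclasses import dataclass, field

RATING = {"Low": 1, "Medium": 2, "High": 3}


def risk_level(threat: str, vulnerability: str, impact: str) -> str:
    """Multiply the ordinal ratings (product 1..27) and bucket the product.
    Thresholds are an assumption: >= 13 High, 5..12 Medium, otherwise Low."""
    score = RATING[threat] * RATING[vulnerability] * RATING[impact]
    if score >= 13:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


def lower(current: str, proposed: str) -> str:
    """A control can only lower a rating, never raise it."""
    return min(current, proposed, key=RATING.__getitem__)


@dataclass
class Risk:
    asset: str
    scenario: str
    threat: str          # likelihood that the threat acts
    vulnerability: str   # how exploitable the weakness is
    impact: str          # consequence if the attack succeeds
    # Each control: (name, factor it reduces, rating it reduces that factor to)
    controls: list = field(default_factory=list)

    def inherent(self) -> str:
        return risk_level(self.threat, self.vulnerability, self.impact)

    def residual(self) -> str:
        """Step 6: risk remaining once the selected controls are applied."""
        t, v, i = self.threat, self.vulnerability, self.impact
        for _name, factor, new_rating in self.controls:
            if factor == "threat":
                t = lower(t, new_rating)
            elif factor == "vulnerability":
                v = lower(v, new_rating)
            elif factor == "impact":
                i = lower(i, new_rating)
        return risk_level(t, v, i)


def treatment(residual: str, appetite: str) -> str:
    """Accept when residual risk is within appetite; otherwise keep treating
    (more mitigation, transfer to a third party, or avoid the activity)."""
    if RATING[residual] <= RATING[appetite]:
        return "Accept"
    return "Mitigate further / Transfer / Avoid"


def sample_register() -> list:
    """Constructed entries; the first mirrors the worked example on the page."""
    return [
        Risk("Financial database", "Insider exfiltrates financial data",
             threat="Medium", vulnerability="High", impact="High",
             controls=[("MFA + least-privilege RBAC", "vulnerability", "Low")]),
        Risk("Public website", "Defacement via unpatched CMS",
             threat="High", vulnerability="Medium", impact="Low",
             controls=[("Monthly patch cycle", "vulnerability", "Low")]),
    ]


def assess(register: list, appetite: str) -> list:
    """Steps 4-6: (asset, inherent, residual, treatment), highest residual first."""
    rows = [(r.asset, r.inherent(), r.residual(), treatment(r.residual(), appetite))
            for r in register]
    return sorted(rows, key=lambda row: RATING[row[2]], reverse=True)


if __name__ == "__main__":
    for asset, inherent, residual, decision in assess(sample_register(), appetite="Medium"):
        print(f"{asset:20} inherent={inherent:6} residual={residual:6} -> {decision}")
```

Two things the code makes explicit that the prose leaves implicit: a control is recorded against the factor it actually changes (MFA lowers exploitability, not the insider's motivation or the value of the data), and "Accept" is a decision relative to a stated appetite, so the same residual risk can be acceptable to one organization and not to another.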

Security Frameworks & Standards

NIST Cybersecurity Framework
Core Functions (five in CSF 1.1; CSF 2.0, published in 2024, adds a sixth, Govern, covering strategy, policy and oversight):
  1. Identify: Asset management, business environment
  2. Protect: Access controls, awareness training
  3. Detect: Anomaly detection, monitoring
  4. Respond: Incident response, communication
  5. Recover: Recovery planning, improvements
Each function maps onto the CIA principles and onto the control categories above: Protect is largely preventive, Detect is detective, Respond is corrective and Recover is recovery.
ISO 27001/27002
Control Categories (a selection of the ISO/IEC 27002:2013 control domains; the 2022 edition regroups the controls into four themes: organizational, people, physical and technological):
  • Information security policies
  • Organization of information security
  • Human resource security
  • Asset management
  • Access control
  • Cryptography
  • Physical and environmental security
  • Operations security
  • Communications security
  • Incident management
Industry-Specific Regulations and Standards
Common examples (laws and standards that impose security requirements on a sector):
  • PCI DSS: Payment card industry
  • HIPAA: Healthcare information
  • SOX: Financial reporting
  • GDPR: European data protection
  • FERPA: Educational records
  • FISMA: Federal information systems
All frameworks emphasize CIA principles

Practical Implementation Guide

Confidentiality Basics
  • Strong passwords policy
  • Multi-factor authentication
  • File encryption for sensitive data
  • Secure Wi-Fi configuration
  • Employee training on data handling
Integrity Essentials
  • Regular data backups (3-2-1 rule)
  • Antivirus and anti-malware
  • Software patching schedule
  • Change management process
  • Digital signatures for documents
Availability Fundamentals
  • Uninterruptible power supply (UPS)
  • Cloud backup solutions
  • Internet service redundancy
  • Basic disaster recovery plan
  • Regular system maintenance

Advanced Confidentiality
  • Zero-trust architecture
  • Data loss prevention (DLP)
  • Privileged access management
  • Network segmentation
  • End-to-end encryption
Robust Integrity
  • Blockchain for critical records
  • Advanced threat protection
  • Configuration management
  • Database integrity monitoring
  • Immutable audit logs
High Availability
  • Clustered systems and failover
  • Geographic redundancy
  • Load balancing and CDN
  • Hot/warm/cold site recovery
  • Real-time replication
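"Immutable audit logs" under Robust Integrity are usually implemented as a hash chain, which also shows why a detective control needs something outside the attacker's reach. The following is an added example, not from the original page: each log entry's hash covers the previous entry's hash, so editing one record breaks every later hash; but an attacker who can rewrite the whole log can recompute the chain, and only a head hash anchored elsewhere (WORM storage, a separate logging system, a published value) catches that. The events are constructed and the anchor store is simulated by a variable.

```python
"""Tamper-evident audit log via hash chaining, and its limit (added example)."""
import copy
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value for the first entry

# Constructed sample events; in practice these come from the application.
SAMPLE_EVENTS = [
    {"seq": 1, "actor": "alice", "action": "login", "result": "ok"},
    {"seq": 2, "actor": "alice", "action": "update_salary", "employee": 1042, "new": 85000},
    {"seq": 3, "actor": "bob", "action": "export_report", "rows": 1200},
]


def canonical(record: dict) -> bytes:
    """Deterministic serialization so the same record always hashes the same."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(prev_hash: str, record: dict) -> str:
    """Each hash covers the previous hash, so a change to one entry breaks all later ones."""
    return hashlib.sha256(prev_hash.encode() + b"\n" + canonical(record)).hexdigest()


def append(log: list, record: dict) -> dict:
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"record": record, "prev": prev, "hash": entry_hash(prev, record)}
    log.append(entry)
    return entry


def verify_chain(log: list) -> tuple:
    """(True, -1) if the chain is internally consistent, else (False, first bad index)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["hash"] != entry_hash(prev, entry["record"]):
            return False, i
        prev = entry["hash"]
    return True, -1


def head_hash(log: list) -> str:
    return log[-1]["hash"] if log else GENESIS


def verify_against_anchor(log: list, anchored_head: str) -> bool:
    """Internal consistency plus agreement with a head hash stored out of band."""
    ok, _ = verify_chain(log)
    return ok and head_hash(log) == anchored_head


def build_sample_log() -> list:
    log = []
    for event in SAMPLE_EVENTS:
        append(log, event)
    return log


def naive_edit(log: list, index: int, record: dict) -> list:
    """Attacker edits one record but leaves the hashes alone: detected at that index."""
    tampered = copy.deepcopy(log)
    tampered[index]["record"] = record
    return tampered


def edit_and_rechain(log: list, index: int, record: dict) -> list:
    """Attacker with write access edits a record and recomputes every later hash:
    the chain verifies internally, but the head no longer matches the anchor."""
    tampered = copy.deepcopy(log)
    tampered[index]["record"] = record
    prev = tampered[index]["prev"]
    for entry in tampered[index:]:
        entry["prev"] = prev
        entry["hash"] = entry_hash(prev, entry["record"])
        prev = entry["hash"]
    return tampered


if __name__ == "__main__":
    log = build_sample_log()
    anchor = head_hash(log)  # would be written to WORM storage at append time
    forged = {"seq": 2, "actor": "alice", "action": "update_salary", "employee": 1042, "new": 185000}
    print("clean     :", verify_chain(log), verify_against_anchor(log, anchor))
    print("naive edit:", verify_chain(naive_edit(log, 1, forged)))
    rechained = edit_and_rechain(log, 1, forged)
    print("rechained :", verify_chain(rechained), verify_against_anchor(rechained, anchor))
```

The chain turns a log into a detective control against edits by anyone who cannot rewrite it wholesale; the anchored head hash is what extends that protection to an attacker with full write access, which is exactly the case an "immutable" audit log is meant to cover.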

Step-by-Step Process:
  1. Asset Classification: Identify and classify information assets
  2. Threat Modeling: Identify potential threats and attack vectors
  3. Vulnerability Assessment: Scan for technical and procedural weaknesses
  4. Risk Analysis: Calculate risk levels for each asset-threat pair
  5. Control Mapping: Map controls to CIA principles and risks
  6. Cost-Benefit Analysis: Evaluate control effectiveness vs. cost
  7. Implementation Plan: Prioritize and schedule control deployment
  8. Monitoring & Review: Continuously assess control effectiveness
Control Selection Criteria:

Factor        | Considerations
--------------|------------------------------------------
Effectiveness | How well does it mitigate the risk?
Cost          | Implementation and operational expenses
Compliance    | Regulatory and legal requirements
Usability     | Impact on user experience
Scalability   | Ability to grow with the organization
Integration   | Compatibility with existing systems

CIA Triad & Security Controls Quick Reference

Confidentiality
  • Encryption
  • Access controls
  • Authentication
  • Data classification
  • Privacy protection
Integrity
  • Digital signatures
  • Checksums/hashing
  • Version control
  • Input validation
  • Audit trails
Availability
  • Redundancy
  • Load balancing
  • Backup systems
  • Disaster recovery
  • Monitoring
Control Types
  • Preventive
  • Detective
  • Corrective
  • Recovery
  • Compensating

Knowledge Check Questions

Scenario-Based Questions:

Q1: A company's database was modified by an attacker, changing employee salary records. Which principle of the CIA Triad was violated?

Answer: Integrity - the accuracy and trustworthiness of data was compromised.

Q2: What type of control is a firewall that blocks unauthorized network traffic?

Answer: Preventive control - it stops security incidents before they occur.

Q3: A DDoS attack brings down a company's web server. Which CIA principle is affected?

Answer: Availability - authorized users cannot access the system when needed.

Technical Implementation:

Q4: Which control type would SHA-256 hashing be classified as?

Answer: Detective control - comparing a freshly computed hash with a stored reference value reveals whether the data has been modified. Caveat: a plain hash only detects tampering if the reference value is kept where the attacker cannot rewrite it; when the attacker can change both the data and its hash, a keyed HMAC or a digital signature is needed.

Q5: A company implements additional manual reviews when automated controls fail. What type of control is this?

Answer: Compensating control - provides alternative protection when primary controls cannot be implemented.

Q6: What are the three implementation types for security controls?

Answer: Administrative/Operational, Technical/Logical, and Physical/Environmental.