The Magic Triangle of IT Security
Michael Oberlaender looks at a practical approach to confidentiality, integrity and availability in the business world
By Michael Oberlaender, MS, CISSP, ACSE, GSNA
October 27, 2009 — CSO —
The myths of the CIA triad
Have you ever considered taking a role as the most senior person for information security working at a large corporation? Then you must be prepared to understand the key principles of information security—and how they really apply to life and business.
We all understand the typical C-I-A triad (written in this sequence because it's so easy to remember with the 3-letter agency acronym), where C stands for Confidentiality, I for Integrity and A for Availability. But what I have realized and seen from many people during my professional life—people who are well-educated about security and who are really committed to keeping their company's information secure—is this: They all overstate the importance of confidentiality.
Sure, I don't need to tell you that confidentiality is in fact important. But if you really think about it, what is the true business impact if some confidential information leaks? It certainly depends on the specific circumstances. Has intellectual property been compromised? Have marketing plans been shared with another sales department? Or even price lists? Or has a major planned acquisition become public knowledge, so that suddenly the stock price of the acquisition target goes through the roof? Maybe you will have to deny any such plans, wait until the stock price has normalized and perform the acquisition afterwards. Or sue the thief who stole and/or used your intellectual property. Or make your clients aware of the unfair business practices of the competitor who uses that price information. Anyway, the immediate (please note the emphasis) business impact in most cases is not as high as you may have thought.
Even after a competitor has gained that extra knowledge which may take away an edge of your competitiveness (there are in fact fair-playing competitors who might give it back to you without keeping a copy), months and years can go by before this really arrives on your balance sheet, and you have time to respond and react to it.
But now, realize why IT is used today in almost all businesses, industries, and organizations of any size. And realize that the availability of the IT systems and data is of utmost importance. Let's say your major ERP system goes down for a day or two. What kind of outcry from the business, board room attention, and extra money (available to fix the issue immediately) would be guaranteed?
It is because this kind of "breach" is an immediate, measurable, direct loss, which impacts—or in the worst case interrupts—the company's ability to make money. You will be amazed that suddenly there is no more RO(S)I discussion, budget restriction, or similar pain we have all been through. Everyone up to the board level immediately understands that this kind of loss needs action, because it strikes at a direct foundation of the company's stability and even its existence.
Once you have realized this, the next most important security parameter is integrity.
Yes, the systems and data must not only be available, they must in fact store and produce reliable, accurate data which allows for good business decision making, correct financial reporting and proper forecasts.
A single integrity fault is not as bad; under typical circumstances it will be recognized quickly, and there are procedures in place to verify integrity and "guarantee" it. However, going back to the model described above, you realize that any impact on your data and system integrity will have an impact within the near term: at the latest during your next SOX (Sarbanes-Oxley Act) audit (or SEC trial for that matter, as SOX is a law with teeth), but possibly as early as your next sales proposal getting rejected because of wrong price information or bad contact data (e.g. a fax number—the delivery report will in many cases show "OK" regardless of whether the fax number used was "123" (correct) or "124" (wrong)). Several integrity faults (following the Gaussian error propagation rule) will create an even bigger and more immediate business problem, so the integrity parameter becomes number 2 on the immediate business impact scale.