Understanding CIA


All computer security starts from CIA. This is not the Central Intelligence Agency; it stands for confidentiality, integrity, and availability.

Confidentiality is about ensuring that the only people allowed access to certain information systems (IS) are those who have the authority and a need to access the data (need to know). Many measures help with this part of CIA, for example: background checks, information classification, safe storage of data, encryption of data, and training end users to verify that someone has both the need to know and the authorization.

The integrity part of CIA is about making sure the data is uncorrupted. For example, think of a time you downloaded something from the Internet. Most likely, somewhere around the download link there was a string of text labeled hash, MD5Sum or equivalent. This allows end users to test and verify the integrity of whatever data was transferred.

The last part of CIA, availability, deals with ensuring the data is available in usable forms. Going back to the Internet download example, think of the annoyance when a download link does not work. In the context of CIA, though, this does not mean that anyone can access the data. Combined with the other parts, availability means the only concern is making data available to people who have passed the confidentiality part.

With storage security you will find this important. You want to verify that none of the data you are storing has been tampered with, so you create hashes. You set up scheduled times to compare the originally generated hashes with newly generated ones from the data. If these do not match, then the data has been changed by someone. This covers the integrity part. Next you would want to set up permissions on the data. This allows control over who can see the data and what they can do with the data they see. This takes care of the confidentiality portion, since unless you give a particular person access to the data they will not know it is there. Lastly, you will want to make sure the permissions work. Create test users and place them in groups with different permissions. This verifies everything is working correctly before you give real users access. Before placing users into groups, check with others about their requirements to ensure the data they need is available to them. This takes care of the availability part of CIA.
