Cybersecurity and Privacy Law Handbook

You're reading from Cybersecurity and Privacy Law Handbook: A beginner's guide to dealing with privacy and security while keeping hackers at bay

Product type Paperback
Published in Dec 2022
Publisher Packt
ISBN-13 9781803242415
Length 230 pages
Edition 1st Edition
Author: Walter Rocchi
Table of Contents (18 chapters)

Preface
Part 1: Start From the Basics
Chapter 1: ISO27001 – Definitions and Security Concepts
Part 2: Into the Wild
Chapter 2: Mandatory Requirements
Chapter 3: Data Protection
Chapter 4: Data Processing
Chapter 5: Security Planning and Risk Management
Part 3: Escape from Chaos
Chapter 6: Define ISO 27001 Mandatory Requirements
Chapter 7: Risk Management, Controls, and Policies
Chapter 8: Preparing Policies and Procedures to Avoid Internal Risk
Chapter 9: Social Engineering, Password Guidance, and Policy
Chapter 10: The Cloud
Chapter 11: What about the US?
Index
Other Books You May Enjoy
Appendix

Confidentiality, integrity, and availability

One of the core concepts behind the ISO 27k family of standards is the CIA triad (which, despite the name, has nothing to do with either the Mafia or the US Central Intelligence Agency).

In information security, the CIA triad is widely accepted as a model. It is not a single doctrine, and it has no single author either. Rather, the model seems to have evolved over time, with roots that go back to the early days of modern computing. Ben Miller, vice president of Dragos, appears to be the only person to have researched the triad's origins; when he went looking for them more than a decade ago, he could not find a single source. The concepts appear to have been pulled together from a variety of places, including a 1976 Air Force report and a paper from the 1980s comparing commercial and military computer systems.

The model is usually drawn as a triangle whose three sides are confidentiality, integrity, and availability, the main pillars of information security.

Figure 1.1 – CIA triad

Whatever the case may be, the CIA triad includes the following three elements:

  • Confidentiality: a company's data must be kept private. In practice, this means data should be readable only by the users and processes that have been explicitly authorized to see it.
  • Integrity: the assurance that data can be trusted. Records must be accurate and authentic, and must be kept in such a way that they cannot be changed or tampered with without the change being detected.
  • Availability: authorized users must be able to reach the data whenever they need it, which matters just as much as keeping unauthorized users out in the first place. Keeping the network of computers, servers, and other devices running reliably is an integral part of availability.

Let’s see an example to better understand these concepts.

You are sending an email to me because you'd like me to clarify some concepts you don't understand (probably because they were badly explained by me – who knows). While preparing the email, you also attach a document containing the part you don't understand. Finally, you send the email.

In this case, confidentiality means that the email reaches me, and me only: nobody who was not party to our exchange gets to read it along the way.

If you send me a message consisting of a greeting such as Dear Mr., some body text, a salutation at the end, and an attachment, I will receive exactly that body and exactly that attachment: this is integrity. A crude check would be to compare the number of kilobytes sent and received and expect the body and attachment to be the same size. That catches truncation, but not an edit that keeps the length the same, so in practice integrity is verified with a cryptographic hash (or a signature over one) rather than a byte count.

Finally, either of us can log in to the email server at any time, 24/7, using an email client and check for new messages: that's availability.

But, of course, this is just one example of how the CIA triad applies.

Access control methods such as two-factor authentication and passwordless sign-in support confidentiality by making sure that only the right users get in. However, it is not just about letting authorized users in; it is also about keeping specific files from being read by anyone else, which is where encryption comes in. Encrypting data at rest and in transit protects it against both accidental disclosure and deliberate theft, provided the keys are kept out of reach of whoever can get hold of the ciphertext.

Access control and encryption help protect integrity too, but there are many other ways to guard data against both attacks and accidental corruption. It can be as simple as making a file read-only. Data can also be audited with hashes or checksums, which reveal whether it has been altered, and a keyed hash or digital signature additionally proves who produced it. Beyond individual files, the integrity of the system itself, its code and configuration, sometimes has to be shielded from outside influence as well.
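The email example and the hashing sentence above are worth seeing in code. The following is an added example, not code from the book: it runs the three integrity checks (byte count, plain SHA-256, and HMAC-SHA256) over a constructed message and a same-length tampered copy, and shows where each one fails. The message text and the shared key are made up for the illustration; the key is assumed to have been exchanged between sender and receiver out of band.

```python
"""Integrity checks for the email example: size, hash, and keyed hash.

Added example, not from the book. The two messages are constructed inline;
the shared key is a hypothetical secret assumed to have been exchanged
between sender and receiver out of band.
"""
import hashlib
import hmac

# Constructed sample: the message as sent, and a tampered copy in which an
# attacker changed the account number. Both are exactly the same byte count.
ORIGINAL = b"Dear Mr. Rocchi,\nPlease pay invoice 1042 to account 12345.\nRegards"
TAMPERED = b"Dear Mr. Rocchi,\nPlease pay invoice 1042 to account 99345.\nRegards"

# Hypothetical shared secret (not real key material).
SHARED_KEY = b"example-shared-secret-exchanged-out-of-band"


def size_check(sent: bytes, received: bytes) -> bool:
    """The byte-count comparison from the email example.
    Catches truncation, but not an edit that keeps the length the same."""
    return len(sent) == len(received)


def hash_check(sent: bytes, received: bytes) -> bool:
    """Compare SHA-256 digests. Detects any change to the content, but only
    if the sender's digest reaches the verifier by a path the attacker
    cannot rewrite; otherwise the attacker simply recomputes it."""
    return hashlib.sha256(sent).digest() == hashlib.sha256(received).digest()


def make_tag(key: bytes, message: bytes) -> str:
    """HMAC-SHA256 tag the sender attaches to the message."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_tag(key: bytes, message: bytes, tag: str) -> bool:
    """Receiver-side check, using a constant-time comparison so the timing
    of the comparison itself does not leak the expected tag."""
    return hmac.compare_digest(make_tag(key, message), tag)


def run_scenarios() -> dict:
    """Run the three checks against the sample messages and return results."""
    tag_from_sender = make_tag(SHARED_KEY, ORIGINAL)
    # An attacker who alters the message but does not know the key can only
    # produce a tag under some other key.
    attacker_key = b"guessed-key"
    return {
        # Same length, so the size check is fooled.
        "size_passes_tampered": size_check(ORIGINAL, TAMPERED),
        # Digest differs, so a hash over the original content spots the edit.
        "hash_passes_tampered": hash_check(ORIGINAL, TAMPERED),
        # If the attacker can also replace an unkeyed digest sent alongside the
        # message, the recomputed digest matches and the check passes anyway.
        "hash_passes_recomputed": hash_check(TAMPERED, TAMPERED),
        # HMAC: the genuine message verifies, the tampered one does not, and a
        # tag forged without the key does not either.
        "hmac_passes_original": verify_tag(SHARED_KEY, ORIGINAL, tag_from_sender),
        "hmac_passes_tampered": verify_tag(SHARED_KEY, TAMPERED, tag_from_sender),
        "hmac_passes_forged": verify_tag(
            SHARED_KEY, TAMPERED, make_tag(attacker_key, TAMPERED)
        ),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The point of the third scenario is the one that trips people up: a checksum travelling with the message protects against accidental corruption, but an attacker who can rewrite the message can rewrite the checksum too. Only a tag that depends on something the attacker does not have (a shared key here, or a private signing key) ties integrity to authenticity.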

Availability refers to the ability of your systems to stay operational, including while under attack. Distributed Denial of Service (DDoS) attacks, for example, work by exhausting a target's resources, such as bandwidth, connection slots, or CPU. Building redundancy and spare capacity into your systems helps you maintain uptime against DDoS. Even without an attack, systems fail, so load balancing and fault tolerance are used to remove single points of failure and keep a service reachable when individual components go down.

Security professionals of every kind need to understand these concepts. For information security professionals, the triad makes it easier to reason about the interrelationships, overlaps, and conflicts between the three goals: encryption that protects confidentiality, for instance, makes data unavailable if the keys are lost. The tension between the triad's three legs is what lets a security team work out its information security priorities and procedures.
