1. Source: http://www.brighthub.com/computing/smb-security/articles/29153.aspx
Information Security Concepts: Confidentiality, Integrity, Availability & Authenticity
Article by Lee Clemmer; Edited & published by Brett on May 5, 2010; (Edited version for class)
In information security theory we encounter the acronym CIA which stands for Confidentiality,
Integrity, and Availability. We will examine each of these concepts, and discover how we may use
them. Also identified and added is a 4th concept Authenticity.
Introduction
In information security theory we encounter the acronym CIA--which does not stand for a governmental
agency--but instead for Confidentiality, Integrity, and Availability. So why are these concepts important?"
Well, without any one, or in fact all of them, business operations, transactions, and communications can
become unreliable, untrustworthy, and uncertain.
Confidentiality
This means, at the core of the concept, that the data is hidden from those that are not supposed to see
it. We can accomplish Confidentiality in a number of ways. These methods are complementary. First,
require strong authentication for any access to data. Second, use strict access controls. In
communications only the sender and intended recipient should be able to access the data. In file
systems and data repositories, only the creator and intended users can access the data. Third, ensure
encryption of the data so that it cannot be intercepted, and cannot be accessed during transmission or
transport. Encryption is frequently what students of confidentiality think of first. While encrypting data is
surely a way of keeping it confidential, it's not the only way.
Integrity
Integrity as a concept means that there is resistance to alteration or substitution of data, and/or that such
changes are detected and provable. The information should not be changed except by an authorized
agent. This usually involves the use of checksums, one-way hashes, or other algorithmic validation of
the data. Whether the data might be changed by accident or malice, preventing that change is the
foremost concern, and detecting if it has changed is second. Integrity can be maintained at many levels,
from the hardware all the way to the application logic.
Availability
For our data to be of use to us, it has to be accessible when and where we need it. Therefore part of the
puzzle is how to keep our data available. Attacks or accidents can bring down systems. Data can be
overwritten, deleted, or destroyed. Denial of Service attacks can make otherwise fast-access systems
run like cold molasses. High Availability solutions, including load balancing, fail-over, and quick backup
and restoration are all involved. In my opinion these topics are network and systems architecture
concerns, operations concerns, and not truly a primary security component. I think we ought to, when
considering security issues, place Authenticity as a higher priority than Availability! If my data is
available 24/7 but it's not the data I believed it was, then having it available is pointless.
Authenticity
At first glance it might seem that Authenticity is included in the concept of Integrity. Integrity is more
specifically about the content of the data itself. Authenticity means that when I get an order from Bob, it's
verifiably Bob that's placing the order. The order (the data) is of no value if Bob didn't want to place it.
So, Authenticity involves assurance that the data was created or sent by the source it appears to be
from. Not verifying authenticity is tied to current problems with spam, e-mail phishing, web site
redirection, browser hijacking, or other attacks such as man-in-the-middle attacks.
2. Risk Assessment and Risk Mitigation
http://misqe.org/ojs2/index.php/misqe/article/viewFile/31/26
http://www.wikihow.com/Develop-a-Risk-Management-Plan
http://security.isu.edu/ppt/pdfppt/RiskAssessandMitigate.pdf