Skip to content

Page012

Large and small organizations need to keep data confidential. One U.S. law, the Health Insurance Portability and Accountability Act (HIPAA), requires that medical providers keep the personal and medical information of their patients private. Can you imagine the potential damage to a medical business if patients’ medical and personal data were somehow released to the public? That would not only lead to a loss of confidence but could expose the medical provider to possible legal action by the patients or government regulators.

Integrity

Integrity seeks to prevent unauthorized modification of information. In other words, integrity seeks to prevent unauthorized write access to data.

There are two types of integrity: data integrity and system integrity. Data integrity seeks to protect information against unauthorized modification; system integrity seeks to protect a system, such as a Windows 2022 server operating system, from unauthorized modification. If an unethical student compromises a college grade database to raise his failing grades, he has violated the data integrity. If he installs malicious software on the system to allow future “back door” access, he has violated the system integrity.

Availability

Availability ensures that information is available when needed. Systems need to be usable (available) for normal business use. An example of attack on availability would be a Denial of Service (DoS) attack, which seeks to deny service (or availability) of a system.

Tension Between the Concepts

Confidentiality, integrity, and availability are sometimes in opposition: locking your data in a safe and throwing away the key may help confidentiality and integrity, but harms availability. That is the wrong answer: our mission as information security professionals is to balance the needs of confidentiality, integrity, and availability, and make tradeoffs as needed. One sure sign of an information security rookie is throwing every confidentiality and integrity control at a problem, while not addressing availability. Properly balancing these concepts, as shown in Fig. 2.3, is not easy, but worthwhile endeavors rarely are.

Fig. 2.3 Balancing the CIA triad.

Disclosure, Alteration, and Destruction

The CIA triad may also be described by its opposite: Disclosure, Alteration, and Destruction (DAD). Disclosure is unauthorized release of information; alteration is the unauthorized modification of data; and destruction is making systems or data unavailable. While the order of the individual components of the CIA acronym sometimes changes, the DAD acronym is shown in that order.