Using the CIA For Better Data Security
How to Utilize the FISMA CIA Framework to Greatly Improve your Data Security Posture.
When it comes to data security, the CIA triad offers a framework for the practices and policies that keep your cyber-defenses strong in every area. We aren’t talking about the Central Intelligence Agency. CIA, in this case, refers to the confidentiality, integrity, and availability of information, the same three security objectives FISMA (through FIPS 199) uses to categorize information systems.
Cyber-Defenses are Only as Good as Your Weakest Link
The reason the CIA approach is so strong is that it gives equal weight to all three parts of the triad, touching every area of security practice. If you put too much focus on one area and ignore another, your cyber-defenses weaken as a whole.
Much like a chain will snap if there is one weak link, your security can be easily breached if you neglect one ‘link’ of your cyber-defenses.
1. Looking at the CIA approach, confidentiality comes first.
This means ensuring that only authorized people have access to, and knowledge of, your company’s information. Information security revolves around sharing only what has to be shared. All data should be classified and categorized so that it is clear who can and should access it. In practice, this looks like encrypting data so that only holders of the key can read it, and access controls such as file permissions and password-protected accounts.
2. Next is integrity, or keeping information whole and unaltered.
Only authorized individuals should be able to modify data, and these may be a subset of those who are allowed to access it.
Integrity also matters while data is in transit, and it should be checked at both the source and the destination: a checksum or, better, a keyed tag or signature computed at the source lets the destination detect any alteration. If integrity is compromised, your company needs to know exactly what changed and have a way to restore the information from a known-good copy.
3. Finally, availability means keeping data accessible to those who need it.
This differs from confidentiality: availability is about keeping data somewhere it can be reached (online or on site) when it is needed, whereas confidentiality is about who may reach it.
Data backups, disaster recovery practices, and protection against attacks that disrupt access (such as denial of service or ransomware) all fall under the umbrella of availability.
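The integrity point above, worked through in code. This is an added example, not code from the original article: the source computes a keyed tag (HMAC-SHA256) over a constructed set of records, the destination recomputes it, and on a mismatch it reports exactly which lines changed and falls back to the known-good copy. The record data, the shared key, and the function names are all assumptions made for the example; in practice the key would come from a key store, not from source code.

```python
from __future__ import annotations

import difflib
import hashlib
import hmac

# Constructed sample data: the "known-good" records as they exist at the source.
SOURCE_RECORDS = "\n".join([
    "id,account,limit",
    "1001,alice,5000",
    "1002,bob,2500",
    "1003,carol,7500",
]) + "\n"

# Hypothetical shared secret for the example only; load it from a key store in real use.
INTEGRITY_KEY = b"example-shared-secret-key"


def seal(data: str, key: bytes = INTEGRITY_KEY) -> str:
    """Compute a keyed tag (HMAC-SHA256) over the data before transfer.

    Unlike a bare hash, a keyed tag cannot be recomputed by someone who
    alters the data but does not hold the key.
    """
    return hmac.new(key, data.encode("utf-8"), hashlib.sha256).hexdigest()


def verify(data: str, tag: str, key: bytes = INTEGRITY_KEY) -> bool:
    """Recompute the tag at the destination and compare it in constant time."""
    return hmac.compare_digest(seal(data, key), tag)


def diff_against_source(received: str, known_good: str) -> list[str]:
    """Return only the added/removed lines, so the owner knows what was altered."""
    return [
        line
        for line in difflib.unified_diff(
            known_good.splitlines(), received.splitlines(),
            fromfile="source", tofile="received", lineterm="", n=0,
        )
        if line.startswith(("+", "-")) and not line.startswith(("+++", "---"))
    ]


def receive(received: str, tag: str, known_good: str) -> tuple[bool, list[str], str]:
    """Destination-side handling: accept intact data, or flag and restore on mismatch.

    Returns (was_intact, changed_lines, data_to_use).
    """
    if verify(received, tag):
        return True, [], received
    changed = diff_against_source(received, known_good)
    # Do not trust the altered data; restore from the known-good copy instead.
    return False, changed, known_good


if __name__ == "__main__":
    tag = seal(SOURCE_RECORDS)
    # Simulated tampering in transit: bob's limit is raised by two orders of magnitude.
    tampered = SOURCE_RECORDS.replace("1002,bob,2500", "1002,bob,250000")
    intact, changed, data = receive(tampered, tag, SOURCE_RECORDS)
    print("intact:", intact)
    for line in changed:
        print(line)
```

The tag travels alongside the data; a tampered copy fails verification, the diff names the altered record, and the destination continues with the restored known-good copy rather than the altered one.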
The Importance of Defense in Depth
Confidentiality, integrity, and availability are guiding principles for every part of your data security practices. Defense in depth means taking these principles and applying them to create a multilayered, customized approach to your security, using several methods and measures to ensure that data is protected on every level.
If you took a blanket approach to data security, you would give every piece of information the same treatment, applying the strictest controls to the most mundane data as well as to the information that actually requires them. This is clearly not the best way to do things; it consumes resources and creates unnecessary work.
With defense in depth, you not only tailor your security practices to the requirements of each piece of data, you also set up multiple lines of defense. While it would be nice to think we can fully protect ourselves from a data breach, there is always some risk. The multilayered approach offers additional protection: if one line of defense fails, others are still in place.
Network security is one part of this approach, with policies and controls in place within both hardware and software technology. The key is to restrict and manage access to the network and identify and stop any threats from getting on the network and wreaking havoc.
Cloud security is also important. For companies using cloud computing or cloud services, data breaches are a major concern. It’s vital to know how and where your data is stored and to ensure it is properly isolated from other tenants, which is part of confidentiality.
Similarly, there has to be a way to reach data in the cloud during outages or similar events, and to recover it if it is lost, which is the availability side.
Application security keeps data protected as it moves between the user and the application itself. Applications process, transmit, and store data, and the CIA framework must be applied at each of those stages.
Security testing, regular updates and upgrades, and ensuring that untrusted executables cannot be run are just a few of the many ways to add security at this level.
If people are accessing your company’s network through remote devices, endpoint security is another area of concern. Everywhere a remote device connects to your network, there’s a potential door to compromising confidentiality, integrity, and availability.
Physical security on site matters for the same reason: only authorized people should be able to get into the places and spaces where resources are housed.
User/social awareness and training play into all of these areas and the overall security of your company, too. Even the best policies won’t work to protect data and information if users are not on board with strong data security practices.
Using the FISMA CIA framework, a defense-in-depth approach, and buy-in from users, your company can keep its cyber-defenses strong.