The CIA Framework

Confidentiality, integrity and availability, the components of the CIA framework, form a structure and model used to guide policies for organizational information security. Confidentiality denotes the guidelines or rules limiting access to information. Integrity provides assurance that the information available is accurate and trustworthy. Lastly, availability is the guarantee that authorized parties can reliably access organizational information.

Confidentiality

The process through which an organization strives to keep its data private, or out of the public eye, is known as confidentiality. In practice, it entails placing access controls on data in order to prevent illicit disclosure of the information. In most cases, this means taking precautions to ensure that only those who have been granted the appropriate authority may access certain resources, and that unauthorized individuals are actively prevented from accessing them. For example, the database containing employee payroll information should only be available to authorized Payroll staff members. In addition, within the set of authorized users, there may be further, more stringent constraints on which particular information each user is granted access to.

In September of 2016, Yahoo disclosed the first information about a large data breach. The company disclosed that, late in 2014, hackers had gained unauthorized access to the personal information of 500 million individuals (Trautman & Ormerod, 2016). A total of eight million accounts in the United Kingdom were auctioned off and distributed to various third parties. Yahoo was aware of the breach, but at the time the company was unaware of the full extent of the leak’s implications. While looking into a different data breach in July 2016, the company made the startling discovery that the user account information of more than 200 million of its customers was being offered for sale on a website that served as a darknet market.

Integrity

In general, the integrity of something is its capacity to fulfill or satisfy all of its requirements. “Integrity” in the context of information security refers to the process of validating that data has not been changed and is hence trustworthy. Integrity denotes that the information provided is truthful, trustworthy, and accurate. For example, when placing an order, online shoppers want product and pricing information to be correct, and all other information, such as quantity, price, and availability, to be consistent. Customers of financial and e-commerce services must have confidence that their personal information and account balances will be kept confidential. Integrity assurance protects data whether it is in use, in transit, or at rest, whether on a personal computer or a portable device such as a tablet, in data centers, or on electronic or cloud platforms.
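The two controls described above, an access check for the payroll database (confidentiality, with a coarse role rule and a finer per-department rule) and a keyed tag that detects altered records (integrity), as an added Python example that is not part of the original essay; the key, roles, departments and salary figures are constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed demo key; a real deployment would keep this in a secrets store.
INTEGRITY_KEY = b"constructed-demo-key"


@dataclass
class PayrollRecord:
    employee_id: str
    department: str
    salary: int
    tag: bytes  # HMAC-SHA256 over the fields, computed when the record is written


@dataclass
class User:
    name: str
    role: str
    department: str


def _canonical(employee_id: str, department: str, salary: int) -> bytes:
    # Fixed field order and separator so the same content always yields the same tag.
    return f"{employee_id}|{department}|{salary}".encode()


def store_record(employee_id: str, department: str, salary: int) -> PayrollRecord:
    # Integrity: bind a keyed tag to the record contents at write time.
    tag = hmac.new(INTEGRITY_KEY, _canonical(employee_id, department, salary), hashlib.sha256).digest()
    return PayrollRecord(employee_id, department, salary, tag)


def verify_integrity(rec: PayrollRecord) -> bool:
    # Recompute the tag from the stored fields; any edit to them breaks the match.
    expected = hmac.new(INTEGRITY_KEY, _canonical(rec.employee_id, rec.department, rec.salary), hashlib.sha256).digest()
    return hmac.compare_digest(expected, rec.tag)


def read_salary(user: User, rec: PayrollRecord) -> int:
    # Confidentiality, coarse rule: only Payroll staff may open the payroll store at all.
    if user.role != "payroll":
        raise PermissionError(f"{user.name}: role {user.role!r} may not read payroll data")
    # Confidentiality, finer rule within the authorized set: Payroll staff see only their own department.
    if user.department != rec.department:
        raise PermissionError(f"{user.name}: not authorized for department {rec.department!r}")
    # Integrity: refuse to serve data whose tag no longer matches its contents.
    if not verify_integrity(rec):
        raise ValueError(f"integrity check failed for employee {rec.employee_id}")
    return rec.salary
```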

Enron used accounting mistakes to disguise bad debt and inflate earnings in 2001. As Enron’s value collapsed, investors lost billions in investments (Eckhaus & Sheaffer, 2018). Enron executives misused their power and privilege, fabricated documents, treated internal and external constituents unjustly, placed their personal interests ahead of employees and the public, and failed to exercise effective supervision or take responsibility for unethical conduct. Enron’s internal and external connections were inconsistent. Ordinary employees were compelled to buy Enron stock and then barred from selling it when the price fell.

Availability

If an organization’s systems, programs, and data are not accessible when authorized users need them, then both the business and its clients will get little benefit from them. Availability simply means that networks, systems, and applications are operational and active. It guarantees that authorized users will have prompt and dependable access to these resources whenever they are needed. Availability may be compromised by a variety of things, including human error, faulty hardware or software, power outages, and natural disasters. One of the most frequent types of attack that jeopardizes a system’s availability is the denial-of-service attack. In such an attack, a system, website, web application, or web service is deliberately and maliciously degraded, or made entirely unreachable.

Wells Fargo was the victim of several serious distributed denial-of-service attacks in 2012. Wells Fargo customers reported being unable to access the bank’s website, mobile apps, and other critical channels for accessing personal and financial information (Alsadhan et al., 2022). The denial-of-service attacks caused server failures, resulting in financial losses and a great deal of stress for the organization’s professionals working to restore the offline resources.

References

Alsadhan, A., Hussain, A., Liatsis, P., Alani, M., Tawfik, H., Kendrick, P., & Francis, H. (2022). Locally weighted classifiers for detection of neighbor discovery protocol distributed denial-of-service and replayed attacks. Transactions on Emerging Telecommunications Technologies, 33(3), e3700.

Eckhaus, E., & Sheaffer, Z. (2018). Managerial hubris detection: the case of Enron. Risk Management, 20(4), 304-325.

Trautman, L. J., & Ormerod, P. C. (2016). Corporate directors’ and officers’ cybersecurity standard of care: The Yahoo data breach. American University Law Review, 66, 1231.