CIA Triad


Time
44 minutes
Difficulty
Intermediate
Video Transcription
00:00
Hello, everyone. This is instructor Gerry Roberts. This is risk policies and security controls.
00:06
First of all, the Triad, it's
00:08
the CIA triad. It's also known as the AIC Triad. That's to avoid confusion with the actual CIA, which is the Central Intelligence Agency.
00:19
Each letter in the Triad stands for a different security concept.
00:23
C stands for confidentiality, I stands for integrity, and A stands for availability.
00:30
The triad is a commonly used security model,
00:34
and again, each one stands for a different component of information security.
00:41
First, confidentiality.
00:43
Pretty much what that means is, only the people who should have access to data should have access to that data.
00:50
I.e., people who should not be able to view something should not be able to view it.
00:55
This means that data is protected from unauthorized use or access.
01:00
This also means that data in transit and stored data need to be protected.
01:06
So not just things that are stored in the database, but anything that's being transmitted, such as emails, or if you're saving back and forth from the database, that does need to be protected as well.
01:19
Integrity.
01:21
Integrity means information is accurate and reliable. Pretty much it means that if your data is tampered with or anything like that, then it can't be accurate, it can't be correct, and it can cause issues.
01:34
So you should protect against tampering, including deletion and editing.
01:40
Any outside interference with the data can compromise data integrity.
01:45
That also could be data loss, which could be really bad in some cases.
01:51
Availability.
01:53
Availability means reliable and timely access to data.
01:57
Data's just not any good if anybody who needs access to it cannot access it or use it when they need to.
02:02
A good example of that could be customer service, where someone needs to access an account for a client to help them with a billing issue.
02:10
If that person is unable to access said account, they're unable to help that person, which would mean that could be a timely issue, because they're trying to help that person in a timely and efficient manner.
02:23
Data access issues can bring a company to a screeching halt and mean billions in losses, and we have actually seen that before.
02:35
So, some examples of controls that map to the CIA components. When we say controls, we just mean different things that we can use to control access and editing and everything like that. So a couple of controls for confidentiality:
02:51
Encryption helps us with data at rest and in transit.
02:54
Access controls, physical and digital, help us a lot, so that could be ACLs or access control lists, door locks, all that good stuff.
03:04
Integrity.
03:05
Integrity can be protected, too, using digital signing.
03:08
MAC controls could also help with integrity, hashing and CRCs, which check the data to make sure that they're correct from one point to another.
03:19
Availability.
03:21
You can use RAID configurations if you're used to those. Those are the redundant array of independent disks.
03:28
There are different configurations available. Most of them do help with availability. You can also use other technologies like clustering. They do that a lot with servers, as well as load balancing and redundancy. Redundancy actually is one of those things that helps greatly with availability.
03:45
So if something fails and you have redundancy,
03:49
it can fall back to that redundant item, so the access is not actually interrupted.
03:55
Also, backups are really good for availability. If, say, for example, your data center burned to the ground, and you had a backup of the data, you could go back to your site that you're rebuilding
04:10
and put that data back in, and you would have that available again.
04:16
Post-assessment question time.
04:18
An example of a data integrity issue might be:
04:24
Adam shoulder surfs and finds out Mary's account is in collections,
04:28
or
04:30
the accounting department cannot access their share drive,
04:33
or someone decided to delete part of the customer database using a DROP TABLE command,
04:41
or, lastly, Mary looks up Adam's account in retaliation for his shoulder surfing.
04:46
I'll give you a moment to figure out which one of those scenarios fits with data integrity,
04:51
and then we'll come back and have the answer. As always, you may pause.
05:00
Answer: C, someone deleted part of the customer database using a DROP TABLE command.
05:05
Now, this is an issue of data integrity, because that means that the data has been tampered with and is no longer accurate. You're missing pieces of the data.
05:15
That also could technically be considered part of availability, because now that it's been dropped, it's no longer available.