Information security is fundamentally about securing valuable information.
By valuable information we simply mean important information: information that you neither want to lose nor want your competitors or the public to access. In most cases this includes drawings, personal data, strategies, and plans that are either owned by your organization or entrusted to you by a supplier or subcontractor.
When discussing information security, it is common to refer to a well-known guiding principle, the so-called CIA triad. The triad consists of three components that together form a foundation and starting point for how information can be protected.
CIA stands for Confidentiality, Integrity, and Availability.
Confidentiality means ensuring that information is protected from being disclosed or shared with unauthorized individuals. This involves safeguarding information assets from external threats, such as cyberattacks, as well as protecting them internally by preventing employees from accessing information they are not authorized to see.
Examples of protection: firewalls, encryption, policies, employee training, two-factor authentication, biometric identification (fingerprints), access control, penetration testing, vulnerability scanning.
Integrity, or correctness, refers to ensuring that information is accurate and reliable. The attack on the cybersecurity company SolarWinds is an example of file integrity being compromised: hackers attacked and infected the update files of SolarWinds’ Orion software, and the infected files were later distributed to 80,000 organizations worldwide, including U.S. security agencies. Protection in this context overlaps with confidentiality, but within the CIA triad integrity focuses on protecting information from unauthorized modification or manipulation.
Examples of protection: version control, file permissions, backups.
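The following is an added example, not code from the original article or from SolarWinds, showing the kind of integrity check that the update-file scenario above calls for: a release manifest records a SHA-256 digest of every file, the manifest itself is authenticated with an HMAC so that an attacker who can alter files in the update directory cannot simply rewrite the expected hashes, and the consumer refuses any release whose files or manifest do not match. The key, file names and file contents are constructed for the demonstration; real release pipelines use asymmetric signatures over the manifest rather than a shared key, so the verifying client holds no secret.

```python
"""Integrity check of update artifacts against an authenticated manifest.

Added example (not from the original article or SolarWinds). Standard
library only: SHA-256 for per-file digests, HMAC-SHA256 over the digest
list so the manifest cannot be silently rewritten by whoever tampers with
the files. Key, file names and contents below are constructed demo data.
"""
import hashlib
import hmac
import json

# Constructed demo key. In a real pipeline the manifest is signed with a
# private key held only by the release process; a shared HMAC key is a
# simplification so the example runs without extra libraries.
MANIFEST_KEY = b"demo-manifest-key-do-not-use"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of a file's bytes."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict[str, bytes], key: bytes) -> dict:
    """Producer side: record the digest of every release file and MAC the record."""
    digests = {name: sha256_hex(content) for name, content in sorted(files.items())}
    body = json.dumps(digests, sort_keys=True).encode()
    return {"files": digests, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_update(files: dict[str, bytes], manifest: dict, key: bytes) -> list[str]:
    """Consumer side: return a list of problems; an empty list means the update is intact.

    Checks, in order: the manifest itself is authentic, every listed file is
    present with the expected digest, and no unlisted file was slipped in.
    """
    problems: list[str] = []
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected_mac = hmac.new(key, body, hashlib.sha256).hexdigest()
    # Constant-time comparison: avoids leaking how many leading bytes matched.
    if not hmac.compare_digest(expected_mac, manifest["mac"]):
        return ["manifest MAC mismatch: manifest itself was altered or key is wrong"]
    for name, expected in manifest["files"].items():
        if name not in files:
            problems.append(f"missing file: {name}")
        elif not hmac.compare_digest(sha256_hex(files[name]), expected):
            problems.append(f"digest mismatch: {name}")
    for name in files:
        if name not in manifest["files"]:
            problems.append(f"unexpected file not in manifest: {name}")
    return problems


# Constructed sample release: what the vendor's build produced.
GOOD_RELEASE = {"agent.dll": b"legitimate build v1.0", "update.xml": b"<update/>"}
MANIFEST = build_manifest(GOOD_RELEASE, MANIFEST_KEY)

# Constructed tampered copy: one file modified after the manifest was produced,
# the situation a build-pipeline compromise creates.
TAMPERED_RELEASE = dict(GOOD_RELEASE, **{"agent.dll": b"legitimate build v1.0 + extra code"})

if __name__ == "__main__":
    print(verify_update(GOOD_RELEASE, MANIFEST, MANIFEST_KEY))      # []
    print(verify_update(TAMPERED_RELEASE, MANIFEST, MANIFEST_KEY))  # ['digest mismatch: agent.dll']
```

The point of authenticating the manifest is that a bare list of hashes stored next to the files protects only against accidental corruption; an attacker with write access to the distribution point can replace both. Separating the key (or signing key) from the place the files live is what turns the hash list into an integrity control.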
Availability is the final component of the CIA triad and focuses on ensuring access to information when it is needed. This involves examining all aspects of availability, from the ability to reach information through software and servers to file transfer speed. A fundamental principle is to provide access so that authorized users do not resort to alternative (and potentially less secure) methods to retrieve the information. Establishing business processes that ensure high availability is critical for sustained, secure productivity within organizations.
Examples of protection: systems, processes for recovery from backups, disaster recovery, redundancy, servers.
Before implementing protective measures, we recommend first conducting an information classification. This involves assessing your information based on the CIA model and estimating the potential consequences if the information is exposed, manipulated, or becomes unavailable. If you want to learn more about how to work with information classification, you can either read more on ENISA’s page on information security guidelines or contact us.