The CIA triad – Confidentiality, Integrity, Availability – is often referred to in cyber-security as a model or guide for creating and implementing your organisational policies. Addressing all three aspects should be your goal when engaging in a Data Protection programme. Seeing as today is International Data Privacy Day, I thought it would be a great idea to go through this model with some practical examples for your business. Given how closely related the three are, you will see overlap across all of them in any good programme.
Confidentiality, in essence, relates to the privacy of information. It is the process of keeping information that should be private and confidential, private and confidential. There are a number of technological methods that you can put in place to ensure that confidentiality remains intact.
Encryption is security 101 when it comes to your information. Computers on your network, particularly notebook/laptop computers, should be encrypted. This way, anyone getting their hands on the computer in question cannot access the data, and the information remains confidential. I wrote a small piece on securing a computer some time ago, and the methods stand true today!
Coupled with encryption is the use of a strong password. Passwords shorter than 8 characters, or that don’t combine letters, numbers and special characters, should simply be outlawed! Consider using passphrases of 4 words or more, and don’t use the same passwords on multiple services!
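As an added illustration (not code from the original post), here is a small policy checker that enforces exactly the rules above: a password is accepted if it is a passphrase of 4 or more words, or if it is at least 8 characters and mixes letters, numbers and special characters. It also shows a simple reuse check against fingerprints of passwords already used on other services. The sample candidates are constructed for the demo; the SHA-256 fingerprint is only for comparing candidates here, not a way to store credentials.

```python
import hashlib
import re
from typing import Iterable, Set, Tuple

# Policy thresholds taken from the post: at least 8 characters with letters,
# numbers and special characters, or a passphrase of 4 or more words.
MIN_LENGTH = 8
MIN_PASSPHRASE_WORDS = 4


def meets_complexity(password: str) -> bool:
    """True when the password is at least MIN_LENGTH characters and mixes
    letters, digits and at least one special (non-alphanumeric) character."""
    return (
        len(password) >= MIN_LENGTH
        and re.search(r"[A-Za-z]", password) is not None
        and re.search(r"[0-9]", password) is not None
        and re.search(r"[^A-Za-z0-9]", password) is not None
    )


def is_passphrase(password: str) -> bool:
    """True when the password is MIN_PASSPHRASE_WORDS or more words separated
    by whitespace or hyphens, each word at least two characters long."""
    words = [w for w in re.split(r"[\s\-]+", password.strip()) if w]
    return len(words) >= MIN_PASSPHRASE_WORDS and all(len(w) >= 2 for w in words)


def check_password(password: str) -> Tuple[bool, str]:
    """Apply the policy: accept a long passphrase or a complex password."""
    if is_passphrase(password):
        return True, "accepted: passphrase"
    if meets_complexity(password):
        return True, "accepted: complex password"
    if len(password) < MIN_LENGTH:
        return False, "rejected: shorter than %d characters" % MIN_LENGTH
    return False, "rejected: needs letters, numbers and special characters"


def fingerprint(password: str) -> str:
    """SHA-256 fingerprint used only to compare a candidate against passwords
    already in use elsewhere (demo of reuse detection). A real system stores
    credentials with a salted, slow password hash, never plain SHA-256."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def fingerprints_of(passwords: Iterable[str]) -> Set[str]:
    """Fingerprints of the passwords a user already uses on other services."""
    return {fingerprint(p) for p in passwords}


def is_reused(password: str, known_fingerprints: Set[str]) -> bool:
    """True when the candidate matches a password already used elsewhere."""
    return fingerprint(password) in known_fingerprints


if __name__ == "__main__":
    # Constructed sample candidates, not real credentials.
    for candidate in ["passw0rd", "Tr0ub4dor&3", "correct horse battery staple", "short1!"]:
        print(candidate, "->", check_password(candidate)[1])
    elsewhere = fingerprints_of(["correct horse battery staple"])
    print("reused elsewhere:", is_reused("correct horse battery staple", elsewhere))
```

Note that "passw0rd" is rejected even though it is 8 characters long, because it lacks a special character, while a four-word passphrase passes without any digits or symbols.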
Lastly (for the purposes of this article), access control and file permissions in an organisation are critical. Access to information should be limited to only those individuals that need access to it, and this should be part of your Privacy by Design methodology.
Integrity refers to the information in your systems being unchanged by outside parties or influence. The information sent from one side must match the information that lands on the other side. Access control is again a key component. This ensures that there is minimal exposure to information – thereby reducing the risk of it being modified by a party that shouldn’t be viewing it.
From an e-mail point of view, one of the methods you can implement to aid in integrity is DMARC. This system (itself made up of three components) adds checks to your outgoing emails so that receivers can validate that they originated from your organisation and that the sender was indeed someone within your organisation.
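To show how a receiver actually uses a DMARC record, here is an added example (not from the original post) that parses a published record and decides the disposition of a message from the results of the two underlying authentication checks, SPF and DKIM. It takes the domain for which SPF passed and the signing domain of a DKIM signature that verified, tests whether either aligns with the visible From: domain, and returns either "pass" or the published policy. The organisational-domain logic is simplified to the last two labels, which is an assumption of this example (real receivers use the Public Suffix List); the sample record and domains are constructed.

```python
from typing import Dict, Optional


def parse_tag_value(record: str) -> Dict[str, str]:
    """Parse a DNS TXT record such as 'v=DMARC1; p=reject; adkim=s' into a
    dict of lower-cased tag names to values."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Organisational domain, simplified to the last two labels (assumption
    of this example; real receivers consult the Public Suffix List)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, authenticated_domain: Optional[str], mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match with the From:
    domain, relaxed ('r') accepts the same organisational domain."""
    if not authenticated_domain:
        return False
    if mode == "s":
        return from_domain.lower() == authenticated_domain.lower()
    return org_domain(from_domain) == org_domain(authenticated_domain)


def dmarc_disposition(record: str, from_domain: str,
                      spf_pass_domain: Optional[str],
                      dkim_pass_domain: Optional[str]) -> str:
    """Decide what a receiver would do with a message.

    spf_pass_domain:  domain for which SPF passed, or None if SPF did not pass.
    dkim_pass_domain: d= domain of a DKIM signature that verified, or None.
    Returns 'pass' when at least one authenticated identifier aligns with the
    From: domain, otherwise the published policy (none / quarantine / reject).
    """
    tags = parse_tag_value(record)
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return "none (no valid record)"
    spf_ok = aligned(from_domain, spf_pass_domain, tags.get("aspf", "r"))
    dkim_ok = aligned(from_domain, dkim_pass_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return tags["p"]


if __name__ == "__main__":
    # Constructed record: reject policy, strict DKIM alignment, relaxed SPF.
    record = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com"
    print(dmarc_disposition(record, "example.com", "mail.example.com", None))   # pass (relaxed SPF)
    print(dmarc_disposition(record, "example.com", None, "mail.example.com"))   # reject (strict DKIM)
    print(dmarc_disposition(record, "example.com", None, None))                 # reject
```

The same message can pass or be rejected depending only on the alignment modes you publish, which is why the record should be tested against your real sending infrastructure before moving from p=none to p=reject.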
Very importantly, backups are key to both integrity and availability. If something should change and the integrity of a file or system is compromised, you need to have something from which you can restore the compromised information.
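As an added example (not part of the original post), the following script ties the two ideas together: it records a SHA-256 manifest of a backup, later checks the live files against that manifest to find what was modified or deleted, and restores exactly those files from the backup. The files and the tampering are constructed inside a temporary directory so the whole scenario runs offline.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each file's path relative to root to its SHA-256 hash."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify(root: Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the live tree against a trusted manifest."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "added": sorted(k for k in current if k not in manifest),
    }


def restore(backup: Path, live: Path, names: Iterable[str]) -> None:
    """Copy the named files from the backup back over the live tree."""
    for name in names:
        destination = live / name
        destination.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(backup / name, destination)


def demo() -> Dict[str, Dict[str, List[str]]]:
    """Constructed scenario: back up, tamper with the live copy, detect, restore."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        backup = Path(tmp) / "backup"
        live.mkdir()
        (live / "policy.txt").write_text("Access limited to those who need it.\n")
        (live / "records.csv").write_text("id,name\n1,Alice\n")
        shutil.copytree(live, backup)
        manifest = build_manifest(backup)   # trusted hashes taken at backup time

        # Simulated integrity failure: one file altered, one deleted.
        (live / "records.csv").write_text("id,name\n1,Mallory\n")
        (live / "policy.txt").unlink()

        before = verify(live, manifest)
        restore(backup, live, before["modified"] + before["missing"])
        after = verify(live, manifest)
        return {"before": before, "after": after}


if __name__ == "__main__":
    result = demo()
    print("detected:", result["before"])
    print("after restore:", result["after"])
```

The manifest is only as trustworthy as where it is kept: store it (or sign it) separately from the data it describes, otherwise whoever can change the files can also change the hashes.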
Availability ensures that all systems and data that should be available, stay available. There are a number of pre-emptive measures you can put in place to ensure availability.
Intrusion Prevention / Detection Systems are tools that can detect attacks such as Denial-of-Service, hacking, and other anomalies in your network. This allows for a proactive response from your IT teams to (hopefully) prevent a disaster. A great combination to add to your IDS / IPS is that of regular vulnerability assessment and annual (at least) penetration testing.
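To make the detection side concrete, here is an added example (not from the original post) of the kind of rule an IDS applies: it parses firewall-style connection log lines and raises an alert when one source opens an unusual number of connections in a short window (a simple flood signature) or touches many different ports (a scan signature). The log format, thresholds and the sample lines are all constructed for the example, using documentation IP ranges.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

# Constructed log format assumed for this example:
#   <ISO timestamp> <ACCEPT|DROP> src=<ip> dst=<ip> dport=<port>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)


def _stamp(dt: datetime) -> str:
    return dt.strftime("%Y-%m-%dT%H:%M:%S")


def make_sample_log() -> List[str]:
    """Constructed log: a benign client, one source flooding port 80 and one
    source touching many different ports."""
    t0 = datetime(2021, 1, 28, 10, 0, 0)
    lines = []
    for i in range(3):   # benign: three connections spread over 20 minutes
        lines.append("%s ACCEPT src=192.0.2.5 dst=192.0.2.10 dport=443"
                     % _stamp(t0 + timedelta(minutes=10 * i)))
    for i in range(60):  # flood: 60 connections within six seconds
        lines.append("%s DROP src=203.0.113.7 dst=192.0.2.10 dport=80"
                     % _stamp(t0 + timedelta(seconds=i // 10)))
    for i in range(8):   # scan: eight different ports in eight seconds
        lines.append("%s DROP src=198.51.100.9 dst=192.0.2.10 dport=%d"
                     % (_stamp(t0 + timedelta(seconds=i)), 21 + i))
    return lines


def parse(lines: Iterable[str]) -> List[Dict]:
    """Turn matching log lines into events; lines in another format are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m.group("ts")),
            "src": m.group("src"),
            "dport": int(m.group("dport")),
        })
    return events


def detect(events: List[Dict], window_s: int = 10,
           conn_threshold: int = 50, port_threshold: int = 5) -> List[Dict]:
    """Per source: peak connections in any window_s-second window (flood)
    and number of distinct destination ports (scan)."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        peak, left = 0, 0
        for right in range(len(evs)):   # sliding window over sorted timestamps
            while (evs[right]["ts"] - evs[left]["ts"]).total_seconds() > window_s:
                left += 1
            peak = max(peak, right - left + 1)
        if peak >= conn_threshold:
            alerts.append({"src": src, "kind": "flood", "value": peak})
        ports = {e["dport"] for e in evs}
        if len(ports) >= port_threshold:
            alerts.append({"src": src, "kind": "port-scan", "value": len(ports)})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(make_sample_log())):
        print(alert)
```

Thresholds like these are where the "(hopefully)" in the paragraph lives: set them too low and the benign client becomes an alert, too high and a slow scan goes unnoticed, which is why tuning against your own baseline traffic matters as much as the rule itself.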
Coupled with this is an Incident Response Policy: how do you respond effectively to an issue? It should cover aspects such as identification of an issue, containment, investigation, response, notification and remediation.
Even further down the chain, suppose there has been a disaster: you then need a disaster recovery plan in order to get back to an available state as soon as possible. These plans are often neglected, and need to be carefully planned and tested in order for them to be effective in any way.
These are just a few of the methods and recommendations that you can put in place to address the CIA triad. In order to comply with international data privacy law and best practices of data protection, many more components need to be in place. To find out more about these components, please reach out to me for a quick Zoom call. I’d be happy to give you a short consultation to assist!
Ross G Saunders Consulting is a niche data protection consultancy, working with a number of professional partners in order to help you as a business comply with data protection regulation. They help with business process, compliance, documentation and more, and can offer a full range of services to take the hassle out of data protection. Why not reach out to find out how they can help you gain a competitive advantage while simultaneously garnering support from your existing and potential customers.