When most people hear ‘CIA’ they think of the same thing; however, this article has nothing to do with the US Central Intelligence Agency. Instead, it looks at confidentiality, integrity and availability – the guiding principles when talking about organisational information security. Specifically, in this case, we are looking at the ‘I’ and the ‘A’. Many organisations place a high degree of importance (and spend) on the ‘C’ part of the model and do not apply the same stringent approach (or spend) to the other constituent parts. To be sure, confidentiality, or the protection of information assets, requires understanding, planning and budget, but a lack of attention to integrity and availability can reduce the effectiveness of any strategy and end up costing companies money and damaging reputations.

First, let us establish what we mean by this model. Confidentiality is not a complex concept: we are talking about protecting information assets in an appropriate and proportionate manner. This means a combination of hardware, software, education and training, and policy and procedure. It also means that a company’s software and systems must be regularly updated and carefully managed in order to get the full benefit of the protection they offer. Using an operating system that is no longer supported, for instance, means it will not receive security patches and so represents a risk. Confidentiality, then, represents what many of us think about when we consider the topic of information security: firewalls, anti-malware, security awareness training, clear policies on managing devices, and so on.

Apr-Jun 2016 Issue

Advent IM Ltd