Ubeo Blog

Assessing your company's security with "CIA"

Posted by Ronnie Hay on Oct 3, 2019 9:06:43 AM

Young businessman having a serious discussion with two female co-workers as they stand together discussing a hand written flip chart

 

As a leader auditing your company's plan to deal with security threats, it can be helpful to have a framework. One of the risks when auditing security protocols and systems is that we tend to focus on tactics rather than the impacts of security on the organization as a whole.

"CIA" is a simple framework that can be helpful to keep a high level view of your company's security protocols.

Confidentiality

First and foremost, your system must be confidential. This is obvious. Team members and others who need access to information should have access, and those that should not access that information should be locked out. Organizations don't have unlimited resources. We tend to invest heavily in this area of security as we should, but it shouldn't be the only consideration.

Integrity

We don't often think about data integrity, but compromised data can be as damaging as stolen data. The information residing in your database is what runs your business. Without trustworthy data, your business operations cannot function without major disruption. Corruption of data could come from a hacker, or a virus that makes it onto the network. It could be intentional or unintentional. Data loss falls into this bucket as well. Disasters such as floods, fires, or earthquakes can destroy infrastructure, damage servers and wreak havoc on your operations. Back-up solutions should be an essential part of your security plan because they affect business continuity.

 

fire-backup

 

Availability

The last piece of this framework is availability. Availability often doesn't get much consideration, but it is essential for any good security plan. Availability means that users to be able to access their data at the exact moment they need it all while maintaining the highest level of security possible. Many times, IT will highly favor confidentiality over availability, because they are ultimately responsible for the security of the network. If availability isn't considered from the users' perspective, users will find ways to circumvent the system. If users cannot perform their duties with expediency within the security framework, they will find ways to work around the system making the net result less secure. Finding ways to facilitate user workflow through secure systems should be the end goal for all stakeholders when it comes to security planning.

Remember CIA - Confidentiality, Integrity, and Availability when auditing your team's security and you will have the right framework to secure your networks.