Fig.1: CIA3 model (anno 2016).
In the world of Information Security: Confidentiality, Integrity and Availability (CIA) have been the key concepts for many years. This popular combination is referred to as the InfoSec CIA triad.
Beyond these key concepts, people have been extending the basic principles with additional security concepts like non-repudiation, awareness, privacy, risk, traceability, etc. These concepts are sometimes added as additional attributes. Other attempts to add concepts have been made by creating revised models of the CIA triad, like O-ISM3, the Parkerian Hexad, etc. These models often extend the concepts with design, awareness, assessment, risk management, etc. The issue with these is that most people really like the CIA triad (often for simple reasons: it is easy to remember, or a "catchy" reference) and other models are not easy to accept because they often change the model dramatically, forcing you to start from scratch. However... what if we could extend the model and keep our beloved CIA by simply referring to it as CIA-cubed (or CIA3)?!
Rather than explaining the standard CIA model here, we will provide a high-level introduction of the new model and the concepts that can encompass all the basic security principles you require. Besides the concepts we also add relationships (and some level of hierarchy). These relations do add grey areas, just like in real life, where concepts can also live in the meaning of a relation.
The graph on the right depicts the new model, adding Accountability, Assurance and dependency relations. You will notice that every higher level depends on the lower level for proper implementation, while Integrity & Confidentiality have a mutual dependency.
Integrity is the basis of accountability; it assists you in ensuring accountability. Accountability can be defined in a RACI matrix; this depends on controls and plausible deniability to make it "stick". Accountability may also encompass segregation of duties. People may, for example, notice a document labeled "TOP SECRET", but do they know how to handle that document? Logon banners and awareness training are also part of accountability.
Typical items provided are non-repudiation and authenticity, but also design, governance and policy. Questions that should be answered are: Who did it? Who is accountable? How do we secure the systems?
How do we know if our systems are secure? Assurance encompasses all previous concepts and should be present all the time. Assurance is about control activities and includes: securing the architecture, its processes and reducing overall complexity.
Assurance, being present all the time, is a continuous activity; periodic controls assure that all security measures (both technical and operational) work as intended to protect the system and the information that it processes. By means of audits, KPIs, continual service improvement, SWOT analysis and Deming cycles we validate, update and optimize our governance models and implementations.