Information security should be a top priority for all organisations. It involves protecting organisational data and optimising information systems. The purpose of information security is to prevent confidentiality breaches, data losses, inappropriate data deletion and inaccurate data production. The three fundamental bases of information security are represented in the CIA triad: confidentiality, integrity and availability. Put simply, confidentiality is limiting data access, integrity is ensuring your data is accurate, and availability is making sure it is accessible to those who need it. This triad can be used as a foundation to develop strong information security policies.
What is Confidentiality?
The principle of confidentiality involves restricting data access strictly to authorised personnel. Users have a responsibility to ensure they maintain secure access control systems, including both logical (e.g. PC passwords) and physical restrictions (e.g. ID cards). For this reason, it is important that all employees receive thorough training in information security awareness and best practices. It is important to limit data sharing and state availability restrictions so confidentiality is not inadvertently breached.
The importance of physical restrictions should not be underestimated. Remember, unwarranted access to your building can facilitate unauthorised data access. Door codes help to ensure your building remains secure. They should not be written down and staff should be vigilant in ensuring no one is watching or recording them input codes. Similarly, many organisations insist that their employees wear ID badges, this makes it easier to identify non-employees within your workplace. ID badges should be worn at all times within the workplace but never outside of work. Wearing them outside of work enables criminals to quote your details (e.g. name, position and organisation) in an attempt to gain access to your building. Areas containing particularly sensitive information can be protected by extra access restrictions e.g. an additional door code.
Passwords are another basic, yet vital, means of protecting your information. A strong password is at least 8 characters long, contains upper and lower case letters, numbers and special symbols. Passwords should never be shared (even with your colleagues or IT providers) and should be changed immediately if discovered. Changing your password regularly allows hackers less time to guess it and stops them from using your account if they have already obtained your password. You should change your password at least once every 90 days.
What is Integrity?
Upholding integrity means that measures are taken to ensure that data is kept accurate and up to date. The integrity of your data impacts how trustworthy and conscientious your organisation is. One of the eight Data Protection Principles (which are the foundations of the Data Protection Act 2018) is that data should be ‘kept accurate and up to date’. Users must make sure that they comply with their legal duties and fulfil this requirement. It can be useful to assign individuals specific roles and responsibilities regarding data integrity. This way employees cannot shelve the responsibility and expect someone else to pick up the slack.
What is Availability?
Availability means guaranteeing reliable access to information by authorised personnel. In order to be readily accessible, data must be stored in a logical yet secure system. High availability aids rapid business processing and ultimately benefits your organisation. It is every user’s responsibility to file desktop documents in a way that makes them easy to locate in the future. Similarly, paper copies should be filed securely and not left lying around.
Copies should be made to ensure important information is not irreversibly lost. Certain storage methods are more vulnerable to loss and theft than others. Information on portable storage devices, such a USBs, is particularly vulnerable. That’s why this information should be encrypted and backed up. Temporary displays (e.g. whiteboards and charts) are similarly vulnerable to prying eyes, and information recorded in this way should be transferred to a more permanent, confidential place at the earliest opportunity.
It is business owners’ responsibility to implement a thorough business contingency plan, allowing rapid disaster recovery. This ensures minimal disruption to service. Getting information systems up and running as soon as possible ensures that there is not an excessive interruption to information availability.
Data is often shared, not only within your organisation, but also to individuals outside of your organisation, such as customers, business partners and the general public. Emails are a quick and easy way of sharing data around the world, especially convenient when transferring big data sets. However, information sent over the internet can sometimes be intercepted and accessed by hackers, compromising confidentiality. Encrypting your information can make it harder for hackers to access, as without the decryption key the data will appear to be nonsense.
Why is the CIA Triad So Important?
Good information security practices protect the data subjects your organisations hold data about and the company’s assets. For instance, unauthorised access to personal data could result in identity theft, harm to individuals’ rights and freedoms and emotional damage.
As well as protecting data subjects, information security is crucial in protecting your organisation. Not only does it protect your business data from being exploited, it also shields you from the damaging repercussions of data breaches. Poor information security can result in: confidentiality breaches, data loss, data inaccuracies and wasted resources. This can culminate in massive reputational blows, along with disciplinary action if those involved acted mindlessly or if proper training was neglected to be offered. Possible disciplinary actions range from internal procedures to hefty fines and legal prosecution. Proper training for all staff members is essential in raising awareness of and properly implementing the information security principles.