Information is a business asset and adds value to an organization. Information exists in many forms. It may be printed or written on paper, stored in electronic media, transmitted by electronic means, or spoken in conversations.
Information and its associated infrastructure are accessed and used in business by employees, third-party users or by automated processes. For example, an HR Manager accessing employee profile database through a database application. Each component in this activity, that is, HR manager, employee profile database, and the database application is called entities. Other examples would be a time-based job scheduler, such as cron in UNIX, such as operating systems, or a task scheduler in Windows, such as operating systems updating information through a script in a database. Here, scheduler application, the script or application it runs, and the data being accessed are entities.
Information assets and associated entities have certain levels of CIA requirements. A level could be a numeric value or representational value, such as high, low, or medium. The CIA triad is frequently referred to as tenets of information security. Tenet means something accepted as an important truth. The CIA values of an asset are established through risk analysis, which is a part of risk management. Concepts of risk management are covered in the next chapter.
Information security is characterized by preserving CIA values of an asset. Preserving is to ensure that the CIA values are maintained all the time and at all the locations. Hence, for an effective information security management, defining and maintaining CIA values is a primary requirement.
Information needs to be disclosed to authorized entities for business processes, for example, an authorized employee accessing information about the prototype under development on the server. Confidentiality is to ensure that the information is not disclosed to unauthorized entities, for example, confidentiality is often achieved by encryption.
Information has to be consistent and not altered or modified without established approval policies or procedures. Integrity is to maintain the consistency of the information internally as well as externally. This is to prevent unauthorized modification by authorized entities, for example, an update to the database record is made without approval.
Integrity is also to prevent authorized modification by unauthorized entities, for example, when malicious code is inserted in a web application by an unethical hacker. In this scenario, a hacker (an unauthorized entity) may modify an application through an established procedure (authorized update).
Availability is to ensure that information and associated services are available to authorized entities as and when required. For example, in an attack on the network through Denial-of-Service (DoS). Sometimes, an authorized update to an application may stop certain essential services and will constitute a breach in availability requirements, for example, inadvertently tripping over a server power cable may constitute as an availability breach.