This is a brief introduction to security for the layperson. First of all, we will start with a single word: “risk”. After all, this is what security is all about: managing the level of risk to our organization. We can never completely eliminate risk. No matter how good the controls we put in place are, or how many of them there are, there is always a degree of “residual risk”. Our goal is to reduce it to an acceptable level, so that the only thing keeping our leadership team up at night is the neighbour’s dog.
And here’s another very important word: “data”. You might disagree with me, but your data is almost certainly the most valuable asset your organisation has (with the possible exception of people). For example, if you lost all of your data, how long would it take for your organisation to recover? Would it ever recover? Or would you be out of business before that happened?
The CIA Triad
Let’s start our introduction at the foundation. Information Systems Security stands on three pillars: Confidentiality, Integrity, and Availability. Therefore, no solution should ever disregard any of the three. By way of an analogy, consider a tripod. If one of the legs is not secure, we run the risk of the whole thing toppling over, and an expensive camera suddenly meeting the floor. That’s a big mess that nobody wants. As a result, it is important to ensure that your data is protected against threats to all three of these properties.
Confidentiality
Everyone has confidential information. For example, it might be a social insurance number, bank account number, credit card number, or your age. Regardless of the type of data, we must secure all confidential (a.k.a. “sensitive”) information. In the case of a business or other organization, the confidential information could be the financial data and related reports. Also, it might be HR data. And, in some cases, it might be confidential information belonging to your customers (like their credit card number).
This aspect of security is all about ensuring that the confidential (or “sensitive”) data stays confidential, whether that means keeping people from stealing the data from under your nose, or making sure people are not taking it home on their laptop or portable drive. There is quite a lot of legislation regarding protecting the privacy of individuals, depending on the type of data, the type of organisation you run, where you do business, and who you do business with.
Integrity
This term refers to data integrity (not personal or professional integrity). In a nutshell, integrity is the science of ensuring that our data is correct. Moreover, it is about ensuring that the data has not been modified without appropriate authorization. Understand that “unauthorized modifications” includes both external actors infiltrating the system and internal employees making changes without proper approval. On a related note, it also includes software quality. This is because bugs in software can cause data errors, or even data corruption. Furthermore, software vulnerabilities can result in unapproved changes.
Availability
Availability strives to ensure that data is accessible to the people (or systems) that need it, when they need it. This can involve various technologies, such as fault tolerance and backups. It also includes procedures like business continuity and disaster recovery plans. As mentioned in the introduction, without access to our data, our entire organization’s survival is at risk. For more details, you should check out my post on availability.