The CIA Triad and Security Fundamentals
Confidentiality, integrity, and availability form the CIA triad, the foundational framework for evaluating security controls, threats, and compliance obligations. This topic establishes the vocabulary used throughout security governance, risk assessment, auditing, and regulatory compliance work.
The CIA triad is the three-property model that defines what information security is trying to protect: confidentiality (information is disclosed only to those authorised to receive it), integrity (information is accurate and has not been altered without authorisation), and availability (systems and data are accessible to authorised users when needed). Every security control, audit criterion, and compliance obligation can be traced back to one or more of these three properties. A firewall protects confidentiality and availability. A cryptographic hash protects integrity. A backup system protects availability. Learning to map controls and threats to CIA properties is the first practical skill in security governance and audit work.
The model emerged from early computer security research in the 1970s and was formalised in US Department of Defense documents, notably the Orange Book (TCSEC, 1983), which addressed confidentiality, and later standards that added integrity and availability explicitly. Today the triad underpins every major framework: ISO/IEC 27001 defines its security objectives in CIA terms, NIST SP 800-53 organises controls across the same three properties, and regulators from the EU's GDPR to India's Digital Personal Data Protection Act 2023 and the US HIPAA rules each protect a subset of CIA properties in their specific domain. The vocabulary is genuinely universal.
Security fundamentals also include a set of concepts that extend or qualify the triad: authentication, authorisation, non-repudiation, accountability, and the threat-vulnerability-risk model. These concepts bridge the gap between the abstract CIA properties and the concrete decisions an organisation makes about controls, audits, and compliance obligations. A practitioner who understands both the properties and the supporting concepts can read any audit finding, compliance requirement, or risk assessment and immediately understand what it is protecting and why.
By the end of this topic you will be able to:
- Define confidentiality, integrity, and availability and give one threat and one control for each property.
- Explain the threat-vulnerability-risk model and calculate a basic risk rating using likelihood and impact.
- Distinguish authentication from authorisation and explain why both are needed to protect confidentiality.
- Describe non-repudiation and explain how digital signatures and audit logs together provide it.
- Map a given security requirement from a compliance framework to the CIA property or properties it protects.
- Confidentiality: The property that information is not disclosed to unauthorised individuals, processes, or devices. Protected by access controls, encryption, and need-to-know policies. Breached by unauthorised disclosure, eavesdropping, or credential theft.
- Integrity: The property that information is accurate, complete, and has not been modified without authorisation. Protected by cryptographic hashing, digital signatures, and change management. Breached by unauthorised modification, corruption, or deletion.
- Availability: The property that systems and data are accessible to authorised users when needed. Protected by redundancy, backup, failover, and incident response capabilities. Breached by denial-of-service attacks, hardware failure, or ransomware.
- Non-repudiation: The property that a party cannot deny having performed an action. Provided by digital signatures, timestamped audit logs, and certified delivery receipts. Extends integrity by tying changes to an authenticated identity.
- Threat: Any potential event, actor, or circumstance that could cause harm to an information asset. Examples include ransomware groups, insider misuse, power failures, and natural disasters. A threat becomes a risk when paired with a vulnerability.
- Vulnerability: A weakness in a system, process, or control that a threat could exploit. Vulnerabilities arise from software bugs, misconfiguration, procedural gaps, or physical weaknesses. Risk is reduced by remediating vulnerabilities or adding compensating controls.
Confidentiality: what it is, how it is threatened, how it is protected
Confidentiality means that information reaches only those who are supposed to have it. The definition sounds simple but the enforcement is not. Confidentiality requires knowing who is authorised (identity and access management), preventing eavesdropping in transit (encryption), preventing unauthorised reading at rest (encryption and access controls), and preventing authorised users from leaking data outside the approved boundary (data loss prevention and classification).
Common threats to confidentiality include: credential theft (phishing, brute force, credential stuffing), man-in-the-middle interception of unencrypted traffic, insider disclosure (accidental or malicious), shoulder surfing and physical access to unlocked screens, and misconfigured cloud storage that exposes data publicly. Each of these threats maps to a different control category. Credential theft is addressed by multi-factor authentication and strong password policies. Interception is addressed by TLS/SSL on all communications. Insider threats are addressed by least-privilege access and monitoring.
Regulatory requirements for confidentiality appear across jurisdictions. The EU General Data Protection Regulation (GDPR) Article 5(1)(f) requires personal data to be processed with appropriate security, including protection against unauthorised access. India's Digital Personal Data Protection Act 2023 (DPDP Act) imposes a similar obligation on data fiduciaries under Section 8(5). The US Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires covered entities to protect the confidentiality of electronic protected health information. PCI-DSS Requirement 3 requires that stored cardholder data be protected. All of these are confidentiality controls expressed in domain-specific language.
Integrity: what it is, how it is threatened, how it is protected
Integrity means that data is what it claims to be: accurate, complete, and unaltered without authorisation. Integrity failures are often harder to detect than confidentiality breaches because the data is still present and accessible; it is simply wrong. A medical record with an altered dosage, a financial ledger with manipulated entries, or a software binary with injected malicious code all represent integrity failures. The harm may not be apparent until the compromised data is acted upon.
Threats to integrity include: unauthorised modification by external attackers (SQL injection modifying database records), insider manipulation (an employee altering financial records), accidental corruption from storage failure or software bugs, and man-in-the-middle modification of data in transit. Supply chain attacks, where software dependencies or firmware are modified before delivery, are a form of integrity attack on software that has grown significantly since 2020.
Controls for integrity include: cryptographic hashing (SHA-256, SHA-3) to detect modification, digital signatures to bind data to an identity, write-once storage for audit logs, version control for code and configuration, database transaction controls (ACID properties), and change management procedures that require approval and record of all changes. In regulated environments, integrity controls often have specific form: HIPAA requires audit controls to record and examine access activity; PCI-DSS Requirement 11 requires integrity monitoring of critical files.
| Threat | Integrity failure mode | Primary control |
|---|---|---|
| SQL injection | Database records altered without authorisation | Input validation, parameterised queries, WAF |
| Ransomware | Files encrypted or deleted, rendering data unusable | Immutable backups, endpoint protection |
| Supply chain attack | Malicious code injected into software before delivery | Code signing, dependency pinning, SBOM |
| Insider manipulation | Records altered by an authorised user | Separation of duties, audit logging, RBAC |
| Storage corruption | Data altered by hardware or software fault | Checksums, RAID, redundant storage, backups |
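The integrity controls above (SHA-256 hashing to detect modification, a keyed seal so the record of expected hashes cannot itself be silently rewritten) can be shown end to end with a small file integrity monitor. This is an added example written for this page, not code from the original text; the file names, contents and the HMAC key are constructed for the demonstration, and in a real deployment the key would be held by the monitoring system rather than on the host being monitored.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Constructed sample "critical files" for the demonstration; a real FIM
# deployment would baseline paths such as system binaries and config files.
SAMPLE_FILES = {
    "app.conf": b"listen=443\ntls=required\n",
    "payroll.csv": b"id,name,amount\n1,alice,5000\n",
}


def sha256_of_file(path: str) -> str:
    """Stream the file through SHA-256 so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(directory: str, key: bytes) -> dict:
    """Hash every file and seal the whole baseline with an HMAC.

    The HMAC, keyed with a secret the monitored host does not hold, means an
    attacker who alters a file cannot simply rewrite the baseline to match.
    """
    hashes = {name: sha256_of_file(os.path.join(directory, name))
              for name in sorted(os.listdir(directory))}
    serialised = json.dumps(hashes, sort_keys=True).encode()
    return {"hashes": hashes, "mac": hmac.new(key, serialised, hashlib.sha256).hexdigest()}


def verify(directory: str, baseline: dict, key: bytes) -> dict:
    """Return findings: baseline tampering, plus modified/added/removed files."""
    serialised = json.dumps(baseline["hashes"], sort_keys=True).encode()
    expected = hmac.new(key, serialised, hashlib.sha256).hexdigest()
    # compare_digest avoids a timing side channel when comparing MACs
    if not hmac.compare_digest(expected, baseline["mac"]):
        return {"baseline_tampered": True, "modified": [], "added": [], "removed": []}
    current = {n: sha256_of_file(os.path.join(directory, n)) for n in os.listdir(directory)}
    known = baseline["hashes"]
    return {
        "baseline_tampered": False,
        "modified": sorted(n for n in known if n in current and current[n] != known[n]),
        "added": sorted(n for n in current if n not in known),
        "removed": sorted(n for n in known if n not in current),
    }


def demo() -> dict:
    """Create sample files, baseline them, alter one, add one, and report."""
    key = b"constructed-demo-key-held-by-the-monitoring-system"
    with tempfile.TemporaryDirectory() as directory:
        for name, content in SAMPLE_FILES.items():
            with open(os.path.join(directory, name), "wb") as fh:
                fh.write(content)
        baseline = build_baseline(directory, key)
        assert verify(directory, baseline, key)["modified"] == []
        # Simulate an unauthorised modification: an amount in the payroll file changes,
        # and an unexpected file appears.
        with open(os.path.join(directory, "payroll.csv"), "wb") as fh:
            fh.write(b"id,name,amount\n1,alice,50000\n")
        with open(os.path.join(directory, "unexpected.tmp"), "wb") as fh:
            fh.write(b"x")
        findings = verify(directory, baseline, key)
        # Someone who rewrites the baseline to match the new hash but lacks the
        # key still fails the MAC check.
        forged = {"hashes": dict(baseline["hashes"]), "mac": baseline["mac"]}
        forged["hashes"]["payroll.csv"] = sha256_of_file(os.path.join(directory, "payroll.csv"))
        findings["forged_baseline_detected"] = verify(directory, forged, key)["baseline_tampered"]
        return findings


if __name__ == "__main__":
    print(demo())
```

The design point is that a hash alone only detects change; the baseline must itself be protected (here by an HMAC, in production typically by a signature from the monitoring server), otherwise the integrity record has the same weakness as the data it guards.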
Availability: what it is, how it is threatened, how it is protected
Availability means that authorised users can access systems and data when they need to. It is the property most directly threatened by operational disruptions. A hospital system that is unavailable during an emergency, a financial trading platform that goes down during market hours, or a government benefits portal that is unreachable during a natural disaster all illustrate why availability is a security property with direct human consequences, not just an IT operations concern.
Threats to availability include: distributed denial-of-service (DDoS) attacks that flood systems with traffic, ransomware that encrypts data and demands payment, hardware failure, power outages, misconfigurations that cause unplanned downtime, and natural disasters affecting physical infrastructure. The SolarWinds compromise of 2020, while primarily an integrity and confidentiality attack, also demonstrated how a single point of failure in update infrastructure can affect thousands of organisations simultaneously.
Controls for availability include: redundant systems and load balancing, automatic failover and disaster recovery plans, immutable and offsite backups with tested restoration procedures, DDoS mitigation services, uninterruptible power supplies and generator backup, and incident response plans with defined recovery time objectives (RTO) and recovery point objectives (RPO). ISO/IEC 22301 is the international standard for business continuity management and maps directly to availability protection. Many compliance frameworks including HIPAA, PCI-DSS, and India's DPDP Act impose availability requirements implicitly through breach notification and data protection obligations.
Extending the triad: authentication, authorisation, accountability, and non-repudiation
The CIA triad defines what to protect. Several additional concepts explain how protection works in practice. Authentication answers the question: who are you? It verifies identity before granting access. Common mechanisms include passwords, smart cards, biometrics, and one-time codes. Multi-factor authentication (MFA) combines two or more factors from different categories (something you know, something you have, something you are) to reduce the impact of any single mechanism being compromised.
Authorisation answers the question: what are you allowed to do? Once identity is verified, the system determines which resources the authenticated identity may access and which actions they may perform. The principle of least privilege requires that each user and process has only the access necessary for their legitimate function. Role-based access control (RBAC) assigns permissions to roles rather than individuals, making management scalable. Attribute-based access control (ABAC) makes access decisions based on attributes of the user, the resource, and the context (for example, time of day or device type).
Accountability means that actions can be traced to the individual or process that performed them. It requires audit logging: a tamper-evident record of who did what and when. Accountability deters insider abuse (people behave differently when they know their actions are recorded) and supports investigation after an incident. Non-repudiation goes further: it provides cryptographic proof that a specific authenticated identity performed a specific action. Digital signatures on transactions, time-stamped audit records signed by a trusted authority, and certified email delivery receipts all provide non-repudiation. This matters in legal contexts, including contract disputes, financial transactions, and regulatory investigations, where a party denying an action must be contradicted by evidence they cannot plausibly claim was fabricated.
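The three mechanisms just described (authentication, role-based authorisation under least privilege, and a tamper-evident audit log for accountability) fit together in one request path. The following is an added example written for this page, not code from the original text. The user store, roles, permissions and passphrases are constructed; the hash-chained log gives tamper evidence, which is accountability, and the comments note why it stops short of non-repudiation.

```python
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timezone
from typing import List, Optional

# --- Authentication: "who are you?" -----------------------------------------
# Constructed user store for the example. Passwords are stored only as salted
# PBKDF2 hashes, so a copied user table does not yield reusable credentials.
PBKDF2_ITERATIONS = 200_000


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_user(password: str, role: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": _derive(password, salt), "role": role}


USERS = {
    "alice": make_user("correct horse battery staple", "clerk"),
    "bob": make_user("a-different-long-passphrase", "auditor"),
}


def authenticate(username: str, password: str) -> Optional[str]:
    """Return the verified username, or None. Does not reveal which part failed."""
    user = USERS.get(username)
    if user is None:
        _derive(password, b"\x00" * 16)  # same cost for unknown users (timing)
        return None
    if hmac.compare_digest(_derive(password, user["salt"]), user["hash"]):
        return username
    return None


# --- Authorisation: "what may you do?" --------------------------------------
# Role-based access control applying least privilege: each role holds only the
# (resource, action) pairs its job function needs. Roles are constructed here.
PERMISSIONS = {
    "clerk": {("ledger", "read"), ("ledger", "append")},
    "auditor": {("ledger", "read"), ("audit_log", "read")},
}


def authorise(username: str, resource: str, action: str) -> bool:
    role = USERS[username]["role"]
    return (resource, action) in PERMISSIONS.get(role, set())


# --- Accountability: tamper-evident audit log --------------------------------
# Every entry embeds the hash of the previous entry, so editing, deleting or
# reordering a record breaks the chain. This is tamper evidence (accountability),
# not non-repudiation: that would additionally require each entry to be signed
# with the actor's private key or a trusted timestamping authority's key.
AUDIT_LOG: List[dict] = []
GENESIS = "0" * 64


def _entry_hash(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def log_event(actor: str, resource: str, action: str, allowed: bool) -> None:
    body = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "actor": actor, "resource": resource, "action": action, "allowed": allowed,
        "prev_hash": AUDIT_LOG[-1]["entry_hash"] if AUDIT_LOG else GENESIS,
    }
    AUDIT_LOG.append({**body, "entry_hash": _entry_hash(body)})


def audit_log_intact(log: List[dict]) -> bool:
    """Re-walk the chain; any edited, removed or reordered entry returns False."""
    prev = GENESIS
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if body["prev_hash"] != prev or _entry_hash(body) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True


def access(username: str, password: str, resource: str, action: str) -> bool:
    """Authenticate, then authorise, and record the outcome either way."""
    actor = authenticate(username, password)
    if actor is None:
        log_event(username, resource, action, False)  # failed logins are logged too
        return False
    allowed = authorise(actor, resource, action)
    log_event(actor, resource, action, allowed)
    return allowed


if __name__ == "__main__":
    print(access("alice", "correct horse battery staple", "ledger", "append"))
    print(access("alice", "correct horse battery staple", "audit_log", "read"))
    print(audit_log_intact(AUDIT_LOG))
```

Note that a successful login does not imply access: alice authenticates but is refused `audit_log` because her role never received that permission, and both the refusal and any failed login attempt are written to the chain so an auditor can reconstruct what was attempted, not only what succeeded.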
Threats, vulnerabilities, and risk: the foundational model
Security practice is ultimately risk management. The foundational model has three components: a threat (a potential harmful event or actor), a vulnerability (a weakness that the threat could exploit), and risk (the product of the likelihood that the threat exploits the vulnerability and the impact if it does). Controls reduce risk by reducing likelihood, reducing impact, or both. Understanding this model is essential for audit work, because auditors evaluate whether controls are appropriate to the risk, not whether they exist in isolation.
Risk can be expressed qualitatively (high/medium/low) or quantitatively (annualised loss expectancy). Qualitative methods are more common in governance and audit contexts because they are faster to produce and easier to communicate to non-technical stakeholders. A simple 5x5 risk matrix places likelihood on one axis and impact on the other, assigning each cell a risk rating. Quantitative methods, including FAIR (Factor Analysis of Information Risk), express risk in monetary terms and are used in board-level reporting and insurance contexts. Both methods appear in real audit engagements; auditors should understand the logic of each.
There are exactly four risk treatment options: accept the risk (document and monitor), avoid it (stop the activity that creates it), transfer it (insurance, contractual shift to a third party), or mitigate it (implement controls). Every security control decision is a risk treatment decision. An organisation that chooses not to encrypt laptop drives is accepting the risk of data exposure if a laptop is stolen. An organisation that buys cyber insurance is partly transferring that risk. A mature security programme documents each risk treatment decision so that auditors and regulators can assess whether the organisation's risk appetite is appropriate and whether accepted risks have remained within acceptable bounds.
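The qualitative 5x5 rating, the quantitative annualised loss expectancy, and the choice among the four treatment options can be worked through together using the laptop encryption scenario. This is an added example, not part of the original text. It goes one step beyond the page by costing a control against the risk it removes: the band thresholds, the loss figures, the control cost and the decision rule in `recommend_treatment` are all assumptions constructed for the example, not figures from any standard.

```python
from dataclasses import dataclass


# 5x5 qualitative matrix: likelihood and impact each scored 1..5, product 1..25.
# The band thresholds below are an assumption for this example; each
# organisation sets its own in its risk methodology.
def qualitative_rating(likelihood: int, impact: int) -> str:
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must each be 1..5")
    score = likelihood * impact
    if score >= 15:
        return "high"
    if score >= 6:
        return "medium"
    return "low"


# Quantitative: annualised loss expectancy (ALE) = single loss expectancy (SLE)
# x annual rate of occurrence (ARO).
def annualised_loss_expectancy(sle: float, aro: float) -> float:
    return sle * aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    likelihood_reduction: float  # fraction of ARO the control removes (0..1)
    impact_reduction: float      # fraction of SLE the control removes (0..1)


def control_value(sle: float, aro: float, control: Control) -> dict:
    """Compare ALE with and without the control. A positive net benefit means
    the control costs less per year than the risk it removes."""
    before = annualised_loss_expectancy(sle, aro)
    after = annualised_loss_expectancy(
        sle * (1 - control.impact_reduction), aro * (1 - control.likelihood_reduction)
    )
    return {
        "ale_before": before,
        "ale_after": after,
        "risk_reduction": before - after,
        "net_benefit": before - after - control.annual_cost,
    }


def recommend_treatment(sle: float, aro: float, control: Control,
                        risk_appetite_ale: float) -> str:
    """Map the numbers onto the four treatment options. The decision rule is an
    assumption for this example, not a prescription from any framework."""
    if annualised_loss_expectancy(sle, aro) <= risk_appetite_ale:
        return "accept"  # already within appetite: document and monitor
    value = control_value(sle, aro, control)
    if value["net_benefit"] > 0 and value["ale_after"] <= risk_appetite_ale:
        return "mitigate"  # the control pays for itself and brings risk within appetite
    return "transfer or avoid"  # residual risk still above appetite: insure, outsource or stop


# Constructed figures for the page's laptop scenario: an unencrypted laptop lost
# roughly every two years (ARO 0.5), 50,000 in notification and remediation
# cost per loss (SLE); full-disk encryption removes nearly all of the impact
# but does nothing to stop laptops being lost.
LAPTOP_ENCRYPTION = Control("full-disk encryption", annual_cost=2_000,
                            likelihood_reduction=0.0, impact_reduction=0.95)

if __name__ == "__main__":
    print(qualitative_rating(3, 5))
    print(control_value(50_000, 0.5, LAPTOP_ENCRYPTION))
    print(recommend_treatment(50_000, 0.5, LAPTOP_ENCRYPTION, risk_appetite_ale=5_000))
```

With these figures the ALE falls from 25,000 to 1,250 for a 2,000 annual control cost, so the documented decision is "mitigate"; the same function returns "accept" if the organisation's appetite already exceeds 25,000, and "transfer or avoid" if the residual 1,250 still exceeds it, which is the reasoning an auditor expects to see recorded beside each risk.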
For a structured approach to identifying and classifying assets and assigning risk ownership, see Risk Identification and Asset Classification. For the methodologies used to quantify and prioritise risk, see Risk Assessment Methodologies.
Defence in depth and security control categories
Defence in depth is the practice of layering multiple independent controls so that the failure of any single control does not result in a complete security failure. The term originates in military strategy, where defence in layers means an attacker who breaches the outer perimeter still faces inner defences. In information security, a layered model might include: network perimeter controls (firewall, IDS), endpoint controls (antivirus, disk encryption), application controls (input validation, session management), identity controls (MFA, least privilege), and data controls (encryption at rest, DLP). An attacker who bypasses the network perimeter still faces endpoint and application controls.
Controls are classified by purpose and by mechanism. By purpose: preventive controls stop an attack before it succeeds (firewalls, access controls), detective controls identify attacks that are occurring or have occurred (intrusion detection, audit logs), corrective controls reduce harm after an attack (backup restoration, incident response), and deterrent controls reduce the likelihood of attack by making it less attractive (legal warnings, visible cameras). By mechanism: technical controls are implemented in systems (encryption, authentication), administrative controls are implemented in policy and procedure (acceptable use policy, training), and physical controls protect physical assets (locks, badge readers, CCTV).
| Control category | Purpose | Example |
|---|---|---|
| Technical / preventive | Block attacks before they succeed | Firewall rules, MFA, file-level encryption |
| Technical / detective | Identify attacks in progress or after the fact | SIEM alerts, file integrity monitoring, IDS |
| Technical / corrective | Restore normal operation after an incident | Automated backup restoration, patch deployment |
| Administrative / preventive | Reduce risk through policy and training | Acceptable use policy, security awareness training |
| Administrative / detective | Identify control gaps through review | Periodic access reviews, audit log analysis |
| Physical / preventive | Prevent physical access to assets | Badge-access server rooms, cable locks, CCTV deterrence |
Audit work always considers all three control categories. A technically strong environment with weak administrative controls (no training, no policies, no access reviews) remains vulnerable to insider threats and social engineering. A strong policy framework with no technical enforcement is equally fragile. Auditors assess controls across all three categories and identify gaps where one category is absent or weak.
A hospital's patient record system is taken offline for four hours by a ransomware attack. Which CIA property is primarily breached?
Key Takeaways
- The CIA triad (confidentiality, integrity, availability) is the foundational model for information security: every control, audit criterion, and compliance requirement protects one or more of these three properties.
- Confidentiality is threatened by unauthorised disclosure and protected by access controls, encryption, and least-privilege policies. Integrity is threatened by unauthorised modification and protected by hashing, digital signatures, and change management. Availability is threatened by disruption and protected by redundancy, backups, and incident response.
- Authentication (verifying identity) and authorisation (granting appropriate access) are distinct mechanisms; both are needed to protect confidentiality. Non-repudiation, provided by digital signatures and audit logs, extends integrity by binding actions to authenticated identities.
- Risk is the product of likelihood and impact when a threat exploits a vulnerability. Risk treatment options are accept, avoid, transfer, or mitigate. Every security control decision is a risk treatment decision that should be documented.
- Controls are classified by purpose (preventive, detective, corrective, deterrent) and by mechanism (technical, administrative, physical). Effective security programmes use all three mechanisms across all purposes; gaps in any category create exploitable weaknesses that auditors are trained to find.
What is the CIA triad in information security?
How does the CIA triad relate to security auditing and compliance?
What is non-repudiation and why is it sometimes added to the CIA triad?
What is a threat, a vulnerability, and a risk in security terms?
What does defence in depth mean?