Information security policy is a set of policies put forward by high-ranking members of an organization to ensure that all information technology users within the domain of that organization or its networks adhere to the same rules and guidelines related to the security of information that is transferred or stored at any point within the organization's boundaries of authority.
Confidentiality, integrity and availability, also known as the CIA triad, is one of the models that guide information security policies within an organization. The triad provides a baseline standard for evaluating and implementing information security regardless of the size, complexity or type of the underlying organization, which is why the CIA triad has proved so durable.
The elements of the triad are considered the three most essential components of information security. In this context, confidentiality is the set of rules that limits access to information, integrity is the assurance that data is intact and accurate, and availability is the assurance that authorized people can reliably access information when they need it.
Although the triad presents all three elements as equally important, when it comes to implementing it, one element may be more crucial than the others depending on the environment, application, context or organization. For instance, confidentiality is predominant for a financial agency, so it would likely encrypt any classified document being transferred electronically in order to prevent unauthorized access. An online marketplace, on the other hand, would be doomed if its network were down for a lengthy period, so it might better focus on strategies for guaranteeing high availability over concerns about data encryption.
In addition, it is fundamental to bear in mind that security isn't a feature of a piece of software; it's a property of the entire system. When your goal is to implement the CIA triad, you must adopt an approach that considers the parts of the system along with the big picture, the system in its entirety. You will need different tools and software to protect different parts of your system, network or processes, but you will also need those tools and software to be connected, so that they can work together. Cobbling together alert details to assess whether a security event is a real threat, or navigating through multiple dashboards and screens, will cost your security team time, effort, agility and efficiency.
To bring together everything you need and everything you already have into strong, unified, responsive, agile and, most importantly, genuinely safe security operations, you should consider security orchestration and automation.
Furthermore, you need to accept the fact that no set of rules is unbreakable, no software system is truly unhackable, and no security product is a hundred per cent secure. Thus, instead of asking how to achieve perfection, you need to ask how to get secure enough, and decide what secure enough means for you. Breaches, small or big, today or the day after tomorrow, will happen. Decide what is most valuable to you and make it a priority to keep that most valuable piece of information or element of the system safe in any event and before anything else.
To sum up, while implementing the CIA triad as a baseline security policy, you must consider the priorities and needs of your system, and you must adopt a holistic approach to ensure that everything works well and works well together.