The CIA Triad: Establishing a Common Baseline for User Access to Company Data (Written by Wes Blackwell, Forsyte I.T. Solutions)
One issue that every organization, government or private, eventually has to face is how to protect its data and systems. How does one begin to evaluate current practices and the needs of clients? One trusted method of establishing a common baseline for user access to company data is the CIA Triad, which evaluates an environment against three properties: confidentiality, integrity, and availability. Let's take a closer look at each.
Confidentiality is ensuring that company data is seen only by the people and systems authorized to see it, starting with the data that matters most to your organization. Nobody wants their data exposed to the public, especially if it is sensitive, yet data breaches are unfortunately more common than they should be in today's environment.
Some simple ways to increase the confidentiality of data are:
Properly training employees on the handling of company data.
Strengthening the physical security of company facilities.
Implementing company policies for classifying and protecting data, and enforcing them with tooling such as Azure Information Protection.
The next practice of the CIA Triad is integrity: keeping company data free from unauthorized or accidental modification, whether by outside attackers or by insiders, and logging every change so that tampering can be detected. Audits and access logs are critical if an organization holds sensitive information, especially data that is highly valued or whose disclosure would violate the law (medical records, for example). Whenever users access critical or sensitive business information, the access should be logged and the logs stored in a secure location, separate from the systems they describe, for future review. If systems are to be transported or physically accessed, data custodians should conduct audits and the security team should review them. The integrity of data, the assurance that nothing has been tampered with, must be maintained at all times.
The last part of the CIA Triad is availability: making sure that company data is accessible when it is needed, with redundancy and tested fail-over in place in case of catastrophic failure. Sysadmins should also make sure that all hardware is maintained and that all upgrades are inspected, approved, and applied. If information is necessary for the company's success and for building trust with its clients, then it is crucial that this information is available whenever it is needed.
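The integrity point above (access logs that can be reviewed later and trusted not to have been altered) is easiest to see in code. The following is an added example, not something from the original article or from Forsyte I.T. Solutions: a tamper-evident audit log in which every record carries an HMAC over its own contents and the previous record's tag, so that editing, deleting, or reordering a record breaks the chain. The key, the event fields, and the sample access events are all constructed for illustration.

```python
import copy
import hashlib
import hmac
import json
from typing import Iterable

# Constructed example key. In practice the signing key lives in an HSM or a
# secrets manager that the people writing log entries cannot read, otherwise
# an insider could simply recompute the tags after editing a record.
LOG_KEY = b"example-only-key-do-not-use"

GENESIS = "0" * 64  # anchor value used as "previous tag" for the first record


def _canonical(record: dict) -> bytes:
    # Sorted keys and no whitespace, so the same record always serializes identically.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append_entry(chain: list, event: dict, key: bytes = LOG_KEY) -> dict:
    """Append an access event, binding it to the previous record via its tag."""
    prev_tag = chain[-1]["tag"] if chain else GENESIS
    body = {"seq": len(chain), "prev": prev_tag, "event": event}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    entry = dict(body, tag=tag)
    chain.append(entry)
    return entry


def verify_chain(chain: Iterable[dict], key: bytes = LOG_KEY) -> tuple:
    """Return (ok, index of first bad record); the index is -1 when the chain is intact.

    Detects modified records (tag mismatch), deleted or reordered records
    (sequence/prev mismatch), and records produced without the key.
    Silent truncation of the newest records is NOT detected here; for that,
    periodically anchor the latest tag somewhere the log writer cannot change.
    """
    prev_tag = GENESIS
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k != "tag"}
        if body.get("seq") != i or body.get("prev") != prev_tag:
            return False, i
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry.get("tag", "")):
            return False, i
        prev_tag = entry["tag"]
    return True, -1


def build_sample_log() -> list:
    """Constructed sample access events (not real data)."""
    chain: list = []
    append_entry(chain, {"ts": "2023-01-05T09:12:00Z", "user": "alice",
                         "action": "read", "object": "patient/1042"})
    append_entry(chain, {"ts": "2023-01-05T09:15:30Z", "user": "bob",
                         "action": "export", "object": "patient/1042"})
    append_entry(chain, {"ts": "2023-01-05T09:20:11Z", "user": "alice",
                         "action": "read", "object": "patient/2210"})
    return chain


def tampered_edit(chain: list) -> list:
    """Copy of the chain in which the 'export' record was rewritten as a harmless 'read'."""
    c = copy.deepcopy(chain)
    c[1]["event"]["action"] = "read"
    return c


def tampered_delete(chain: list) -> list:
    """Copy of the chain with the 'export' record removed entirely."""
    c = copy.deepcopy(chain)
    del c[1]
    return c


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify_chain(log))
    print("edited:", verify_chain(tampered_edit(log)))
    print("deleted:", verify_chain(tampered_delete(log)))
```

The chain only proves that nobody without the key altered the history; it says nothing about whether the events themselves were recorded truthfully, which is why the article's advice to store logs away from the systems they describe, and to have a separate team review them, still applies.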
One thing I would personally recommend is moving to the cloud, which makes the practices above easier to apply. Platforms such as Azure allow clear and consistent company policies to be established quickly and accurately on a platform run by one of the largest companies in the world. Azure role-based access control (RBAC) and group membership can ensure that only authorized personnel can access sensitive information. Azure Information Protection can classify company data according to company policy and encrypt the most sensitive of it. Redundancy can be configured for a server in minutes, and custom backup schedules are easy to build. And the best part is that audit logs are kept automatically and can be exported for long-term retention.
Analyzing and assessing an environment is a crucial part of an organization's evolution over its lifetime. Evaluating the organization's needs and how to better handle its data between its workers and customers will remain a constant process for any company.
The CIA Triad is an easy and proven model of analysis. It is really a floor plan for building a better overall security posture. Any potential threat or concern can be weighed against this model to produce a risk assessment and the contingency plans needed to mitigate loss of critical functionality.