Nov 10, 2017
Tom has the key to IT security
For anyone who hasn’t had the pleasure of meeting Tom, our Technical Solutions Architect, he’s singlehandedly keeping the Welsh language alive with a fluent mother tongue. But other than baffling colleagues with his bilingual skills, he’s massively passionate about IT security. So when Tom said he wanted to create a feature on the CIA, it left us all a little perplexed. Not to be confused with the Central Intelligence Agency, what Tom wanted to discuss was the CIA Triangle, a model designed to support organisational information security.
‘C’ in the triangle stands for confidentiality, and the measures a business should take to ensure that information it deems confidential stays that way. It focuses on making sure sensitive information doesn’t reach the wrong people, while also making sure the right people can still access it. This will include processes and policies on user access control, making sure only the right people have authorised access. It will also include access based on role and responsibility rather than company-wide access, so that information doesn’t get into the wrong hands. Data privacy goes hand in hand with confidentiality, although there is a clear distinction between the two. Generally, what a business considers ‘confidential’ is determined at board level and may differ from one business to the next. It is likely to include information such as key clients, sales leads and anything that, if it got into the wrong hands, could cause the business damage or losses. Privacy, on the other hand, is determined by government legislation such as the Data Protection Act and the GDPR. All businesses have a legal responsibility to protect this information from unauthorised access.
When safeguarding data, special training, and in some instances security clearance checks, may be required for people who are privy to sensitive documents. This helps highlight any security risks that could compromise confidentiality. In addition, a robust password policy with recommendations for best practice is also relatively common.
Extra measures might be required in some situations; online banking is a great example. Here data encryption or two-factor authentication may be required, providing a second form of authentication such as a phone call or an email. Users also have a part to play in keeping information secure, for example by controlling how many times information is used to make a transaction, or by considering how the information is stored.
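To make the role-based access idea concrete, here is a small worked example (added to this article, not Tom’s own code) of a policy that grants a user access to a document only when their role carries the clearance the document requires, and records every decision in an audit trail. The roles, classification levels, users and documents are constructed sample data.

```python
"""Role-based access check for confidential records (illustrative, constructed data)."""
from dataclasses import dataclass, field

# Classification levels, ordered from least to most sensitive.
LEVELS = {"public": 0, "internal": 1, "confidential": 2}

# Highest classification each role may read. Unknown roles fall back to "public".
ROLE_CLEARANCE = {
    "guest": "public",
    "staff": "internal",
    "sales": "confidential",   # sales leads are confidential, as the article notes
    "board": "confidential",
}


@dataclass
class Document:
    name: str
    classification: str
    owners: set = field(default_factory=set)  # roles allowed to change the document


@dataclass
class User:
    username: str
    role: str


def can_read(user: User, doc: Document) -> bool:
    """A user may read a document if their role's clearance meets its classification."""
    clearance = ROLE_CLEARANCE.get(user.role, "public")
    return LEVELS[clearance] >= LEVELS[doc.classification]


def can_write(user: User, doc: Document) -> bool:
    """Writing additionally requires the user's role to be an owner of the document."""
    return can_read(user, doc) and user.role in doc.owners


def access(user: User, doc: Document, action: str, audit: list) -> bool:
    """Decide an access request and append the decision to the audit trail."""
    if action == "read":
        allowed = can_read(user, doc)
    elif action == "write":
        allowed = can_write(user, doc)
    else:
        allowed = False  # unknown actions are denied by default
    audit.append(f"{user.username} {action} {doc.name}: {'ALLOW' if allowed else 'DENY'}")
    return allowed


def demo() -> list:
    """Run a few sample requests and return the audit trail."""
    leads = Document("sales_leads.xlsx", "confidential", owners={"sales"})
    handbook = Document("staff_handbook.pdf", "internal")
    trail: list = []
    access(User("alys", "sales"), leads, "read", trail)
    access(User("alys", "sales"), leads, "write", trail)
    access(User("bryn", "staff"), leads, "read", trail)
    access(User("bryn", "staff"), handbook, "read", trail)
    access(User("visitor", "guest"), handbook, "read", trail)
    access(User("ceri", "board"), leads, "write", trail)  # board can read, but isn't an owner
    return trail


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The point of the audit list is that a denied request is as interesting as an allowed one: a run of DENY entries for the same account is exactly the kind of inconsistency the article says auditing should pick up.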
‘I’ in the triangle stands for integrity, which means the accuracy and consistency of information throughout its entire existence. The measures here are the steps taken to ensure data cannot be tampered with or changed by unauthorised people. File permissions and user access control are a good way of maintaining integrity, and many businesses use version control for important documentation to prevent inaccurate changes being made or information being deleted. Integrity also covers data backups and redundancy, specifically so that information can be restored effectively after corruption or malicious tampering.
Another key area that integrity relies on is effective auditing and accountability. By making sure information is audited regularly, any inconsistencies can be picked up and investigated or rectified accordingly.
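Regular auditing for tampering can be as simple as keeping a baseline of file hashes and comparing against it later. The example below is added for this article (it is not Tom’s code or a product feature): it builds a SHA-256 baseline of a folder, then reports files that were modified, deleted or added since the baseline was taken. The folder and its files are constructed in a temporary directory so the script runs offline.

```python
"""File-integrity audit: hash baseline plus later comparison (illustrative example)."""
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large files don't need to be read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: str) -> dict:
    """Map each file's path (relative to root) to its SHA-256 hex digest."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = sha256_file(full)
    return baseline


def audit(root: str, baseline: dict) -> dict:
    """Compare the folder's current state against a stored baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
        "unchanged": sorted(p for p in baseline if p in current and current[p] == baseline[p]),
    }


def demo() -> dict:
    """Create constructed sample files, take a baseline, tamper, and audit."""
    with tempfile.TemporaryDirectory() as root:
        files = {
            "clients.csv": b"Acme Ltd,renewal due March\n",
            "policy.txt": b"Passwords must be at least 12 characters.\n",
            "old_notes.txt": b"superseded\n",
        }
        for name, content in files.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(content)

        baseline = build_baseline(root)  # in practice store this off the audited system

        # Simulated unauthorised changes since the baseline was taken.
        with open(os.path.join(root, "clients.csv"), "ab") as fh:
            fh.write(b"Competitor Ltd,stolen lead\n")
        os.remove(os.path.join(root, "old_notes.txt"))
        with open(os.path.join(root, "rogue.exe"), "wb") as fh:
            fh.write(b"not really an executable\n")

        return audit(root, baseline)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

The baseline is only as trustworthy as where it is kept: if it sits on the same machine with the same permissions as the files it protects, anyone who can alter the files can alter the baseline too, so store it off-host or sign it, which is the same off-site principle the article applies to backups.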
‘A’ stands for availability: ensuring that all hardware is performing correctly, for maximum uptime and minimum disruption. This includes a robust system upgrade management plan, so that all equipment is up to date and fully optimised.
A disaster recovery plan will also play a significant role in overall availability. It takes into consideration the various ways a business could lose services, whether inadequate bandwidth and communication bottlenecks or an unexpected disaster such as a fire or flood. In such cases a focus on redundancy and failover gives the business an additional layer of availability. Part of the disaster recovery plan will also centre on backups, ensuring that you have a secure off-site backup to prevent data loss.
It goes without saying that Tom considers the CIA triangle when he’s developing client recommendations. He knows that if every business did the same when scoping out their information security and data loss prevention methods, it would certainly help them achieve a better level of data integrity and safeguarding.