
Security Categorization for Information Types

How to determine security categorization and Confidentiality, Integrity and Availability Classifications for Information Types

Written by Alan Winchester
Updated over 6 years ago

Confidentiality, Integrity and Availability (CIA) are the three axes defined by the National Institute of Standards and Technology (NIST) to help define the level of risk associated with each type of information and information system and, by extension, to categorize them in terms of the level of security each needs.  The process originated with the Federal Information Security Management Act of 2002 (FISMA), and NIST published FIPS PUB 199 (a Federal Information Processing Standards Publication) to help agencies better understand and address the security requirements of the types of information each system holds.  We adopted this process to help our customers assess their risk because it is widely understood and widely adopted.

When considering each axis, think about the risk your organization would face were that element to be affected, and consider each axis independently of the others.  To see how this works, consider a system that holds information about your employees, where one of the information types is salary.  Look at each element of the CIA assessment separately.

Confidentiality:  If the organization lost confidentiality on this information, what risk does it face?  Would it result in the closure of the company?  Would it be serious but survivable?  Would it have only a minor impact?  Or maybe it would have no impact at all.  A company that reasonably expects to go out of business from a loss of confidentiality would likely assign a risk level of “high” for this type of impact on confidentiality.  The assessment would likely be moderate if the impact were serious and low if it were minor.  If the disclosure of this information would have no impact, then the assigned level would be none.

Integrity:  Integrity looks at situations where the information is either destroyed or improperly modified.  To look at the impact a loss of integrity might have on the organization, consider what would happen if somehow the compensation levels were incorrectly altered.  Could the information be recovered from old payment slips or personnel files somewhere else?  If it can’t be, would the loss of that information result in huge consequences for the organization?  If the answer is yes, then you would likely want to assign a risk level of high.  A moderate, low or “none” designation would be appropriate if the risk were smaller or non-existent.

Availability:  Availability addresses situations where the information is accurate and exists, but for some reason is not available in a timely and reliable manner.  This could be because of a power outage or computer failure.  What impact would this have on the organization?  Would it make it impossible for the organization to complete its mission?  If so, the risk level would be high.  If the impact would be serious but survivable, then the risk is moderate, and the risk would be low if the impact would only be minor.  You would assign none if there were no risk associated with a loss of availability.

To determine the security categorization for this information type as a whole, you simply take the highest risk level found on any of the three axes and select that value (the “high water mark”).  So if the information type had a CIA assessment of {Moderate, Moderate, High}, the security categorization for that information type would be High.
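The high water mark rule above is small enough to write down as code. The following is an added example, not part of the original article or of any NIST publication: it takes a CIA assessment for one information type and returns its security categorization, and it also goes one step beyond the article by rolling several information types up into a system-level categorization (FIPS 199 applies the same rule per axis across all information types a system holds, then takes the overall maximum). The `Impact` enum, the `NONE` level (the article's “none”; FIPS 199 itself defines only Low, Moderate and High) and the sample “salary” and “cafeteria menu” assessments are constructed for illustration.

```python
from enum import IntEnum
from typing import Dict, Mapping, Tuple, Union

AXES = ("confidentiality", "integrity", "availability")


class Impact(IntEnum):
    """Impact levels ordered so that max() yields the high water mark.

    NONE follows the article's usage; FIPS 199 itself only defines
    LOW, MODERATE and HIGH (SP 800-60 uses N/A for confidentiality of
    information that is intentionally public).
    """
    NONE = 0
    LOW = 1
    MODERATE = 2
    HIGH = 3


ImpactLike = Union[Impact, str]


def parse_impact(value: ImpactLike) -> Impact:
    """Accept an Impact or a case-insensitive label such as 'Moderate' or 'N/A'."""
    if isinstance(value, Impact):
        return value
    key = str(value).strip().upper().replace("/", "")
    if key == "NA":
        key = "NONE"
    try:
        return Impact[key]
    except KeyError:
        raise ValueError(f"unknown impact level: {value!r}") from None


def categorize_information_type(cia: Mapping[str, ImpactLike]) -> Impact:
    """Security categorization of one information type: the highest
    impact level across confidentiality, integrity and availability."""
    missing = [axis for axis in AXES if axis not in cia]
    if missing:
        raise ValueError(f"assessment is missing axes: {missing}")
    return max(parse_impact(cia[axis]) for axis in AXES)


def categorize_system(
    info_types: Mapping[str, Mapping[str, ImpactLike]],
) -> Tuple[Dict[str, Impact], Impact]:
    """System-level categorization (FIPS 199 high water mark):
    per axis, the maximum over every information type the system holds;
    overall, the maximum of those three per-axis values."""
    if not info_types:
        raise ValueError("a system must hold at least one information type")
    per_axis = {
        axis: max(parse_impact(cia[axis]) for cia in info_types.values())
        for axis in AXES
    }
    return per_axis, max(per_axis.values())


def format_sc(name: str, per_axis: Mapping[str, Impact]) -> str:
    """Render in the FIPS 199 notation SC name = {(axis, LEVEL), ...}."""
    body = ", ".join(f"({axis}, {per_axis[axis].name})" for axis in AXES)
    return f"SC {name} = {{{body}}}"


if __name__ == "__main__":
    # Constructed sample assessments for an employee information system.
    salary = {"confidentiality": "Moderate", "integrity": "Moderate", "availability": "High"}
    cafeteria_menu = {"confidentiality": "N/A", "integrity": "Low", "availability": "Low"}

    print("salary ->", categorize_information_type(salary).name)          # HIGH
    per_axis, overall = categorize_system({"salary": salary, "menu": cafeteria_menu})
    print(format_sc("employee system", per_axis), "-> overall", overall.name)
```

Because `Impact` is an `IntEnum`, `max()` orders the levels correctly without a separate ranking table, and `parse_impact` rejects labels it does not recognise rather than silently treating a typo as “none”, which would understate the categorization.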

If all of this seems a bit daunting, the nice folks at NIST have a publication, SP 800-60, in which they take an initial stab at categorizing many of the information types the federal government uses.  The link to this publication is: https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-60v2r1.pdf.  Hopefully this helps.
