Confidentiality, Integrity and Availability (CIA) are the three axes the National Institute of Standards and Technology (NIST) uses to express the level of risk associated with each type of information and each information system, and by extension to categorize them by the level of security each needs. The process grew out of the Federal Information Security Management Act of 2002 (FISMA), under which NIST published FIPS PUB 199 (which defines the security categorization itself) and FIPS PUB 200 (which sets minimum security requirements based on that categorization) to help agencies understand and address the security requirements of each system that holds sensitive information. We adopted this process to help our customers assess their risk because it is widely understood and widely adopted.
When considering each axis, think about the risk your organization faces were that element to be compromised, and consider each axis independently of the others: a loss of confidentiality, a loss of integrity and a loss of availability can have very different impacts for the same data. To see how this works, consider a system that holds information about your organization’s finances. It likely holds many different information types: Social Security Numbers or Tax ID numbers, Payment Card Information, a myriad of information types relating to each customer, and a host of other data types.
In another article we described how to classify the security risk for each information type. You assess the impact on the organization were it to experience a loss of confidentiality, integrity or availability of that information type; this gives an impact value for each of the three axes, and the highest of the three is that information type’s security classification. Following the FIPS 199 process (which FIPS 200 builds on), Cymetric then takes the per-axis assessments of every information type in the system and selects the highest value on each axis to categorize the system; this is the “high water mark” rule. So if, across all the confidentiality assessments for the different information types, the highest value is Moderate, the highest integrity assessment is None (no impact), and the highest availability assessment is Moderate, the security categorization is {Moderate, Low, Moderate}, and the system as a whole is assigned the highest of those three values: Moderate. Note that although an information type can have a value of “None” (FIPS 199 calls this “not applicable”), an information system cannot, so the lowest value assignable to a system on any axis is “Low”; that is why the None for integrity became Low in the example.
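The aggregation described above, written out as an added Python example (this is illustration code, not Cymetric’s own tooling): each information type carries its own confidentiality, integrity and availability impact; the system takes the highest value on each axis across all of its information types, floors None to Low because a system cannot be rated None, and the overall system level is the highest of the three axes. The finance-system inventory at the bottom is constructed for illustration, and the function and type names are assumptions.

```python
from enum import IntEnum
from typing import Dict, Mapping


class Impact(IntEnum):
    """Potential impact levels, ordered so max() gives the high water mark."""
    NONE = 0      # FIPS 199 "not applicable": valid for information types only
    LOW = 1
    MODERATE = 2
    HIGH = 3


AXES = ("confidentiality", "integrity", "availability")


def parse_impact(value: str) -> Impact:
    """Map a free-text assessment ("moderate", "None", ...) to an Impact level."""
    try:
        return Impact[value.strip().upper()]
    except KeyError:
        valid = [level.name.lower() for level in Impact]
        raise ValueError(f"unknown impact level {value!r}; expected one of {valid}")


def categorize_information_type(impacts: Mapping[str, str]) -> Dict[str, Impact]:
    """Per-axis impact for one information type, plus its overall classification.

    The overall classification is the highest of the three axes; an information
    type may legitimately be NONE on every axis (for example, public data).
    """
    missing = [axis for axis in AXES if axis not in impacts]
    if missing:
        raise ValueError(f"information type is missing assessments for {missing}")
    result = {axis: parse_impact(impacts[axis]) for axis in AXES}
    result["overall"] = max(result[axis] for axis in AXES)
    return result


def categorize_system(info_types: Mapping[str, Mapping[str, str]]) -> Dict[str, Impact]:
    """High-water-mark aggregation over every information type a system holds.

    For each axis, take the highest impact among all information types, then
    floor the result to LOW because an information system cannot be rated NONE.
    The system's overall level is the highest of its three axis values.
    """
    if not info_types:
        raise ValueError("a system must hold at least one information type")
    per_type = {name: categorize_information_type(cia) for name, cia in info_types.items()}

    system: Dict[str, Impact] = {}
    for axis in AXES:
        highest = max(assessment[axis] for assessment in per_type.values())
        system[axis] = max(highest, Impact.LOW)  # NONE is not allowed for a system
    system["overall"] = max(system[axis] for axis in AXES)
    return system


def format_security_category(system: Mapping[str, Impact]) -> str:
    """Render a system categorization in the FIPS 199 SC = {...} notation."""
    parts = ", ".join(f"({axis}, {system[axis].name})" for axis in AXES)
    return "SC = {" + parts + "}"


# Constructed inventory for the finance system discussed in the text (hypothetical values).
FINANCE_SYSTEM = {
    "Social Security / Tax ID numbers": {
        "confidentiality": "moderate", "integrity": "none", "availability": "low"},
    "Payment card information": {
        "confidentiality": "moderate", "integrity": "none", "availability": "moderate"},
    "Customer contact records": {
        "confidentiality": "low", "integrity": "none", "availability": "low"},
}


if __name__ == "__main__":
    category = categorize_system(FINANCE_SYSTEM)
    print(format_security_category(category))
    print("overall system level:", category["overall"].name)
```

Run as a script, this reproduces the worked example from the text: the highest confidentiality and availability assessments are Moderate, integrity is None for every information type and is floored to Low for the system, and the overall system level is Moderate. Adding a single information type rated High on any axis raises that axis, and therefore the whole system, to High, which is exactly the effect the high water mark rule is designed to have.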