Confidentiality, integrity, and availability comprise the CIA triad, a model used to guide the areas of focus for computer security. These three foundational objectives drive the development of policies, form the basis for information security plans, and are the principles for developing benchmarks to assess security.
Confidentiality ensures that only authorized users have access to data. Integrity means assuring that data remains in its intended state and is only edited by authorized personnel. Availability is defined as providing the right access to systems and data when and where needed. Together, the CIA triad provides a solid baseline for computer security.
There are two additional objectives that are often included in security evaluations and plans: authentication and nonrepudiation. Authentication is the process by which credentials are presented and validated to enable access. Nonrepudiation ensures authenticity such that the originator cannot deny identity.
Resources
For longer definitions, read:
The impact of breaches of any of the five is discussed in FIPS PUB 199 Standards for Security Categorization of Federal Information and Information Systems on pages 2–6.
Check Your Knowledge
Choose the best answer to each question:
Question
1
The CIA triad is a major concept for cybersecurity professionals. Which of the following parts of the triad defines availability?
prevention of unauthorized disclosure of sensitive data
prevention of unauthorized changes to systems and data
prevention of disruption of service and productivity
prevention of lawsuits from contractors and other parties
The prevention of unauthorized disclosure of sensitive data defines the confidentiality component of the CIA triad. Try again.
The prevention of unauthorized changes to systems and data defines the integrity component of the CIA triad. Try again.
Correct. The prevention of disruption of service and productivity defines the availability component of the CIA triad.
The prevention of lawsuits from contractors and other parties deals with the concept of nonrepudiation. Try again.
Question
2
The CIA triad concept that relates to appropriate access to sensitive information is which of the following?
confidentiality
integrity
availability
nonrepudiation
This statement is true. Confidentiality is a set of rules that limits access to information.
Integrity is the assurance that the information is trustworthy and accurate. Try again.
Availability guarantees reliable access to the information by authorized people. Try again.
Nonrepudiation ensures authenticity such that the originator cannot deny identity. It is not a component of the CIA triad. Try again.
Question
3
Hardware maintenance, redundancy, network communications, backups, and upgrades are significant to systems. Which of the following parts of the CIA triad is concerned with these tasks?
confidentiality
availability
nonrepudiation
authentication
Confidentiality is a set of rules that limits access to information with no reference to tasks listed. Try again.
This statement is true. Availability guarantees reliable access to the information by authorized people that includes all the tasks listed.
Nonrepudiation does not apply to the listed tasks; it only relates to data integrity, origin, and assurance that the data is genuine. Try again.
Authentication is any process that a system verifies the identity of a user who wishes to access it and does not address the topics listed. Try again.
Question
4
Several security models relate to different components of the CIA triad. Which of the models below address the three goals of integrity?
The Clark–Wilson model
Biba model
Bell-LaPadula security model
Lattice model
This statement is true. The Clark–Wilson Integrity Model provides a foundation for specifying and analyzing an integrity policy for a computing system and includes the three goals of integrity.
The Biba model emphasizes ensuring data integrity through the use of access controls. Try again.
The Bell–LaPadula security model emphasizes confidentiality and provides a framework for the protection of sensitive or classified information. Try again.
The Lattice model is an access control model that uses a lattice to define the levels of security of a given object and the authorized accesses of an individual. It then determines access based on an alignment between authorized levels of the object and the individual. This model does not address the three goals of integrity. Try again.
Question
5
Classification categories for access control are based on evaluation of sensitivity or criticality. The generalized format for expressing the security category, SC, of an information type is:
confidentiality, integrity, availability
confidentiality, integrity, assurance
confidentiality, integration, availability
confidentiality, integration, assurance
This statement is true. The generalized format for expressing the security category of an information type is as follows: SC information type = {(confidentiality, impact), (integrity, impact), (availability, impact)}
The generalized format for expressing the security category of an information type does not include assurance. Try again.
The generalized format for expressing the security category of an information type does not include integration. Try again.
The generalized format for expressing the security category of an information type does not include integration or assurance. Try again.
Question
6
Asymmetric key encryption, which uses public and private keys to encrypt and decrypt data, is advantageous due to which of the following:
confidentiality, authentication, nonrepudiation
confidentiality, integration, availability
confidentiality, integrity, nonrepudiation
confidentiality, integrity, authentication
This statement is true. Due to the asymmetric key encryption process, confidentiality, authentication, and nonrepudiation are addressed.
Integration and availability are not addressed during the asymmetric key encryption process. Try again.
Integrity is not addressed during the asymmetric key encryption process. Try again.
Integrity is not addressed during the asymmetric key encryption process. Try again.
Question
7
What are two of the main security goals of the CIA triad?
commercial and federal infrastructure
confidentiality and integrity
availability and refutability
analysis and development
The CIA triad is a model of the main information security goals for organizations. This model includes confidentiality, integrity, and availability, and often extends to authentication and nonrepudiation. Commercial and federal infrastructure are not present on this list of security goals. Try again.
This statement is true. The CIA triad is a model of the main information security goals for organizations. This model includes confidentiality, integrity, and availability, and often extends to authentication and nonrepudiation.
The CIA triad is a model of the main information security goals for organizations. This model includes confidentiality, integrity, and availability, and often extends to authentication and nonrepudiation. Refutability is not present on this list of security goals. Try again.
The CIA triad is a model of the main information security goals for organizations. This model includes confidentiality, integrity, and availability, and often extends to authentication and nonrepudiation. Analysis and development are not present on this list of security goals. Try again.
Question
8
Which of the following part of the CIA triad defines integrity?
prevention of the use of private information
prevention of unauthorized changes to company data
prevention of destruction of physical services
prevention of litigation of users
The prevention of the use of private information deals with confidentiality. Try again.
This statement is true. The definition of integrity is the assurance that the information is trustworthy and accurate, which would include the prevention of unauthorized changes to company data.
The prevention of the destruction of physical services deals with availability. Try again.
The prevention of the litigation of users deals with nonrepudiation. Try again.