The third part of the CIA triad — availability — often surprises people. Contrary to popular belief, being “secure” does not mean locking down your information. It’s a delicate balance between protecting your data from prying eyes and opening it up to employees, clients and other stakeholders.
Proper data availability involves allowing for adequate employee access and avoiding both natural and malicious disruptions.
The Principle of Least Privilege
Your employees need to access private and proprietary information; without it, you prevent them from doing their job.
Your organization should have a policy that governs data, application and hardware access. Agio recommends the principle of “least privilege,” which gives users the bare minimum access to properly perform their job. When a staffer needs access to something beyond the bare minimum, it will have to be approved separately.
Applications and hardware should also follow this principle. It can be tempting to approve access prematurely — especially when an employee is scheduled to work on a project in the future — but this should be avoided to maintain security. Don’t give your employees access to apps or equipment they don’t need until they need it.
Disruption of Availability
Providing availability to your data also means preventing disruption of access. There are two types of disruption: malicious and natural.
We know you have the best intentions with your security practices, but they can’t get in the way of the uptime of equipment, your web presence or TPS machines, for example. Your security and compliance policies should ensure systems return to service quickly so you don’t disrupt business continuity.
This is especially important for service-based businesses. For instance, if your banking website offers a 24-hour service, your policies should aid in thwarting DDoS attacks. Without a security policy, the likelihood of a bad actor shutting down the site rises dramatically. This would diminish the 24-hour service and affect the client base — effects that will be felt all the way back to the company’s stakeholders.
Natural disasters — power outages, earthquakes, flooding and more — can also cause systems to go down. You can mitigate the risk of these disruptions with careful planning, starting with selecting a location for your business. If the area you choose to headquarter your organization is known to experience natural disasters, you can make smart choices around physical security, such as moving your servers to the cloud.
You should also duplicate your data at another location as part of a disaster recovery plan. Good DR is all about being proactive — you should develop this plan now and immediately begin backing up data so, should anything happen, it can be downloaded to new hardware and restored. Planning and policies of this kind give users, clients, applications and hardware the best uptime possible.
Using the CIA Triad
As a modern business, you cannot afford to put off prioritizing cybersecurity. Adopting the CIA triad is an easy guide to establishing a strong security foundation:
- Confidentiality will keep your secrets secret.
- Integrity keeps your data and software from being compromised.
- Availability will keep your services running smoothly.
Breaking down security components into three distinct areas will put any IT manager on the right path to implementing a security project. The CIA triad is just one small piece of the professional managed IT and cybersecurity services Agio offers. For more information on how to protect your data, contact us.