How NIST’s Cybersecurity Framework Protects the CIA Triad

What is the CIA triad?

The NIST CIA triad is a model that helps organizations implement information security programs to protect their confidential and sensitive data.

Typically, this is carried out through policies, processes, and procedures.

The CIA triad comprises:

1) Confidentiality: Access to information should be restricted to only those who need it.

2) Integrity: Information should be accurate, reliable, and protected from unauthorized modification, destruction, and loss.

3) Availability: Authorized persons should be guaranteed access to information when necessary.

Organizations need to ensure that all three elements of the CIA triad are addressed, as protecting confidentiality alone does not constitute security.

After all, information is only useful if you know it is correct and can access it.

Unfortunately, confidentiality is the element that is focused on the most, leading many organizations to overlook availability and, in particular, integrity.

NIST warns that it’s a mistake to underestimate the importance of integrity

The importance of integrity is often underestimated, particularly in a security context.

Ron Ross, a fellow at the National Institute of Standards and Technology (NIST), says that an integrity-related incident could undermine an organization’s holistic CIA approach.

“If you have a compromise of integrity, it can affect both availability and confidentiality. The malicious code can wreck confidentiality by getting access to things it shouldn’t have access to and seeing things it shouldn’t.

“Alternatively, compromising key components of a system through an integrity violation can make the system crash and the capability go away.”

Cyber criminals are targeting data and IT system integrity at an ever-increasing pace.

According to NIST’s draft Special Publication 1800-11A, Data Integrity – Recovering from Ransomware and Other Destructive Events, data integrity attacks have already compromised confidential business information, including emails, employee records, financial records, and customer data.

It lists the following risks that can alter or destroy data:

  • Destructive malware
  • Ransomware
  • Malicious insider activity
  • Honest mistakes (human error)

Ransomware is a menacing threat to information integrity

In a ransomware attack, criminal hackers infiltrate an organization’s computer systems, encrypt its data, and hold it for ransom, demanding payment to decrypt the data.

Organizations must ensure that their data is accurate and safe – before and after a data breach or hack.

NIST’s Cybersecurity Framework can help organizations prevent security incidents and recover successfully from those that do occur.

The Framework is promoted as a US framework for critical infrastructure organizations, but it can be implemented by organizations of all sizes and levels of complexity.

NIST’s Cybersecurity Framework takes a risk-based approach to managing cybersecurity

The Framework can be used to tackle ransomware and other cybersecurity threats and vulnerabilities. Through the Framework, an organization can:

  • Expedite cybersecurity strategy creation efforts
  • Reduce internal miscommunications and human error by implementing an information security program
  • Heighten its awareness of cyber threats
  • Implement security controls to mitigate or reduce risks, and manage data breaches and other cybersecurity incidents

The Framework can also increase board members’ awareness of key cybersecurity areas.

According to Ross, integrity must be considered at board level. Once the board takes its importance to the organization seriously, this will trickle down to the operational and/or development levels. He says:

“So, if you’re developing a system or a product, that development work has to have high integrity, too, because management wants to make sure that what they’re producing is what the customer gets and they can be trusted to be giving customers what they expect.”

Combined with other control sets, NIST’s Framework can protect against threats to your data’s integrity

Organizations can pair the Framework with NIST SP 800-53, the Center for Internet Security (CIS) Critical Security Controls for Effective Cyber Defense (CSC), and other information security frameworks or control sets.

You may also integrate ISO 27001, the international standard that outlines best practices for implementing an information security management system (ISMS).

Obtaining ISO 27001 certification sends a clear message that your organization has taken reasonable measures to ensure the confidentiality, integrity, and availability of your sensitive and confidential data.

Testing and assessing your ISMS is essential to learn whether it is functioning as it should and to make improvements as necessary.

Achieving ISO 27001 compliance requires a risk assessment, which can help you to better understand your organization’s cybersecurity posture.

Free Green Paper – Risk Assessment and ISO 27001

An ISO 27001 ISMS that follows defined risk acceptance/rejection criteria will be organized and ready for the next step towards implementation, but the risk assessment process can be a complex, difficult aspect to manage.

Risk Assessment and ISO 27001 explains the issues and technical details surrounding the risk assessment process. You will discover:

  • The three stages of the ISO 27005 risk assessment process: risk identification, analysis, and evaluation
  • Risk assessment and the ISO 27001 Statement of Applicability
  • How to use risk assessments to achieve maximum benefits from minimum security costs
  • How risk assessments fit into the continuous improvement cycle