Information and the CIA
- Created on 27 July 2017
- Written by Steve Burrows
A long, long time ago, and a long way from here, I used to work in one of those organisations where every office had a safe for locking away sensitive documents, the clean desk policy was mandatory, the whiteboards and wallcharts had curtains (which were kept closed to prevent you from seeing them), the barred windows were triple-glazed to inhibit eavesdropping using “laser microphones”, and the building was repeatedly “swept” for electronic “bugs”. Before I was allowed to work there, somebody visited my known family, acquaintances, past schoolteachers et al. and quizzed them to make sure I was trustworthy.
There were no computers in the organisation (did I say it was a long time ago?). At one end of a long corridor was a large secure room called the Registry. The Registry had a stable door, with a serving counter affixed to the top of the lower section, and stored all of the organisation’s sensitive files. Anyone who was entitled to view one of these files would request, and be issued with, the appropriate file by the Registry staff and would sign the Register for it. The Register would be counter-signed by the Registry staff when the file was returned. Files were classified according to their sensitivity - “Classified”, “Secret”, “Top Secret” etc. - and numbered, as were the document pages within. If there were multiple copies of files or documents then each might have its own numbering for traceability purposes.
The point of all this bureaucracy? Information Security. The Registry was the repository for all the organisation’s sensitive documents. The security measures ensured that files were only seen by authorised persons who were required to keep them secure. When a file was not in the registry the current authorised holder of the file was known. If an unauthorised copy was made or information was removed, changed or leaked there was a record of who had had access to the file. The methods of keeping files ensured Confidentiality, Integrity and Availability - known in Information Security as the CIA triad (nothing to do with the American intelligence agency sharing the same initials).
If all this sounds similar to the principles encompassed in Cyber Security, it is. Cyber Security is about keeping digital records safe - the CIA triad principles apply, but the threats to each of Confidentiality, Integrity and Availability are different, and the threat landscape evolves more quickly. Many people lose sight of the objectives of Cyber Security; it is often difficult to see the wood for the trees in the forest of digital threats (hackers, spyware, ransomware etc.), but the game is the same: Cyber Security is about keeping digital information systems secure, intact and available. The Registry serving counter was the equivalent of the firewall on a computer system, the File Request chit was the equivalent of the computer access credentials, and the Register was the equivalent of the computer log files recording who has seen or changed what information or data.
Cyber Security is at heart nothing more than a subset of Information Security, although keeping paper files safe seems a lot less complex than securing data stored in computers. Access to both paper and digital files needs to be restricted to those people who are entitled to see the contents; the ability to change the contents needs to be restricted to those who have authority to make changes, and the authorship of changes must be identified; and both paper and digital files need to be available for use when required. All the rest of the sometimes abstruse cyber security vocabulary is simply a reflection of the different technologies used to protect against the different forms of threats in the digital landscape.
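The Register, read as the equivalent of a log file, is the part of the analogy that carries over most directly into code. The following is an added example, not code from the article: a small hash-chained register in Python that enforces the three rules the Registry worked by (only cleared persons are issued a file, the current holder of any file out of the Registry is always known, and a later alteration of an entry is detectable). The file identifiers, names and the AUTHORISED clearance table are constructed for the example.

```python
import hashlib
import json

# Constructed clearance table for the example: which persons may be issued which file.
AUTHORISED = {
    "FILE-001": {"alice", "bob"},
    "FILE-002": {"alice"},
}

GENESIS = "0" * 64  # previous-hash value used for the first entry in the Register


class Register:
    """A hash-chained Register: every entry commits to the digest of the entry before it,
    so an entry cannot be altered or removed later without breaking every later digest."""

    def __init__(self):
        self.entries = []    # ordered list of signed-off entries
        self.held_by = {}    # file_id -> person who currently holds the file

    @staticmethod
    def _digest(body, prev_hash):
        # Canonical JSON so the same entry always hashes the same way.
        payload = json.dumps(body, sort_keys=True) + prev_hash
        return hashlib.sha256(payload.encode("utf-8")).hexdigest()

    def _append(self, file_id, person, action, when):
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"file": file_id, "person": person, "action": action, "time": when}
        entry = dict(body, hash=self._digest(body, prev_hash))
        self.entries.append(entry)
        return entry

    def issue(self, file_id, person, when):
        """Issue a file. The Confidentiality check (clearance) and the Availability check
        (a file cannot be out with two people at once) both happen here."""
        if person not in AUTHORISED.get(file_id, set()):
            raise PermissionError(f"{person} is not cleared for {file_id}")
        if file_id in self.held_by:
            raise ValueError(f"{file_id} is already held by {self.held_by[file_id]}")
        self.held_by[file_id] = person
        return self._append(file_id, person, "issued", when)

    def return_file(self, file_id, person, when):
        """Counter-sign the return; only the recorded holder can return a file."""
        if self.held_by.get(file_id) != person:
            raise ValueError(f"{file_id} is not held by {person}")
        del self.held_by[file_id]
        return self._append(file_id, person, "returned", when)

    def current_holder(self, file_id):
        """Who has the file now; None means it is back in the Registry."""
        return self.held_by.get(file_id)

    def access_history(self, file_id):
        """Everyone who has ever been issued the file, in order: the answer to
        'who had access' when a leak or an unauthorised change is discovered."""
        return [e["person"] for e in self.entries
                if e["file"] == file_id and e["action"] == "issued"]

    def verify(self):
        """Integrity check: recompute the whole chain. Returns the index of the first
        entry whose digest no longer matches, or None if the Register is intact."""
        prev_hash = GENESIS
        for index, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if self._digest(body, prev_hash) != entry["hash"]:
                return index
            prev_hash = entry["hash"]
        return None


if __name__ == "__main__":
    reg = Register()
    reg.issue("FILE-001", "alice", "2017-07-27T09:00Z")
    reg.return_file("FILE-001", "alice", "2017-07-27T11:30Z")
    reg.issue("FILE-001", "bob", "2017-07-27T14:00Z")
    print("FILE-001 held by:", reg.current_holder("FILE-001"))
    print("history:", reg.access_history("FILE-001"))
    print("intact:", reg.verify() is None)
    reg.entries[0]["person"] = "mallory"      # simulate a doctored entry
    print("first bad entry after tampering:", reg.verify())
```

The chain only makes tampering detectable, not impossible: anyone who can rewrite the whole list can recompute every digest. In practice the latest digest is therefore copied somewhere the log writer cannot reach (a separate system, or a signed checkpoint), which is the digital counterpart of the Registry staff counter-signing the Register.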
With the CIA model in mind it is quite easy for most people to envisage the operation of a secure library or “Registry”, and “Registers” or log files, in order to understand the basic principles of both Information Security and Cyber Security. The technicalities of each are for the technical specialists - I am not an expert on the types of lock considered most secure, nor the grades of steel bars which should be used to reinforce the walls or prevent intrusion through the windows and doors, when considering the construction of a secure room. I am quite good on computer technologies so I feel more comfortable in my technical knowledge when specifying the firewalls, servers, networks etc. to inhibit unauthorised access to computer data or to detect intruders than I would when specifying the construction of a bank vault.
With the basic principle established that Cyber Security is simply the application of Information Security (“InfoSec”) into the digital domain, the higher consideration is what information are we protecting, from what risks, why and how? This is where Information Assurance comes into play. Information Assurance is relatively new as a distinct discipline, recognising that with the burgeoning range of types of information, the complexity and criticality of the processes and contexts in which information is used, and the particular inventiveness of cyber criminals in devising new ways to access and exploit digital information, the simpler Information Security mechanisms applied to paper files are insufficient.
In the dim and distant past an unauthorised intrusion into the secure document Registry was unlikely and easily detected, and the most sensitive documents were often transported from place to place by a trusted courier, sometimes in a locked briefcase chained to his wrist; today it is comparatively easy to break into a computer network undetected, and copy or modify information without leaving obvious signs of intrusion, unless the Information Assurance policies and practices of an organisation have been designed with a sophisticated understanding of today’s information systems and technologies.
The first step in developing a robust Information Assurance framework is to understand what information you hold, how sensitive it is, and what the potential risks to it might be. Only when you have determined these can you set about designing systems and controls to mitigate the risks appropriately. For example, a workplace with a staff restaurant will probably publish a menu each day, circulated by email or displayed on the Intranet. Is it likely to be commercially confidential? Probably not. Would it much matter if someone made unauthorised changes? Not much. If the digital version of the menu were lost the staff restaurant manager would probably just write up another and display it by the serving counter. Is it worth considerable effort either to steal or to protect the menu? Unlikely. The Confidentiality, Integrity and Availability of the staff restaurant menu are all non-critical. Apply the same tests to the business’s Customer Relationship System, the Purchase Order Processing system or the Directors’ emails pertaining to the proposed takeover of a competitor and a different picture emerges. Each is stored in a different mechanism and used differently.
A customer database will rarely be transmitted across the Internet and there is little to be gained in modifying its contents, but it may be attractive to unscrupulous competitors and must be protected from exposure for data protection purposes.
The procurement system data is unlikely to be transmitted en masse over a public network, and unlikely to be very attractive to a data thief or to cause data protection concerns, but it is more likely at risk from modification of its individual orders for financial fraud, to cause an organisation to pay money to a non-existent supplier or to over-pay an ostensibly legitimate supplier.
The directors’ emails may contain little personal or transactional data, but will necessarily be transmitted over networks, likely including the Internet, and may be massively valuable to a wide range of external parties including competitors and financial speculators.
Each therefore requires different forms of protection. For the customer database the primary concern is protecting the data “at rest” in the company’s own systems from theft by hackers: Confidentiality is paramount, although Integrity and Availability will also be relevant. For transactional records such as the procurement data, Integrity is probably the highest priority, followed by Availability and Confidentiality, again with the main focus being protecting the data at rest in the company’s systems. Protection of the directors’ emails is likely more about Confidentiality and Integrity, with Availability being a lower priority, and must include protection of the data in flight across public networks as well as at rest on the company’s email servers.
A robust Information Assurance process will ensure that the risks and threats associated with each type of data held by the company are appropriately assessed, and the appropriate controls and protections imposed. In today’s world this is a very necessary process; Cyber Security technologies are complex and expensive and there are many types of threat to defend against. There is no value in locking away the staff restaurant menu in a secure vault, and little value in securing the email server behind expensive firewalls if the directors’ emails can be easily read by someone who has placed a tap on the Internet outside.
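As an added example (not from the article), the triage walked through above for the menu, the customer database, the procurement system and the directors’ emails can be written down as a simple risk matrix: each CIA property gets an impact rating and a likelihood rating, risk is their product, the ordering of the three scores gives the protection priority, and a flag for data that leaves the company’s network decides whether in-flight protection is needed. The numeric ratings, the threshold of 6 and the control families in CONTROLS are assumptions chosen to reflect the article’s reasoning, not figures from the page.

```python
from dataclasses import dataclass

PROPERTIES = ("C", "I", "A")   # Confidentiality, Integrity, Availability


@dataclass
class Asset:
    name: str
    impact: dict        # per property: 1 (negligible) .. 5 (severe) if that property is breached
    likelihood: dict    # per property: 1 (remote) .. 5 (expected) that someone will attack it
    crosses_public_network: bool = False   # data is transmitted outside the company's own systems


def risk_scores(asset):
    """Risk per property as impact x likelihood (range 1..25)."""
    return {p: asset.impact[p] * asset.likelihood[p] for p in PROPERTIES}


def priority_order(asset):
    """CIA properties ordered by risk, highest first; ties keep the C, I, A order."""
    scores = risk_scores(asset)
    return sorted(PROPERTIES, key=lambda p: (-scores[p], PROPERTIES.index(p)))


def protection_scope(asset):
    """Where the controls must apply: always at rest, and also in flight when the
    data leaves the company's own network."""
    return ["at rest", "in flight"] if asset.crosses_public_network else ["at rest"]


def worth_protecting(asset, threshold=6):
    """Below the (assumed) threshold none of the three properties is critical: the menu case."""
    return max(risk_scores(asset).values()) >= threshold


# Generic control families per property (assumed). Which ones apply to an asset follows
# from its scores and scope, not from its name.
CONTROLS = {
    "C": "access control and encryption of stored data",
    "I": "change authorisation and an audit trail of who changed what",
    "A": "backups and redundancy",
}


def recommend(asset, threshold=6):
    """Priority order, protection scope and the controls justified by the scores."""
    order = priority_order(asset)
    if not worth_protecting(asset, threshold):
        return {"priority": order, "controls": [], "scope": []}
    scores = risk_scores(asset)
    controls = [CONTROLS[p] for p in order if scores[p] >= threshold]
    scope = protection_scope(asset)
    if "in flight" in scope:
        controls.append("encryption in transit across public networks")
    return {"priority": order, "controls": controls, "scope": scope}


# Constructed ratings that follow the article's reasoning (assumed values, not from the page).
ASSETS = [
    Asset("staff restaurant menu", {"C": 1, "I": 1, "A": 1}, {"C": 1, "I": 1, "A": 2}),
    Asset("customer database", {"C": 5, "I": 3, "A": 3}, {"C": 4, "I": 2, "A": 2}),
    Asset("procurement system", {"C": 2, "I": 5, "A": 4}, {"C": 2, "I": 4, "A": 2}),
    Asset("directors' emails", {"C": 5, "I": 4, "A": 2}, {"C": 4, "I": 3, "A": 2},
          crosses_public_network=True),
]


def triage(assets=ASSETS):
    """Run the assessment over every asset and return a report keyed by asset name."""
    return {a.name: recommend(a) for a in assets}


if __name__ == "__main__":
    for name, rec in triage().items():
        print(f"{name}: priority {' > '.join(rec['priority'])}, scope {rec['scope']}")
        for control in rec["controls"]:
            print("   -", control)
```

With these ratings the report reproduces the article’s conclusions: the menu gets no controls, the customer database ranks Confidentiality first, the procurement system ranks Integrity then Availability, and the directors’ emails rank Confidentiality and Integrity and are the only asset whose scope includes in-flight protection. The value of writing it down this way is that the ratings, not the asset’s name, drive the outcome, so the same procedure extends to every other system the company holds.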