By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.
The CIA Triad is the foundational model for information security, defining the three core objectives every security program must address: Confidentiality (keeping data private), Integrity (ensuring data is accurate and unaltered), and Availability (ensuring data is accessible when needed). Without balancing these three, systems are vulnerable to breaches, fraud, or downtime.
Real-world example:In 2023, a misconfigured AWS S3 bucket (a cloud storage service) exposed 10 million customer records (including PII like SSNs) because access controls were not properly set. This violated Confidentiality. Later, attackers encrypted the data (ransomware), violating Availability. Had the company enforced least privilege access (Confidentiality) and immutable backups (Availability), the breach could have been prevented.
Example: Encryption (Confidentiality), hashing (Integrity), redundancy (Availability).
Confidentiality: Ensuring data is only accessible to authorized users/systems. Prevents unauthorized disclosure.
Attack Example: Phishing (stealing credentials), Man-in-the-Middle (MITM) (eavesdropping on unencrypted traffic).
Integrity: Ensuring data is accurate, complete, and unaltered unless modified by authorized parties.
Attack Example: SQL Injection (modifying database records), DNS Spoofing (redirecting traffic to malicious sites).
Availability: Ensuring systems and data are accessible to authorized users when needed.
Attack Example: DDoS (Distributed Denial of Service) (overwhelming a server with traffic), Ransomware (encrypting data until a ransom is paid).
Non-Repudiation: Ensuring a party cannot deny performing an action (e.g., sending a message, approving a transaction).
Tools: Digital Signatures, Audit Logs, MITRE ATT&CK (T1552 – Unsecured Credentials).
Least Privilege: Users/systems get only the minimum access needed to perform their function.
Standard: NIST SP 800-53 (AC-6).
Defense in Depth: Using multiple layers of security controls (e.g., firewall + IDS + encryption) to protect against threats.
Example: A bank uses MFA (Multi-Factor Authentication) (Confidentiality), file integrity monitoring (Integrity), and offsite backups (Availability).
Risk = Threat × Vulnerability × Impact: A formula to quantify risk. If any factor is zero, risk is zero.
Example: A threat (hacker) exploits a vulnerability (unpatched software) to cause impact (data breach).
Single Loss Expectancy (SLE): SLE = Asset Value × Exposure Factor (e.g., $1M server with 50% loss = $500K SLE).
Annualized Loss Expectancy (ALE): ALE = SLE × Annualized Rate of Occurrence (ARO) (e.g., $500K SLE × 0.1 ARO = $50K ALE).
Business Impact Analysis (BIA): Identifies critical systems and the impact of their unavailability (used for disaster recovery planning).
Standard: ISO 22301, NIST SP 800-34.
Recovery Time Objective (RTO): Maximum acceptable downtime before a system must be restored.
Example: A hospital identifies patient health records (PII/PHI) as Restricted (high Confidentiality + Integrity).
Assess Risks to CIA
Example:
Select & Implement Controls
Example Controls: | CIA Objective | Control | Tool/Standard | |-------------------|------------|-------------------| | Confidentiality | Encryption | AES-256, TLS 1.3 | | Confidentiality | Access Control | RBAC, MFA (NIST AC-6) | | Integrity | Hashing | SHA-256, HMAC | | Integrity | Digital Signatures | PGP, X.509 Certs | | Availability | Redundancy | RAID, Failover Clusters | | Availability | DDoS Protection | Cloudflare, Akamai |
Monitor & Detect Violations
Deploy SIEM (Security Information and Event Management) (e.g., Splunk, IBM QRadar) to detect:
Respond & Recover
Follow incident response steps (NIST SP 800-61):
Continuous Improvement
A company’s database is encrypted at rest, but an attacker modifies the database records without detection. Which CIA objective was violated, and what control could have prevented this?
✅ Answer: Integrity was violated. File Integrity Monitoring (FIM) (e.g., Tripwire) or digital signatures could have detected unauthorized changes.
During a Business Impact Analysis (BIA), a security team determines that a critical payroll system must be restored within 2 hours and can tolerate no more than 30 minutes of data loss. What are the RTO and RPO?
✅ Answer:- RTO = 2 hours (maximum acceptable downtime).- RPO = 30 minutes (maximum acceptable data loss).
A hospital implements MFA (Multi-Factor Authentication) for all EHR (Electronic Health Record) systems. Which CIA objective does this primarily address, and what is a secondary benefit?
✅ Answer:- Primary: Confidentiality (prevents unauthorized access).- Secondary: Integrity (reduces risk of unauthorized modifications).
Join 4M+ learners. Unlock unlimited quizzes, wrong-answer tracking, flashcards + reminders, study guides, and 1-on-1 challenges.