Cybersecurity Requirements

CIA Triad

Confidentiality:

  • Is data hidden from unauthorized access?

  • Data at rest: Is the data secure when not in use

    • Encrypted in database

  • Data in transit: Is data secure when moved

    • Encrypted USB drive, transmitted in encrypted form, sent to the right person

  • Data in use: Is data secure in use

    • Is stale data left behind in memory? Is it protected in memory while in use?

Integrity:

  • Ensure data is accurate, consistent, and trustworthy

    • Do you have a hash to ensure the data has not been tampered with?

    • Is it cryptographically signed so that we can verify the sender?

    • Do we have a secure history of what’s changed?
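
As an added example (not part of these notes), the three integrity checks above using only Python's standard library: a SHA-256 digest for tamper detection, an HMAC tag as a symmetric stand-in for a signature to verify the sender (assumes a shared key; a real deployment would use an asymmetric signature), and a hash-chained change log as the secure history of what changed.

```python
import hashlib
import hmac
import json

# Constructed demo secret; a real system would load it from a secrets store.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"

def digest(data: bytes) -> str:
    """SHA-256 of the data, used to check that it has not been tampered with."""
    return hashlib.sha256(data).hexdigest()

def tag(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 over the data: only a holder of the key can produce a valid tag,
    so a matching tag shows the sender knew the key (symmetric stand-in for a signature)."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def verify_tag(key: bytes, data: bytes, expected: str) -> bool:
    """Constant-time comparison so the check cannot leak the tag byte by byte."""
    return hmac.compare_digest(tag(key, data), expected)

def _entry_body(change: str, prev: str) -> bytes:
    return json.dumps({"change": change, "prev": prev}, sort_keys=True).encode()

def append_entry(history: list, change: str) -> list:
    """Append a change record whose hash covers the previous entry's hash, so
    editing, reordering or dropping any earlier record breaks every later link."""
    prev = history[-1]["entry_hash"] if history else "0" * 64
    history.append({"change": change, "prev": prev, "entry_hash": digest(_entry_body(change, prev))})
    return history

def verify_history(history: list) -> bool:
    """Recompute every link of the chain; returns False on the first broken one."""
    prev = "0" * 64
    for entry in history:
        if entry["prev"] != prev or entry["entry_hash"] != digest(_entry_body(entry["change"], prev)):
            return False
        prev = entry["entry_hash"]
    return True

if __name__ == "__main__":
    record = b"balance=100"
    t = tag(SHARED_KEY, record)
    print("sender verified:", verify_tag(SHARED_KEY, record, t))      # True
    h = append_entry(append_entry([], "set balance=100"), "set balance=90")
    h[0]["change"] = "set balance=1000"  # tamper with an old record
    print("history intact:", verify_history(h))                       # False
```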

Availability:

  • Do the authorized users have access to tools and data to do work

    • Do you have redundancy built in?

    • Do you have a disaster recovery plan?

    • Do you have a way to know if you’ve lost availability?

Authorization:

  • You are allowed some level of access to the data

    • Read vs. Write vs. Append

  • Just because someone can access something, should they?

Access Control Matrix

  • Defines the permissions and access levels for each user, ensuring that only authorized individuals can perform specific actions on the data.

Role-Based Access Control (RBAC)

  • Organizes users & data into discrete groups and permissions

Authentication:

  • You know:

    • Username, password, security question

  • You have:

    • Key, Security token, two-factor authn.

  • You are:

    • Biometrics

      • Fingerprint

      • Iris

      • Voice

      • Typing patterns