CIA TRIAD
Focus on three core security concepts: integrity, availability, and confidentiality (the CIA triad).
Context from transcript: securing data so it cannot be altered without authorization or by accident, and ensuring data and systems are accessible when needed by authorized users.
Integrity
Definition from transcript: data should not be altered by unauthorized or unintentional means; even a simple mistake (e.g., typing an extra zero) can undermine integrity.
Practical example: If Jamie intended to send $10 and someone could alter the amount (e.g., add zeros), the data would lack integrity.
Safeguards mentioned: security controls that prevent data from being changed without authorization; the example given is two-factor authentication (2FA) as part of integrity protection.
Exam-style prompt from transcript:
Scenario: Alice logs into an online grading portal and can change all grades to a high mark (e.g., A+ in Computer Science). The question asks which CIA component is at risk.
Answer given: Integrity is at risk because unauthorized modification of grades violates data accuracy and trust.
Note: Availability could also be argued in some cases (e.g., access to data), but the core issue here is integrity (unauthorized modifications).
Additional nuance: sometimes questions feel like more than one option is correct, but the material emphasizes that accuracy and integrity of data are the primary concern in such a scenario.
Related implication: if someone creates a backdoor to alter data, integrity is compromised, and this raises alarms about authorization controls.
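An added example (not from the lecture) that puts the "Jamie sends $10" scenario into code: the transfer record is bound to a shared secret with an HMAC, so an attacker who adds a zero to the amount is detected at verification time. The key, field names and amounts are constructed for illustration.

```python
"""Added example (not from the lecture): detecting unauthorized alteration of a
transfer record with an HMAC. Key and record fields are constructed values."""
import hashlib
import hmac
import json

# Constructed demo key; in a real system this secret lives with the verifier.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def canonical(record: dict) -> bytes:
    # Deterministic serialization so sender and verifier hash identical bytes.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def sign_record(record: dict, key: bytes = DEMO_KEY) -> str:
    # The tag covers every field, including the amount, under the shared key.
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify_record(record: dict, tag: str, key: bytes = DEMO_KEY) -> bool:
    # compare_digest avoids leaking tag bytes through timing differences.
    return hmac.compare_digest(sign_record(record, key), tag)


def tamper_demo() -> tuple[bool, bool]:
    # Jamie intends to send $10 (1000 cents); an attacker "adds a zero".
    original = {"from": "Jamie", "to": "Alex", "amount_cents": 1000}
    tag = sign_record(original)
    altered = dict(original, amount_cents=10000)
    # Returns (original verifies, altered verifies) -> expected (True, False)
    return verify_record(original, tag), verify_record(altered, tag)


if __name__ == "__main__":
    ok, tampered_ok = tamper_demo()
    print(f"original verifies: {ok}, altered verifies: {tampered_ok}")
```

The MAC only catches changes made after the record was signed; a zero Jamie types by mistake is signed as-is, which is why the lecture's "unintentional alteration" case also needs input validation and confirmation at entry time.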
Availability
Definition from transcript: systems and data must be accessible at any time by authorized users.
Significance: loss of availability can be dangerous in critical domains like medical records or banking data.
Example risk: if authorized access to data is lost entirely, users cannot reach essential information when needed.
Interaction with integrity: protections that ensure integrity can also contribute to availability (e.g., robust access controls prevent outages caused by unauthorized changes).
Confidentiality (mentioned in context)
Note from transcript: RMS (Risk Management Steps) considers risks to integrity, access (availability), and confidentiality.
While not expanded upon in depth in the lecture excerpt, confidentiality remains a core component of the CIA triad in risk management discussions.
RMF / RMS: Acronyms and Key Players
RMF = Risk Management Framework (core framework referenced for risk management in security, privacy, and supply chain contexts).
RMS = Risk Management Steps (the practical workflow used to apply RMF and assess risk). The term RMS is used in the lecture to describe the step-by-step process.
ITG = International Technology Group (organization mentioned as focusing on measuring risk in security, privacy, and cyber supply chain).
RMS focus areas: risk measurement and management across security, privacy, and cyber supply chains.
Acronym awareness: the speaker emphasizes that there will be a large number of acronyms (e.g., 375 acronyms mentioned) and stresses the importance of learning them for the course.
Practical takeaway: knowing RMF and RMS concepts helps you understand how to assess and mitigate risk systematically, not just reactively.
RMF / RMS: The Eight Steps (Risk Management Framework)
The eight steps described (collectively referred to as RMF/RMS steps):
Prepare: ensure readiness for security and privacy risk management.
Categorize: determine where information is processed, stored, and transmitted.
Select: choose the appropriate controls to protect the information and systems.
Implement: deploy the selected controls.
Document: record what was done so everyone understands the processes.
Assess: determine whether controls are operating as intended and producing the desired results.
Authorize: make risk-based decisions on whether to proceed or adjust controls.
Monitor: continuously observe the risk environment and the effectiveness of controls.
Emphasis in class: the current focus is on the Assess step, with the assumption that the other steps have already been handled by the school board and administration (e.g., Mr. Mushery, Doctor Hoffman, Mr. Hyatt, Officer Parker, Mr. Ranallo, principals).
Practical application: students will engage in an assessment project on campus and, potentially, audit a local business to perform a risk assessment. Success could lead to real-world opportunities (e.g., a small group audit project).
Documentation importance: without proper documentation, changes and procedures are not knowable or repeatable for others (e.g., if someone else takes over, they won’t know the steps).
Decision-making: risk-based decisions are part of the overall RMF process and require authorization and ongoing monitoring.
Roles, Examples, and Real-World Connections
Instructor’s practical anecdote about a classroom exercise:
Students audit a local hotel setup to test risk management concepts.
The facilitator conducted a physical audit at a hotel with permission from management.
A critical finding: an unlocked server room and access to the full power grid of the building.
Potential consequences observed if the vulnerability were exploited: power shutdowns could damage appliances, disrupt customer service, lose customers, damage communication and reputation, and possibly trap people in elevators if security systems failed.
Backup power access was also implicated—indicating multiple layers of critical infrastructure vulnerability.
Corporate response: hotel’s corporate team was contacted and systems were reset to address the gaps.
Educational takeaway: such audits build situational awareness and illustrate how real-world systems can fail or be compromised if proper controls are not in place.
Safety and ethics note: ethical considerations are highlighted (permission from hotel management, planning, and responsible disclosure). The instructor emphasizes open-minded interviewing, conducted with permission, to gather an honest risk assessment.
The instructor emphasizes the value of an audit checklist and the need for interviewing skills to uncover risks that a simple documentation review might miss.
The real-world relevance: risk assessments are not just theoretical; they influence internal changes within organizations and can prompt corporate-level risk mitigation actions.
Example Scenarios and Exam Preparation
Scenario 1: Integrity breach risk
Situation: Alice can change grades for all her assignments in an online grading portal.
Which CIA component is at risk? Integrity (unauthorized modification of data).
Scenario 2: Availability risk consideration
Situation: Data is currently accessible to authorized users, but whether it stays available is in question if that access is compromised.
The instructor notes that availability could be at stake if access is improperly granted or blocked.
Scenario 3: Ambiguity in exam questions
The instructor notes that sometimes multiple choices may seem plausible, but one is identified as correct based on the CIA triad discussion.
Exam-oriented reminder: Memorize and understand the RMF/RMS terminology and steps, as well as the relationship between the triad components and practical controls like two-factor authentication.
Practical Implications, Ethics, and Real-World Relevance
Security design implications:
Use of two-factor authentication as a safeguard to protect integrity and prevent unauthorized data manipulation.
The need for robust physical and digital controls to prevent unauthorized access to critical infrastructure (server rooms, power grids).
Governance and accountability:
Documentation ensures continuity and accountability when staff changes occur.
Risk-based decision-making requires authorization and monitoring to adapt controls over time.
Educational and career relevance:
The course emphasizes acronyms and structured risk management practices (RMF/RMS) to prepare for real-world cybersecurity roles.
There is an emphasis on hands-on risk assessment through campus projects and potential local business audits.
Ethical considerations:
Conducting audits with permission and a clear scope to avoid legal and ethical issues.
Balancing transparency with responsible disclosure when vulnerabilities are found.
Key Takeaways for the Exam and Beyond
Understand the CIA triad and how integrity, availability, and confidentiality interact in security design and risk assessment.
Know the RMF steps and the practical focus on the Assess step in this course context.
Recognize the roles of acronyms like RMF, RMS, and ITG in the risk management lifecycle.
Appreciate the value of formal documentation, authorization, and ongoing monitoring in maintaining secure systems.
Be prepared to analyze scenarios (like the grading portal and hotel audit) to identify which CIA components are at risk and why.
Remember real-world implications of lax controls, including potential cascading effects on safety, reputation, and operations.
Acknowledge the ethical dimension of conducting risk assessments and audits, including permissions, scope, and responsible reporting.
References and Nomenclature (from lecture)
CIA Triad: Confidentiality, Integrity, Availability
RMF: Risk Management Framework
RMS: Risk Management Steps (practical workflow)
ITG: International Technology Group (organization focusing on risk measurement in security, privacy, and cyber supply chain)
Notable numbers mentioned:
Example monetary figure in the scenario: $10 (and the idea of adding zeros)
Two-factor authentication: two-factor
Acronym count mentioned: 375 acronyms
RMF/RMS steps: eight steps
Core instructional messages:
Protect data from unauthorized or unintentional alteration (integrity)
Ensure systems/data are accessible to authorized users when needed (availability)
Recognize the importance of various controls, documentation, and risk-based decision making in security programs