An Examination of Select Controls for Enforcing the CIA Triad

Edwin Covert
8 min read · Nov 29, 2021



Please note: any mention of products in this article should not be construed as an endorsement.

In order to implement a cybersecurity program, organizations must protect the confidentiality, integrity, and availability of their information and data; these three concepts make up the CIA triad (Stallings & Brown, 2020). Organizations can do this by implementing various controls mapped to these concepts. Experts define controls as “measures to minimize, mitigate, and respond to the intentional and unintentional threat to protect organisational information technology resources” (Onumo et al., 2021, p. 5). Typically, they come in one of three variations: management, operational, and technical, according to the National Institute of Standards and Technology (NIST) (2020).

This article will analyze information security controls specifically related to the ideas of the CIA triad; it will also discuss the concept of trusted computing. Using a standard catalog of controls from NIST (2020), it will show the application of select controls to the CIA triad covering people, processes, and technologies using the variations listed above. Because there are hundreds of controls in the standard catalog, a complete mapping and analysis of every control is beyond the scope of this article.

Information Security Technologies Mapped to Selected Control Functions

Stallings and Brown (2020) define the CIA triad as the core functions of cybersecurity. Confidentiality protects the data from exposure to individuals or entities who should not view it. Integrity ensures the data expected for processing has not changed. Availability ensures the data is there when needed. The Committee on National Security Systems (CNSS) (2014) provides an explicit mapping of controls to each of these concepts in its Security Categorization and Control Selection for National Security Systems. CNSS sets cybersecurity policies and instructions for departments and agencies within the US government, specifically for systems designated as vital to protecting the country (Committee on National Security Systems, 2016). NIST’s (2020) standard catalog that CNSS (2014) maps to is the Security and Privacy Controls for Information Systems and Organizations (Special Publication 800–53, Revision 5).

Confidentiality

Confidentiality means “preserving authorized restrictions on information access and disclosure” (Stallings & Brown, 2020, p. 25). Within CNSS’s (2014) mapping, many controls apply to confidentiality. One is the concept of account management. Account management protects confidentiality by limiting who can access information to specific accounts or types of accounts. Defined as identifying and overseeing those accounts allowed and prohibited for use on an information system, this control involves management, operational, and technical aspects (NIST, 2020).

For example, organizational management should define and document account types and ensure it assigns account managers (NIST, 2020). Organizations should document specific roles and responsibilities and the associated privileges for classes of accounts (NIST, 2020). In the operational area, organizations implementing this control should have in place procedures to monitor usage of accounts and ensure those accounts possess a valid authorization (NIST, 2020). From a technological standpoint, this control requires the technology to monitor account usage via log files from the various identity and access management systems sent to a centralized security operations function (NIST, 2020).
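The operational and technical aspects described above (monitoring account usage from identity-system logs and confirming each account still holds a valid authorization) can be checked with a small script. The following is an added example, not code from the article or from NIST; the account register, the key=value log format, and the 90-day inactivity threshold are all constructed assumptions.

```python
"""Account-usage monitoring check (AC-2 style), constructed example."""
from datetime import datetime, timedelta

# Constructed account register: assigned manager, authorization expiry, status.
REGISTER = {
    "alice": {"manager": "it-ops", "authorized_until": "2022-06-30", "enabled": True},
    "bob": {"manager": "it-ops", "authorized_until": "2021-10-31", "enabled": True},
    "svc-backup": {"manager": "infra", "authorized_until": "2022-12-31", "enabled": False},
    "carol": {"manager": "hr", "authorized_until": "2022-12-31", "enabled": True},
}

# Constructed identity-provider log lines; the key=value format is an assumption.
LOG_LINES = [
    "2021-11-20T08:01:10Z event=login account=alice result=success",
    "2021-11-21T09:15:42Z event=login account=bob result=success",
    "2021-11-22T02:30:05Z event=login account=svc-backup result=success",
    "2021-11-23T11:05:00Z event=login account=mallory result=success",
    "2021-11-23T11:06:00Z event=login account=alice result=failure",
]

def parse_line(line: str) -> dict:
    """Turn one log line into a dict with a parsed timestamp under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def audit_account_usage(log_lines, register, now, inactive_days=90):
    """Return sorted (account, finding) pairs; 'now' is an ISO date string."""
    now_dt = datetime.fromisoformat(now)
    findings, last_seen = set(), {}
    for rec in map(parse_line, log_lines):
        if rec.get("event") != "login" or rec.get("result") != "success":
            continue  # only successful use counts as account activity here
        acct = rec["account"]
        last_seen[acct] = max(rec["ts"], last_seen.get(acct, rec["ts"]))
        entry = register.get(acct)
        if entry is None:
            findings.add((acct, "unregistered account used"))
        elif not entry["enabled"]:
            findings.add((acct, "disabled account used"))
        elif datetime.fromisoformat(entry["authorized_until"]) < rec["ts"]:
            findings.add((acct, "authorization expired"))
    for acct, entry in register.items():  # AC-2 also wants inactive accounts disabled
        idle = now_dt - last_seen.get(acct, datetime.min)
        if entry["enabled"] and idle > timedelta(days=inactive_days):
            findings.add((acct, "inactive account still enabled"))
    return sorted(findings)
```

In a real deployment the register would come from the account managers' documented inventory and the log lines from the centralized security operations feed the text describes.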

Integrity

Integrity, as defined by Stallings and Brown (2020), means preventing “improper information modification and destruction” (p. 25). One specific control for ensuring systems do not change is the use of standardized configurations that limit what users can change in the system. NIST (n.d.) defines a baseline configuration as “a documented set of specifications for an information system, or a configuration item within a system, that has been formally reviewed and agreed on at a given point in time, and which can be changed only through change control procedures” (para. 1). Baseline configurations fall under the NIST (2020) control family defined as configuration management.

Like account management, baseline configurations also possess management, operational, and technical aspects. Organizational management should develop and publish documents that “facilitate the implementation of the configuration management policy and the associated configuration management controls” (NIST, 2020, p. 96). From a technology vantage point, the organization should have functions in place to alert on attempted changes to a particular baseline outside of those approved by change management processes. This of course implies the existence of an operational control covering change management processes that define and instantiate processes that review “proposed configuration-controlled changes to the system and approve or disapprove such changes with explicit consideration for security and privacy impact analyses” (NIST, 2020, p. 98).
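The technical function just described, alerting on deviations from a baseline that no approved change sanctions, reduces to comparing a scan result against the documented baseline and the change-control record. This is an added example, not code from the article, NIST, or any scanning product; the setting names, the observed snapshot, and the ticket records are constructed.

```python
"""Baseline-configuration drift check (CM-2/CM-3 style), constructed example."""

# Constructed baseline: setting name -> approved value (names are an assumption).
BASELINE = {
    "sshd.PermitRootLogin": "no",
    "sshd.PasswordAuthentication": "no",
    "auditd.enabled": "yes",
    "firewall.default_policy": "deny",
}

# Constructed snapshot of what a scan found on one host.
OBSERVED = {
    "sshd.PermitRootLogin": "no",
    "sshd.PasswordAuthentication": "yes",   # changed, ticket was rejected
    "auditd.enabled": "yes",
    "firewall.default_policy": "allow",     # changed, ticket CHG-0042 approved
    "sshd.X11Forwarding": "yes",            # not in the baseline at all
}

# Constructed change-control records: only approved tickets sanction a deviation.
CHANGES = [
    {"ticket": "CHG-0042", "setting": "firewall.default_policy", "value": "allow", "approved": True},
    {"ticket": "CHG-0043", "setting": "sshd.PasswordAuthentication", "value": "yes", "approved": False},
]

def detect_drift(baseline, observed, changes):
    """Return (unapproved, approved) deviations of 'observed' from 'baseline'."""
    sanctioned = {(c["setting"], c["value"]): c["ticket"] for c in changes if c["approved"]}
    unapproved, approved = [], []
    for setting, expected in baseline.items():
        actual = observed.get(setting)  # None when the setting is missing from the scan
        if actual == expected:
            continue
        ticket = sanctioned.get((setting, actual))
        if ticket:
            approved.append((setting, expected, actual, ticket))
        else:
            unapproved.append((setting, expected, actual))
    for setting in observed.keys() - baseline.keys():
        # Anything outside the documented baseline was never reviewed, so it is unapproved.
        unapproved.append((setting, None, observed[setting]))
    return sorted(unapproved, key=lambda d: d[0]), sorted(approved, key=lambda d: d[0])
```

Only the unapproved list should raise an alert; the approved list is the audit trail that ties each sanctioned deviation back to its change ticket.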

Availability

Stallings and Brown (2020) define availability as “[e]nsuring timely and reliable access to and use of information” (p. 25). One particular control focused on availability is contingency planning, defined as making sure organizations can methodically identify, contain, and deal with those non-normal conditions that might occur (Whitman & Mattord, 2012). Much like the previous controls, contingency planning requires management, operational, and technical inputs to make it successful.

Organization leadership must first develop a contingency plan that addresses what it considers essential business functions and how long those functions can be non-operational in the event a disaster strikes; this planning must also include what restoration of those functions would look like (NIST, 2020). Operationally, the organization must test its planning to ensure it effectively meets the requirements management laid out. After all, the worst time to determine a plan is inadequate for recovering from an incident is during the incident. Technologically, if the organization requires a “hot” disaster recovery site, i.e. one that is fully redundant with live data and that it can activate with minimal disruption of services in the event of power outages, natural disasters, and telecommunication outages (Swanson et al., 2010), there are issues that require resolution. These include network routing between the two sites and physical telecommunication lines.

Trusted Computing

While not a core function of cybersecurity akin to the CIA triad, trusted computing is vital to enforcing the triad. Trusted computing is a means of ensuring that specific operating systems or applications can only open or use specific data (Seamon & Xue, n.d.). A more formal definition comes from Danidou and Schafer (2011), where trusted computing is both the hardware and software responsible for maintaining the secure state of the system and preventing it from becoming compromised by another element of that system.

There are many controls that could apply to trusted computing in the NIST (2020) catalog. One that stands out is system and service acquisition, specifically security and privacy engineering principles (SA-8). While a detailed discussion of SA-8 is outside this article’s scope, organizations that seek to develop with a trusted computing mindset should consider key security design elements of SA-8 such as clear abstractions (SA-8.1), least common mechanism (SA-8.2), and trusted components (SA-8.9).

Examples of Technology Solutions for Selected Controls

Organizations can implement each of the four NIST (2020) controls listed above. Of course, simply purchasing the technology that enables these controls does not solve the cybersecurity problem each is attempting to address. Rather, organizations require people with cybersecurity skills and processes that are followed to ensure the technology works as intended.

Account Management

Okta provides several identity and access management solutions for organizations, particularly those moving to cloud-based environments. One particular offering addresses the issues NIST (2020) specifies in account management: Lifecycle Management. The Lifecycle Management solution allows organizations to automate the provisioning and deprovisioning of accounts (Okta, 2021). This user account lifecycle involves creating, managing, monitoring, and ultimately removing accounts throughout the enterprise (Thycotic, 2021).

Baseline Configuration

Organizations can define baseline configurations using the Common Configuration Enumeration (CCE) process defined by NIST (2021). Solutions such as Tenable scan system configurations against the configuration settings listed in the relevant CCE file. NIST (2021) has CCEs for such systems as Red Hat Linux servers and Apache Tomcat servers and applications such as Internet Explorer and Microsoft Office. Organizations can create custom CCE files that match existing policy and standards for scanning by solutions.

Contingency Planning

Managing the entirety of a contingency plan seems daunting to many organizations. Software solutions can make the development and update of plans easier. Quantivate offers a software solution that it claims will reduce the time an organization spends on managing and maintaining its contingency plan, ultimately leading to an increase in the availability of critical systems (Quantivate, 2021). The risk of not using an integrated software solution is that current plans will become outdated and ineffective if the organization does not properly care for them. Again, finding out a contingency plan is out of date during an event is the worst time to make that discovery.

System and Services Acquisition

A trusted platform module (TPM) is a hardware component installed in a device that enables the trusted computing of that device. Most organizations will not develop or purchase their own unique TPM, however. They will purchase it as part of their hardware and software orders. For example, Microsoft has implemented TPM technology in their current operating systems for personal devices and servers. Their TPM technology “is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper-resistant, and malicious software is unable to tamper with the security functions of the TPM” (Microsoft, 2021).

Conclusion

In order to implement an effective cybersecurity program, organizations must enable controls on their information systems that address the core concepts of the CIA triad. Properly managing accounts, ensuring baseline configurations applied to systems have not changed, creating and maintaining a contingency plan, and enabling a trusted computing program through TPM are essential controls. While each of these depends in part on the successful implementation of technology, additional work should occur around the personnel performing the work and the processes they use. Only then can an organization assure it is holistically considering all facets of cybersecurity.

References

Committee on National Security Systems. (2014). Security categorization and control selection for national security systems (CNSSI No. 1253). Retrieved November 16, 2021, from https://www.dcsa.mil/portals/91/documents/ctp/nao/CNSSI_No1253.pdf.

Committee on National Security Systems. (2016, May 6). About CNSS. Retrieved November 24, 2021, from https://www.cnss.gov/CNSS/about/about.cfm.

Danidou, Y., & Schafer, B. (2011). ‘Trust me, I’m a computer’ — Trusted computing and the law between liability and responsibility. Information & Communications Technology Law, 20(3), 185–199. https://doi.org/10.1080/13600834.2011.603962.

Microsoft. (2021, November 12). Trusted platform module technology overview (Windows) — Windows security. Microsoft Docs. Retrieved November 24, 2021, from https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/trusted-platform-module-overview.

National Institute of Standards and Technology. (2020). Security and privacy controls for information systems and organizations (Special Publication 800-53, Revision 5). Retrieved November 16, 2021, from https://doi.org/10.6028/NIST.SP.800-53r5.

National Institute of Standards and Technology. (2021, April 7). CCE platform listing. National Checklist Program. Retrieved November 24, 2021, from https://ncp.nist.gov/cce/index.

National Institute of Standards and Technology. (n.d.). Baseline configuration — glossary. CSRC. Retrieved November 24, 2021, from https://csrc.nist.gov/glossary/term/baseline_configuration.

Okta. (2021). Lifecycle management. Okta. Retrieved November 24, 2021, from https://www.okta.com/products/lifecycle-management/.

Onumo, A., Ullah-Awan, I., & Cullen, A. (2021). Assessing the moderating effect of security technologies on employees compliance with cybersecurity control procedures. ACM Transactions on Management Information Systems, 12(2), 1–29. https://doi.org/10.1145/3424282.

Quantivate. (2021, November 20). Business continuity management (BCM) software. Quantivate. Retrieved November 24, 2021, from https://quantivate.com/solutions/business-continuity-software-2/.

Seamon, C., & Xue, T. K. (n.d.). Trusted Computing and You. Retrieved November 24, 2021, from https://cs.stanford.edu/people/eroberts/cs201/projects/trusted-computing/index.html.

Stallings, W., & Brown, L. (2020). Computer security: principles and practice (4th ed.). Pearson India Education Services Pvt Ltd.

Thycotic. (2021, March 10). Account lifecycle manager. Thycotic. Retrieved November 24, 2021, from https://thycotic.com/products/account-lifecycle-manager/.

Whitman, M. I. E., & Mattord, H. J. (2012). Information security governance for the non-security business executive. Journal of Executive Education, 11(1), 97–111.
