Published in The CISO Den

Can you prove Confidentiality, Integrity and Availability are fundamental security concepts?

I don’t think so

Can you?
  1. C-I-A is ambiguous. Many professionals and even published standards give different definitions of Confidentiality, Integrity and Availability, which adds undesirable variance. Consequently, Threats, Incidents, Vulnerability and Weakness, among other concepts, can’t be reliably defined in terms of Confidentiality, Integrity and Availability, which compounds the ambiguity of every definition built on them.
  2. C-I-A doesn’t have units of measurement. This makes it impossible to manage information security quantitatively. Bye, bye, optimization of resources.

I have been waiting since 2014…what do you think that means?

And, what is the alternative? It looks like this:

TEST USE CASE

Ambiguous Ltd is a travel agency located in Madrid, Spain. Their business is selling retail travel packages both online and through their offices, which are at street level on a main street. The most important system they own and operate is the Package Sales System, which they use for advertising, sales, and bookings. This system interfaces with the Amadeus GDS system (checking availability and bookings), with VISA (payments), and with an equivalent system of a Moroccan partner (MTravel), as Morocco is a popular destination for Spanish tourists and represents a significant part of the company’s business.

Business activities:

  • Sell Travel Packages both online and at the office.
  • Receive feedback from customers and the public in general.
  • Send Travel Package offers to subscribers.
  • Manage Claims and Issues.

Archives:

  • Sales Archive
  • Feedback Archive
  • Offers Archive
  • Claims, Feedback and Incidences Archive

Operations on each archive:

  • Sales Archive: Book, Release, Sell, Refund, Update.
  • Feedback Archive: Create, Update, Close.
  • Offers Archive: Create, Update, Retire, Publish.
  • Claims, Feedback and Incidences Archive: Create, Update, Close.
  • Sales Statistics Report Archive: Create, Close.

Access rules:

  • Each salesperson can only view the personal information of his or her own clients.
  • Only the sales manager and the person assigned to Feedback and Claims can view the personal information of all clients.
  • Only the owner of the company can access the Sales Statistics Report.
  • Only the sales manager can create Offers.
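The four access rules of the use case, written as an explicit, testable policy check. This is an added example, not code from the article; the role identifiers, the `ViewClientPII` operation name, the `record_owner` field and the deny-by-default fallback are my assumptions, chosen to show that the rules are concrete enough to be checked mechanically.

```python
from dataclasses import dataclass
from typing import Optional

# Roles named in the Ambiguous Ltd use case (identifiers are assumed).
SALESPERSON, SALES_MANAGER, CLAIMS_HANDLER, OWNER = (
    "salesperson", "sales_manager", "claims_handler", "owner")


@dataclass(frozen=True)
class User:
    name: str
    role: str


@dataclass(frozen=True)
class Request:
    user: User
    archive: str                       # e.g. "Sales", "Offers", "Sales Statistics Report"
    operation: str                     # e.g. "Create", "Update", "ViewClientPII" (assumed name)
    record_owner: Optional[str] = None  # salesperson who owns the client record, if any


def is_permitted(req: Request) -> bool:
    """Evaluate the four access rules; anything no rule grants is denied
    (deny-by-default is an assumption, the use case does not say)."""
    user, archive, op = req.user, req.archive, req.operation

    # Rule: only the owner of the company can access the Sales Statistics Report.
    if archive == "Sales Statistics Report":
        return user.role == OWNER

    # Rule: only the sales manager can create Offers.
    if archive == "Offers" and op == "Create":
        return user.role == SALES_MANAGER

    # Rules: a salesperson sees only his or her own clients' personal data;
    # the sales manager and the Feedback/Claims handler see all clients.
    if op == "ViewClientPII":
        if user.role in (SALES_MANAGER, CLAIMS_HANDLER):
            return True
        if user.role == SALESPERSON:
            return req.record_owner == user.name
        return False

    return False  # no rule in the use case grants this, so deny


def audit(requests) -> list:
    """Return the requests the policy would deny, e.g. for reviewing a log
    of constructed access attempts against the stated rules."""
    return [r for r in requests if not is_permitted(r)]
```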

To learn more

This article is part of a series that starts here: Principles of Evidence Based Cybersecurity Management
