Posted by Andrew Rose on March 13, 2014
The information security profession is built on three fundamental tenets, those of confidentiality, availability, and integrity. Increasingly, however, I see two things happening:
- Organizations are reprioritising these to reflect their significance within their organization, with confidentiality often trailing behind availability and integrity; or
- Additional aspects such as authentication, authorization, non-repudiation etc. are supplementing the CIA triad.
It seems that there may be a growing group of S&R professionals who are dissatisfied with these concepts, feeling that they are ambiguous or incomplete, and some find it troublesome that they lack standard units of measurement.
It was with interest, therefore, that I noted a competition issued by the O-ISM3 Consortium, an organization that focuses on fostering alignment between security objectives and business goals. Their challenge lays out a use case for participants to navigate. It involves a mock audit on a travel company and presents entrants with the audit findings. The participants are then challenged to create a set of audit questions that would lead to these responses, but they have to choose one of two alternative paths – either their questions must all include references to C, I, and A, or none of them may.
How well this will work is difficult to say; however, it is an interesting thought experiment and encourages S&R professionals to think about information risk management from a slightly different perspective. The prize for those who pay the €5 entrance fee and pass the challenge by proving that confidentiality, availability, and integrity are wholly applicable (or the opposite!) is a chance to win €500 and a free spot in an information security management course. Unfortunately, sign-up for the competition closes on the 14th of March, so be quick if you are interested; I’ll be interested to see what conclusions the O-ISM3 Consortium draws from the entries.