The information security profession is built on three fundamental tenets, those of confidentiality, availability, and integrity. Increasingly, however, I see two things happening:
- Organizations are reprioritising these to reflect their significance within their organization, with confidentiality often trailing behind availability and integrity; or
- Additional aspects such as authentication, authorization, non-repudiation etc. are supplementing the CIA triad.
It seems that there may be a growing group of S&R professionals who are dissatisfied with these concepts, feeling that they are ambiguous or incomplete, and some find it troublesome that they lack standard units of measurement.
It was with interest, therefore, that I noted a competition issued by the O-ISM3 Consortium, an organization that focuses on fostering alignment between security objectives and business goals. Their challenge lays out a use case for participants to navigate. It involves a mock audit on a travel company and presents entrants with the audit findings. The participants are then challenged to create a set of audit questions that would lead to these responses, but they have to choose one of two alternative paths – either their questions must all include references to C, I, and A, or none of them may.