How NIST can protect the CIA triad, including the often overlooked ‘I’ – integrity

The CIA triad is a model that helps organizations implement information security programs to protect their confidential and sensitive data. Typically, this is carried out through an entity’s policies, processes, and procedures. The CIA triad comprises:

  • Confidentiality – access to information should be restricted to only those who need access to it
  • Integrity – assurance that information is accurate and reliable – in other words, protected from unauthorized modification, destruction, and loss
  • Availability – guarantee of access to information by authorized persons as and when necessary

Organizations need to ensure that all three elements of the CIA triad are addressed, as protecting confidentiality alone does not constitute security. After all, information is only useful if you know it is correct and are able to access it. Unfortunately, confidentiality is the element that is focused on the most, leading many organizations to overlook availability and, in particular, integrity.


NIST warns that it’s a mistake to undermine the importance of integrity

The importance of integrity is often underestimated, particularly in the context of security. Ron Ross, a fellow at the National Institute of Standards and Technology (NIST), says that an integrity-related incident could undermine an organization’s holistic CIA approach.

“If you have a compromise of integrity, it can affect both availability and confidentiality. The malicious code can wreck confidentiality by getting access to things it shouldn’t have access to and seeing things it shouldn’t. Alternatively, compromising key components of a system through an integrity violation can make the system crash and the capability go away.”

Cyber criminals are targeting data and IT system integrity at an ever-increasing pace. According to NIST’s draft Special Publication 1800-11A, Data Integrity – Recovering from Ransomware and Other Destructive Events, data integrity attacks have already compromised confidential business information, “including emails, employee records, financial records, and customer data.” It lists the following risks that can alter or destroy data:

  • Destructive malware
  • Ransomware
  • Malicious insider activity
  • Honest mistakes (human error)

Ransomware is a menacing threat to information integrity

Ransomware attacks on organizations see criminal hackers infiltrate their computer systems, encrypt their data, and hold it for ransom, demanding payment to decrypt the data. According to Cybersecurity Ventures’ Ransomware Damage Report, the cost of ransomware worldwide has multiplied by 15 over the course of two years, and is likely to have surpassed $5 billion in 2017. The Cisco 2017 Annual Cybersecurity Report, meanwhile, says that ransomware attacks are increasing 350% annually.

Organizations must make sure that their data is accurate and safe – before and after a data breach or hack. NIST’s Cybersecurity Framework can help prevent security incidents, or help an organization recover successfully from one that has occurred. The Framework is promoted as a US framework for critical infrastructure organizations, but it can be implemented by organizations of all sizes and complexity.

NIST’s Cybersecurity Framework takes a risk-based approach to managing cybersecurity

The Framework can be used to tackle ransomware, as well as other cybersecurity threats and vulnerabilities. Through the Framework, an organization can:

  • Expedite cybersecurity strategy creation efforts
  • Reduce internal miscommunications and human error by implementing an information security program
  • Heighten its awareness of cyber threats
  • Implement security controls to mitigate or reduce risks, and manage data breaches and other cybersecurity incidents

The Framework can also increase board members’ awareness of key cybersecurity areas. According to Ross, integrity must be considered at board level. Once the board takes its importance to the organization seriously, this will trickle down to the operational and/or development levels. He says:

“So, if you’re developing a system or a product, that development work has to have high integrity, too, because management wants to make sure that what they’re producing is what the customer gets and they can be trusted to be giving customers what they expect.”

Combined with other control sets, NIST’s Framework can protect against threats to your integrity

Organizations can pair the Framework with NIST SP 800-53, the Center for Internet Security (CIS) Critical Security Controls for Effective Cyber Defense (CSC), and other information security frameworks or control sets. You may also choose to integrate ISO 27001, the international standard that outlines best practice for implementing an information security management system (ISMS).

Obtaining ISO 27001 certification sends a clear message that your organization has taken reasonable measures to ensure the CIA of your sensitive and confidential data. Testing and assessing your ISMS is essential to learn whether or not it is functioning as it should, and to make improvements as necessary. Achieving ISO 27001 compliance requires a risk assessment, which can help you to better understand your organization’s cybersecurity posture.

Free Green Paper Download – Risk Assessment and ISO 27001

An ISO 27001 ISMS that follows defined risk acceptance/rejection criteria will find itself organized and ready for the next step towards implementation, but the risk assessment process can be a complex, difficult aspect to manage.

This green paper explains the issues and technical details surrounding the risk assessment process. You will discover:

  • The three stages of the ISO 27005 risk assessment process: risk identification, analysis, and evaluation
  • Risk assessment and the ISO 27001 Statement of Applicability
  • How to use risk assessments to achieve maximum benefits from minimum security costs
  • How risk assessments fit into the continuous improvement cycle