Lesson 3: The CIA Triad & Security Controls
The CIA triad — Confidentiality, Integrity, and Availability — is the foundation on which every security decision is built. In this lesson we go deeper into each of the three pillars, meet the three types of controls (technical, administrative, and physical) that protect them, and understand the RTO
Every security control serves at least one of three goals: keeping information confidential (C), accurate (I), and available (A).
- Confidentiality: restricting access to information to authorized parties only. Typical means: encryption and access control (ACLs, MFA, OTP).
- Integrity: preserving the accuracy of information and preventing unauthorized modification. Typical means: digital signatures, checksums, and version control.
- Availability: ensuring information and services are reachable by authorized parties when needed. Typical means: backups, redundant servers, and a DRP.
- Security Control: a measure, policy, or technology that reduces risk and protects the CIA triad. Three types: technical, administrative, and physical.
- MFA (Multi-Factor Authentication): verifying identity with two or more factors, e.g. a password plus a one-time code (OTP).
- DRP (Disaster Recovery Plan): a plan for restoring systems and services after an incident, supporting the availability principle.
- RTO (Recovery Time Objective): the maximum acceptable time to restore a system after a failure.
- RPO (Recovery Point Objective): the maximum amount of data we can afford to lose, expressed as a time window; in practice it is bounded by the interval between backups.