Confidentiality, Integrity & Availability
Operational Risk is the set of practices and procedures your business uses to ensure:
  • Confidentiality. Privacy or the ability to control or restrict access so that only authorized individuals can view sensitive information. One of the underlying principles of confidentiality is "need-to-know" or "least privilege". In effect, access to vital information should be limited only to those individuals who have a specific need to see or use that information.
  • Integrity. Information is accurate and reliable and has not been subtly changed or tampered with by an unauthorized party. Integrity includes:
  • Availability. Information and other critical assets are accessible to customers and the business when needed. Note that information is unavailable not only when it is lost or destroyed, but also when access to it is denied or delayed (e.g. the information is published on a web site, but the server is overwhelmed by a denial of service attack and no one can reach it).

Why are these three elements important? While a business' assets may be measured in terms of its employees, buildings or cash on hand, the vast majority of its assets are stored in the form of information, whether it be electronic data or written documents. If this information is disclosed to unauthorized individuals, is inaccurate or deceptive, or is not available when required, the business may suffer significant harm such as the loss of customer confidence, contract damages, regulatory fines and restrictions, or a reduction in market share. In the worst case, a failure to control information could lead to significant financial losses or regulatory restrictions on the ability to conduct business.

It is important to note that confidentiality, integrity and availability are not the exclusive concern of information security. Business continuity planning places a significant emphasis on protecting the availability of information as part of the overall objective of business recovery. Common back-office procedures, such as maker/checker, quality assurance and change control, along with regulatory areas such as SOX 404, focus on ensuring the integrity of information.

CIA             | Risks                                                               | Controls                                                  | Primary Focus
Confidentiality | Loss of privacy. Unauthorized access to information. Identity Theft | Encryption, Authentication, Access controls               | Information Security
Integrity       | Information is no longer reliable or accurate. Fraud                | Maker/Checker, Quality Assurance, Audit Logs              | Operational Controls
Availability    | Business disruption, Loss of customer confidence, Loss of revenue   | BCP Plans and Tests, Back-up storage, Sufficient capacity | Business Continuity Planning

©2009 ISRMC, LLC