Domain 1 · Lesson 2 of 10

CIA Triad & Security Concepts


The CIA Triad

The CIA Triad is the foundational model of information security. All security controls, policies, and decisions map back to one or more of these three properties.

  • C: Confidentiality (prevent unauthorized disclosure)
  • I: Integrity (ensure data accuracy and completeness)
  • A: Availability (systems accessible when needed)
| Property | Threat Example | Controls |
|---|---|---|
| Confidentiality | Unauthorized user reads loan applicant PII | AES-256-CTR encryption, access control, data classification, mTLS |
| Integrity | Attacker modifies loan amount in transit | Hashing (SHA-256), digital signatures, checksums, input validation, HMAC |
| Availability | DDoS attack takes down KYC service | Redundancy, load balancing, backups, DDoS protection, multi-AZ deployment |
CIA Trade-off: More security controls often reduce availability (e.g., adding MFA adds friction and latency). Security decisions must balance all three properties based on business context.

Beyond CIA — Additional Security Properties

| Property | Definition | Mechanism |
|---|---|---|
| Authenticity | Data is genuine and comes from the claimed source | Digital signatures, certificates |
| Non-repudiation | An actor cannot deny having performed an action | Asymmetric digital signatures + audit logs |
| Accountability | Actions can be traced to a specific individual | Audit trail, logging, identity management |

AAA Framework

  • Authentication: "Who are you?" (password, biometric, MFA)
  • Authorization: "What can you do?" (RBAC, ACL, policies)
  • Accountability: "What did you do?" (logs, audit trail)

Key Terms

| Term | Core Idea |
|---|---|
| Confidentiality | Only authorized users can access information |
| Integrity | Data has not been altered in an unauthorized way |
| Availability | Authorized users can access systems when needed |
| Non-repudiation | Proof of action that cannot be denied; requires asymmetric crypto |
| Authenticity | Verified that data or identity is genuine, not forged |

Exam Tips

  1. Availability for financial systems: For banks and fintech, availability is often the most critical CIA property. A 99.9% SLA means at most 8.7 hours of downtime per year — exam questions about banking systems usually prioritize availability.
  2. Non-repudiation requires ASYMMETRIC crypto: Symmetric keys are shared — either party could have generated the signature, so it cannot prove who acted. Only a private key (held by one party) can produce non-repudiable signatures. This is a common exam trap.
  3. CIA is a triad, not a hierarchy: All three matter equally. The exam asks "which is MOST important in this context" — read the scenario carefully (confidentiality for medical data, availability for emergency services, integrity for financial transactions).
  4. Encryption protects Confidentiality primarily — not integrity (use hashing) and not availability (use redundancy).

Work Application — FinTech Company X

Mapping the CIA properties to Platform C:

  • Confidentiality: AES-256-CTR encryption for all PII at rest (loan applications, ID documents, biometric references); mTLS for all service-to-service communication; Vault for secrets management — no plaintext credentials in code.
  • Integrity: HMAC-SHA256 on Partner D B2B API requests to detect tampering; parameterized SQL queries to prevent injection; eSign Vendor ensures document integrity with legally binding signatures for Partner A loan contracts.
  • Availability: 99.9% SLA commitment with Bank A means <8.7hr downtime/year; Kafka async processing ensures loan disbursement events survive temporary outages; GCP multi-AZ deployment for Partner A VN (live production).
  • Non-repudiation: JWT RSA signing (RS256) means only the server's private key could have issued a token — the customer cannot claim they never authenticated. eSign Vendor creates non-repudiable loan agreements.
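Exam tip 4 (encryption gives Confidentiality, not Integrity) and the HMAC-SHA256 check on Partner D requests above, shown in an added Go example that is not the platform's code; the keys, the fixed IV and the request body are constructed demo values. AES-256-CTR decrypts a tampered ciphertext without any error, while an encrypt-then-MAC check rejects it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// Constructed demo material. A deployment draws keys from a secrets manager and uses
// a fresh random IV per message; the fixed IV here only keeps the demo deterministic.
var encKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256
var macKey = []byte("second-independent-key-for-hmac!") // separate key for HMAC-SHA256
var iv = []byte("constructed-iv16")                     // 16 bytes: AES block size

// ctrXOR applies AES-256-CTR. CTR is a stream cipher, so the same call encrypts and
// decrypts, and any input "decrypts": nothing in the mode detects modification.
func ctrXOR(in []byte) []byte {
	block, _ := aes.NewCipher(encKey) // key length is fixed above, so no error path
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out
}

// tag is HMAC-SHA256 over the ciphertext (encrypt-then-MAC).
func tag(ct []byte) []byte {
	m := hmac.New(sha256.New, macKey)
	m.Write(ct)
	return m.Sum(nil)
}

// DecryptUnchecked is "encryption only": it never fails, even on a tampered message.
func DecryptUnchecked(ct []byte) string { return string(ctrXOR(ct)) }

// DecryptChecked compares the HMAC in constant time and refuses to decrypt on mismatch.
func DecryptChecked(ct, t []byte) (string, bool) {
	if !hmac.Equal(tag(ct), t) {
		return "", false
	}
	return string(ctrXOR(ct)), true
}

func main() {
	ct := ctrXOR([]byte("amount=100000"))
	t := tag(ct)
	tampered := append([]byte(nil), ct...)
	tampered[len(tampered)-1] ^= 0x01 // a single bit changed in transit
	fmt.Println(DecryptUnchecked(tampered))  // amount=100001: silently altered
	fmt.Println(DecryptChecked(tampered, t)) // "" false: the HMAC check catches it
}
```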

Practice Questions

Q1. A PostgreSQL database hosting Platform C loan records goes completely offline due to a hardware failure. No data was accessed or modified. Which CIA property was violated?

A) Availability — authorized users cannot access the system when needed
Rationale: No unauthorized disclosure (Confidentiality intact) and no data modification (Integrity intact). Only the ability to access the system was compromised, which is an Availability violation. This is a classic exam scenario that tests whether you can distinguish the three properties.

Q2. A Partner A loan agreement is signed via eSign Vendor using digital signatures. Which two security properties does this primarily provide?

A) Integrity (document has not been altered) and Non-repudiation (signer cannot deny signing)
Rationale: A digital signature uses the signer's private key, creating a cryptographic binding between the signer and the document. This ensures the document hasn't changed (Integrity) and proves who signed it in a way that cannot be denied (Non-repudiation). Note: Non-repudiation requires asymmetric cryptography — the private key is unique to the signer.

Q3. AES-256-CTR is used to protect customer PII stored in the Platform A database. Which CIA property does this primarily protect?

A) Confidentiality — encryption prevents unauthorized parties from reading the data
Rationale: Encryption transforms readable data into ciphertext, preventing unauthorized disclosure — which is the definition of Confidentiality. AES-256-CTR does not verify that the data is unmodified (Integrity requires hashing/HMAC) and does not ensure the system is online (Availability requires redundancy).

Q4. A system requires non-repudiation for loan disbursement authorization. Which type of cryptography is required?

A) Asymmetric cryptography — only the private key holder can generate the signature, proving identity
Rationale: Symmetric keys are shared between parties, meaning either party could have created the message — you cannot prove which one acted. Non-repudiation requires a private key known only to one party (asymmetric crypto). The public key allows anyone to verify the signature, but only the private key holder could have created it.
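Exam tip 2 and Q4 as an added Go example, not the page's or the platform's code; the message and shared key are constructed. Two holders of one HMAC key produce identical tags, so a tag cannot attribute the action to either of them, whereas an RS256-style RSA signature verifies only under the signer's public key.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Constructed demo secret held by both the platform and the partner.
var sharedKey = []byte("shared-secret-known-to-both-sides")

// MACTag computes HMAC-SHA256. Anyone holding the key can produce a valid tag, so the
// tag proves integrity between the parties but not which of them created the message.
func MACTag(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// Sign produces an RS256-style signature (RSASSA-PKCS1-v1_5 over SHA-256, the scheme the
// page names for JWTs). Only the holder of priv can produce it.
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// Verify needs only the public key, so any auditor or court can check who signed.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	msg := []byte("disburse loan 42: 100000 VND") // constructed message

	// Symmetric: the platform's tag and the partner's tag are byte-identical, so a
	// third party cannot attribute the tag to either key holder.
	fmt.Println(hmac.Equal(MACTag(sharedKey, msg), MACTag(sharedKey, msg)))

	// Asymmetric: only the signer's own key pair yields a signature that verifies under it.
	signer, _ := rsa.GenerateKey(rand.Reader, 2048)
	other, _ := rsa.GenerateKey(rand.Reader, 2048)
	sig, _ := Sign(signer, msg)
	otherSig, _ := Sign(other, msg)
	fmt.Println(Verify(&signer.PublicKey, msg, sig))      // true
	fmt.Println(Verify(&signer.PublicKey, msg, otherSig)) // false
}
```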

Q5. Adding mandatory MFA for all Platform C users improves security but increases login time by 15 seconds. Which CIA trade-off does this represent?

A) Confidentiality improved at the cost of some Availability (user friction/accessibility)
Rationale: MFA prevents unauthorized access by verifying identity more strongly — this is a Confidentiality control. However, requiring an extra step reduces ease of access, which is an Availability consideration (systems should be accessible when needed, without excessive friction). Security is always a balance between the three CIA properties.