4 The Basics of Information Security

Some bodies of law or regulations do make an attempt to define what secure is, or at least some of the steps we should take to be “secure enough.” We have the Payment Card Industry Data Security Standard (PCI DSS) for companies that process credit card payments, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) for organizations that handle health care and patient records, the Federal Information Security Management Act (FISMA) that defines security standards for many federal agencies in the United States, and a host of others. Whether these standards are effective or not is the source of much discussion, but following the security standards defined for the industry in which we are operating is generally considered to be advisable, if not mandated.

MODELS FOR DISCUSSING SECURITY ISSUES

When we discuss security issues, it is often helpful to have a model that we can use as a foundation or a baseline. This gives us a consistent set of terminology and concepts that we, as security professionals, can refer to when security issues arise.

The Confidentiality, Integrity, and Availability Triad

Three of the primary concepts in information security are confidentiality, integrity, and availability, commonly known as the confidentiality, integrity, and availability (CIA) triad, as shown in Figure 1.1. The CIA triad gives us a model by which we can think about and discuss security concepts, and tends to be very focused on security, as it pertains to data.

MORE ADVANCED

The common notation for confidentiality, integrity, and availability is CIA. In certain materials, largely those developed by ISC2, we may see this rearranged slightly as CAI. No change to the concepts is implied in this rearrangement, but it can be confusing for those who do not know about it in advance. We may also see the CIA concepts expressed in their negative forms: disclosure, alteration, and denial (DAD).

Confidentiality

Confidentiality is a concept similar to, but not the same as, privacy. Confidentiality is a necessary component of privacy and refers to our ability to protect our data from those who are not authorized to view it. Confidentiality is a concept that may be implemented at many levels of a process. As an example, if we consider the case of a person withdrawing money from an ATM, the person in question will likely seek to maintain the confidentiality of the personal identification number (PIN) that allows him, in combination with his ATM card, to draw funds from the ATM. Additionally, the owner of the ATM will hopefully maintain the confidentiality of the account number,