Welcome to Cash in the Cyber Sheets. I'm your host, James Bowers, and together we'll work with business leaders and industry experts to dive into the misunderstood business of cybersecurity and compliance to learn how to start making money from being secure and compliant. Welcome to Cash in the Cyber Sheets.
Hey everybody, welcome to Cash in the Cyber Sheets. I'm your host, James Bowers, Chief Security and Compliance Architect here at Input Output. Very happy to have you back here with us today. And today we are actually going to jump into the CIA triad that is in every single book, practically every single security paper, in everything that you talk about in security.
But we're going to take it a step further today and actually talk about what we look at, the CIAPS, the additional privacy and safety issues that we look at in everything and why that's so important and why you want to make sure you're not forgetting to do that as part of your information security program. Very, very important things. So before we jump in, please click that like, click that subscribe, hit that button, tell your friends, tell everybody about us, get more people over here, and we'd love to hear your comments wherever you're listening to us, Spotify, Apple, YouTube.
Very happy you're here with us today. So let's jump in. So we've talked about it in other podcasts.
We actually talked about it a little bit in last week's podcast, but I want to go over the CIA triad. This is really security 101. It's what everything's built on.
It's what everything is looking to support. And it's very, very important. So the CIA triad begins with confidentiality, integrity, and availability.
So let's dive into each of those and see exactly what each of those means, what we're looking to protect, what we're looking to make sure is in place. So with confidentiality, to make it simple, it's just making sure that there's no unauthorized access. The people that are supposed to have access to things are the only people that can gain access to them.
That's basically it. That's confidentiality. What's important and why we're going to look at privacy in a little bit is the difference between that and accessing client information, accessing personal information.
We'll get to that, but that's more of a privacy issue. But right now, confidentiality, it's just making sure there's no unauthorized access, and it's really the crux of data breaches. That's confidentiality; that's what got breached.
The next one we look at is integrity. Now, integrity looks at a few things. One, it's making sure that the data that we have is accurate, making sure that any change was authorized and expected.
So not only are we looking to make sure that there's no unauthorized tampering, which would also be a confidentiality issue, but we're also making sure that there's no data corruption, that when we need that data, it's going to be in the state that we expect it to be in. What we're also looking at with integrity is non-repudiation. We want to make sure that we can identify who did what, which person or which entity made a change or accessed documents, assets, anything.
Are we able to tie activities to an actual person? And where you see this break down in the real world is typically with shared passwords. People are sharing accounts, they're sharing passwords. And at that point, I have no ability, we have no ability to identify who did what.
That completely breaks down that non-repudiation. And if you ever try to do any type of prosecution or take things into kind of a more serious legal approach, if you don't have that non-repudiation, if you can't definitively say who did what, the entire case falls apart. Because now you're introducing all of the reasonable doubt.
The next part of the CIA triad, we've gone through confidentiality and integrity. The next part is availability. And this really looks to make sure that we have data, assets, people, resources, whatever, available when we need them and to the degree that we need them.
So that could mean that our internet may be up and running, but we don't have enough bandwidth to support the entire office. That would be an availability issue, even though the system is up and running, even though the internet is available, it's not to the degree that we need it. And things that can affect that are definitely DDoS attacks, different types of malware, but a lot of times what affects availability is poor planning.
There's just not enough capacity management. We haven't put enough in place to be able to support all the resources that we need. Now, I went through that very quickly because we've talked about it before.
And if you've read any security book, it's in there like crazy. And the CIA triad really isn't the main point of this conversation of today's episode. What really is, is adding that P and the S, the privacy and the safety.
And I want to dive into why that's so important. Now, when you're looking at information security, when you're going for any type of information security certification, the P privacy is at this point practically implied. It's really CIA and privacy.
It's just assumed. So we put it on there to make it easy and at the forefront. But privacy really comes down to protecting data subject identification.
Are data subjects being identified when they're not supposed to be? So you can have, say, a confidentiality issue where unauthorized access of data happens, but not have a privacy event because no data subjects were identified. You can also have a privacy event, but no confidentiality issue where somebody did have access to those databases, but they identified a whole lot of data subjects that perhaps they weren't directly working with at that time, like a HIPAA violation, violating that need to know. So that's where you can have that difference of a privacy issue and a confidentiality issue.
And these seem like they can be small things, but where it's really important is that with a privacy issue, if you're identifying data subjects, if data subjects' information is being exposed, PII, PHI, cardholder data, if that's being exposed, that's where you have a serious data breach. Confidentiality issues, they suck. But ultimately, if it's just my company data, it's not any client data.
Well, even though that could be a major confidentiality breach, if I don't have any type of privacy breach, I don't typically have a reportable event. I'm not typically as deep in the muck as I am when I have a privacy breach, and that's why it's so important to split these up so that you can look at your risk appropriately. If I have a data breach of this database or these systems, do I have to worry about confidentiality issues? Do I have to worry about privacy issues, or do I have to worry about both? And that's where it becomes a very serious issue when a data breach is concerned.
The next one is safety. Now, safety is, interestingly enough, starting to be talked about more, but it just hasn't been. And even when it's talked about, it's almost as an afterthought, when there is so much overlap now between data systems, information systems, and systems that could affect the health, the well-being of people, of patients, of clients, that safety has to be a concern, has to be evaluated in everything.
And we have these listed on all of our risk assessments, the CIAPS. We can look at those, and a lot of times there's no safety concern. It's a lot of zeros. It's a lot of "does not apply," and that's okay, but there are situations where it makes a significant impact.
And some of those are, say, with phone systems: if we have a fire system or we have an elevator in our building and we take out our POTS lines, those emergency systems may not work. That could actually cause a life-threatening situation. Other situations where safety can become a serious concern are tied in with availability.
What if we don't build in enough backup, battery backup, or redundant systems for our surgical systems and our power goes out or a system goes offline? If we're in the middle of a surgery, that could be a major issue. Even more real-world examples are with some of the healthcare breaches. They brought healthcare systems offline for weeks and months and delayed patient care.
People couldn't get in to see their doctors. They couldn't get in to get the care that they needed, which can create very serious safety issues, especially in those situations where maybe I'm going to push back this ultrasound or I'm going to push back this procedure because it's not life threatening. I'm not bleeding.
I don't need to go to the ER, but now I've waited months and whatever was going on has progressed, and now it's a major issue. And we've had situations like that very close to our own family. It's a very real issue, and it's why safety has to be considered with all of your information systems, all of our information systems, all of our data support. Everything that we are developing, that we are protecting, is all there for a reason, and that reason is typically making people's lives better, keeping them healthier, and when those systems aren't there, that falls apart.
So when you are considering all of your risk, when you're considering your typical CIA triad or you have your risk register, make sure that you are also considering, for every risk point, what type of privacy impact would this have and what type of safety impact would this have?

What I'd like to open up from here is I would really like, in the comments, to hear why you think that privacy and safety weren't really part of the original triad, why there's been such a slow adoption, and also what type of things you are doing to make sure that your systems are helping to keep people safe and helping to support data privacy.

That is all the time that I've got for today, but you can definitely check out our blog, which has tons of information on the CIA triad, and all of our policy examples, everything that we have, also tie in that entire CIAPS framework. If you'd like to hear more, if you'd like to dive into it, please leave us some comments, reach out to us. Thank you for listening today and until next time.
Thanks for joining us today. Don't forget, click that subscribe button, leave us a review, and share it with your network. Remember, security and compliance aren't just about avoiding risk. They're about unlocking your business's full potential. So stay secure, stay compliant, and we'll catch you next week on Cash in the Cyber Sheets. Goodbye for now.
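The distinctions the host draws (a confidentiality issue with no data subjects identified, a privacy event with authorized access beyond need-to-know, a non-repudiation breakdown from shared accounts, a service that is up but not "to the degree we need it", and a safety column that must be assessed on every risk even when the honest answer is zero) can be captured in a small risk-register helper. The following is an added example written for this page, not code from the podcast, Input Output, or any product; the Event fields, the scoring scale, the "reportable" rule of thumb and the register rows are all constructed assumptions for illustration.

```python
"""Constructed CIAPS risk-register helper (added example, not from the podcast).

Classifies a security event into the CIAPS dimensions it touches, and audits a
risk register so that a Privacy or Safety column that was never filled in is
distinguished from one explicitly recorded as 0 ("does not apply").
All field names, scores and register rows are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

DIMENSIONS = ("C", "I", "A", "P", "S")


@dataclass(frozen=True)
class Event:
    unauthorized_access: bool        # someone who should not have access got it
    data_subjects_identified: bool   # PII/PHI/cardholder data exposed beyond need-to-know
    data_altered: bool               # unexpected or unauthorized change / corruption
    actor_attributable: bool         # can the action be tied to one person or entity?
    capacity_met: bool               # service is up AND has the capacity the need requires
    physical_harm_possible: bool     # could people (patients, staff, visitors) be hurt?


def classify_event(ev: Event) -> set:
    """Return the set of CIAPS dimensions an event affects."""
    hit = set()
    if ev.unauthorized_access:
        hit.add("C")
    # Privacy is about identifying data subjects, independent of whether the
    # access itself was authorized (the need-to-know case from the episode).
    if ev.data_subjects_identified:
        hit.add("P")
    # Integrity covers both unauthorized change and loss of non-repudiation,
    # e.g. a shared account where nobody can say who did what.
    if ev.data_altered or not ev.actor_attributable:
        hit.add("I")
    # "Up but not enough bandwidth" is still an availability hit.
    if not ev.capacity_met:
        hit.add("A")
    if ev.physical_harm_possible:
        hit.add("S")
    return hit


def is_reportable(ev: Event) -> bool:
    """Constructed rule of thumb from the episode: exposure that identifies
    data subjects is what typically triggers a reportable event; a pure
    company-data confidentiality issue usually does not. Real obligations
    depend on the applicable regulation."""
    return "P" in classify_event(ev)


@dataclass
class Risk:
    name: str
    likelihood: int   # constructed scale: 1 (rare) .. 5 (almost certain)
    impact: dict      # dimension -> 0..5; a missing key means "never assessed"

    def score(self, dim: str) -> Optional[int]:
        val = self.impact.get(dim)
        return None if val is None else self.likelihood * val


def unassessed_dimensions(risk: Risk) -> list:
    """Dimensions with no recorded value. An explicit 0 is fine ("does not
    apply"); a missing P or S is the gap the host warns about."""
    return [d for d in DIMENSIONS if risk.impact.get(d) is None]


def worst_dimension(risk: Risk) -> Optional[str]:
    """Highest likelihood*impact among the dimensions that were assessed."""
    scored = {d: risk.score(d) for d in DIMENSIONS if risk.score(d) is not None}
    return max(scored, key=scored.get) if scored else None


def register_findings(register: list) -> dict:
    """Per risk: the dimension driving its score, and any dimension left blank."""
    return {
        r.name: {"worst": worst_dimension(r), "unassessed": unassessed_dimensions(r)}
        for r in register
    }


# Constructed register rows for illustration only.
REGISTER = [
    Risk("Shared admin password on EHR", 4, {"C": 3, "I": 4, "A": 1, "P": 3, "S": 2}),
    Risk("POTS lines removed (fire panel, elevator)", 2, {"C": 0, "I": 0, "A": 3, "P": 0, "S": 5}),
    Risk("Ransomware on file server", 3, {"C": 4, "I": 4, "A": 5}),  # P and S never assessed
]

if __name__ == "__main__":
    for name, finding in register_findings(REGISTER).items():
        print(f"{name}: worst={finding['worst']} unassessed={finding['unassessed']}")
```

Running the block lists the dimension that drives each risk and flags the ransomware row, whose Privacy and Safety columns were never filled in, which is exactly the case a register review should catch before the risk is accepted.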