In the course of giving my security presentations over the past year, I've learned that quite a few folks have never seen the C-I-A triad before. The C-I-A triad stands for Confidentiality, Integrity, and Availability.
It's often illustrated using a triangle, with one of the three terms at each corner.
The C-I-A triad forms the basis of how to start thinking about information/data security. Applied to security, the three words mean the following: confidentiality means data is disclosed only to those authorized to see it; integrity means data is not altered or destroyed except by authorized parties, and any unauthorized change can be detected; availability means the data, and the systems that serve it, are accessible to authorized users when they need them.
In security we often focus on the first two items and forget about the last, availability. To do this, however, is a mistake. Conversely, I typically find business users and development staff focused on the last, availability, and not so worried about the first two. Again, this is a mistake. Good information security balances all three to ensure a reasonably secure system. What do I mean by reasonably secure? It depends on the data. If we're talking about who brought what to the bake sale, there's probably not a lot of security required. But if we're talking about intellectual property, such as something for which a patent, copyright, or registered trademark hasn't been filed yet, we may want very good measures in place with respect to confidentiality and integrity.
With all that said, when looking at the initial architecture for a system or application, a good starting point from a security perspective is the C-I-A triad. It's high level enough to start asking the right questions to bake security into the system. And if security is baked in from the beginning, it's a lot cheaper than trying to retrofit a system later to fix security holes. Therefore, when talking with folks about initial development, I make sure they understand the C-I-A triad.