The Pillars of Security

A few years ago I went to London to sit a week-long intensive course to learn all I needed to know ready to take the ISC2 CISSP exam.  Unfortunately the trip cost me more than I was expecting and I didn’t have enough money to pay for the exam.  I have decided it’s about time I sorted something out about this, and so I am studying towards it again.

So first up is one of the basic principles of security.  You can remember it as C.I.A.

  • Confidentiality
  • Integrity
  • Availability

Confidentiality is about making sure that the private information within an organisation stays private.  That applies while the information is in transit, for example inside an encrypted VPN tunnel, and while it is at rest, by controlling who can reach the resource that hosts it, e.g. with access control lists on a firewall.  The two go together: a VPN protects the wire, but if anyone on the network can ask the server for the data, the secret is still exposed, so transport protection has to be paired with access control at the resource.

Integrity is about knowing that the information you are processing has not been altered, whether accidentally or deliberately, by any system or person.  The controls range from hashing, so that you can tell the data hasn’t changed, to least-privilege access policies, so that fewer people and processes are in a position to change it in the first place.  One caveat worth remembering: a plain hash only catches accidental corruption, because anyone able to alter the data can usually recompute the hash to match.  To detect deliberate tampering the hash has to be keyed (an HMAC) or signed, so that a valid checksum can only be produced by a party holding the key.
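To make the difference between a plain hash and a keyed hash concrete, here is an added example (my own code, not from the original post). The key and the three messages are constructed for the demonstration; a real system would fetch the key from a secret store rather than hard-code it. The example shows that SHA-256 on its own catches a bit flip but not an attacker who rewrites both the data and the hash, whereas HMAC-SHA256 catches both because the attacker cannot compute a tag without the key.

```python
import hashlib
import hmac

# Constructed sample data for this example (not from the original post).
# In real use the key comes from a secret store and is never hard-coded.
KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
ORIGINAL = b'{"account":"12345","amount":100}'
TAMPERED = b'{"account":"12345","amount":100000}'    # deliberate change by an attacker
CORRUPTED = bytes([ORIGINAL[0] ^ 0x01]) + ORIGINAL[1:]  # accidental single-bit flip


def sha256_digest(data: bytes) -> str:
    """Plain hash: an integrity check against accidental corruption only."""
    return hashlib.sha256(data).hexdigest()


def hmac_tag(key: bytes, data: bytes) -> str:
    """Keyed hash (HMAC-SHA256): only a holder of `key` can produce a valid tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_with_hash(data: bytes, digest: str) -> bool:
    """Recompute the hash of `data` and compare it to `digest` in constant time."""
    return hmac.compare_digest(sha256_digest(data), digest)


def verify_with_hmac(key: bytes, data: bytes, tag: str) -> bool:
    """Recompute the HMAC of `data` under our key and compare to `tag` in constant time."""
    return hmac.compare_digest(hmac_tag(key, data), tag)


def demo() -> dict:
    """Run the scenarios and report, for each, whether the check behaved as an integrity control should."""
    stored_digest = sha256_digest(ORIGINAL)   # what a hash-only scheme stores alongside the data
    stored_tag = hmac_tag(KEY, ORIGINAL)      # what an HMAC scheme stores alongside the data

    return {
        # A bit flip on the wire or on disk: both checks catch it.
        "hash_catches_corruption": not verify_with_hash(CORRUPTED, stored_digest),
        "hmac_catches_corruption": not verify_with_hmac(KEY, CORRUPTED, stored_tag),
        # An attacker who can rewrite the data can rewrite the plain hash too,
        # so the tampered message verifies cleanly: this entry comes out False.
        "hash_catches_tampering": not verify_with_hash(TAMPERED, sha256_digest(TAMPERED)),
        # The attacker does not hold KEY.  Whether they reuse the old tag or
        # compute a new one with a guessed key, verification fails.
        "hmac_catches_tampering_old_tag": not verify_with_hmac(KEY, TAMPERED, stored_tag),
        "hmac_catches_tampering_guessed_key": not verify_with_hmac(KEY, TAMPERED, hmac_tag(b"guess", TAMPERED)),
        # And the genuine message still verifies under the real key.
        "hmac_accepts_genuine": verify_with_hmac(KEY, ORIGINAL, stored_tag),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:40s} {ok}")
```

The comparisons use `hmac.compare_digest` rather than `==` so that the time taken does not leak how many leading bytes of the tag an attacker got right. Note that an HMAC tells you the data came from someone holding the shared key; if you need to prove which party produced it to a third party, you need a digital signature instead.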

Availability is the defence against downtime.  And let’s be clear, that’s not just defence against the classic Distributed Denial of Service attack; it also covers anything that stops users reaching the resources they need to do their jobs, whether that is an outage, a misconfiguration or a control so strict that it locks out the legitimate users along with the attackers.

The premise is that if the matter at hand doesn’t fit into at least one of these three categories, it isn’t security.  The converse also holds: anything that does fit into one of them is a security concern, even though most people only think about the parts that fall under confidentiality.

This entry was posted in CISSP, Security Basics.