Confidentiality, Integrity, and Availability

Question 1

What is Confidentiality?

Answer 1

The first principle of the CIA Triad is confidentiality. Confidentiality is the concept of the measures used to ensure the protection of the secrecy of data, objects, or resources. The goal of confidentiality protection is to prevent or minimize unauthorized access to data.

Question 2

Passive element

Answer 2

An object is the passive element in a security relationship, such as files, computers, network connections, and applications.

Question 3

Active element

Answer 3

A subject is the active element in a security relationship, such as users, programs, and computers.

Question 4

Events that lead to confidentiality breaches

Answer 4

Failing to properly encrypt a transmission, failing to fully authenticate a remote system before transferring data, leaving open otherwise secured access points, accessing malicious code that opens a back door, misrouted faxes, documents left on printers, or even walking away from an access terminal while data is displayed on the monitor. Confidentiality violations can result from the actions of an end user or a system administrator. They can also occur because of an oversight in a security policy or a misconfigured security control.

Question 5

Aspects of confidentiality

Answer 5

Sensitivity, Criticality, Discretion, Concealment, Secrecy, Privacy, Seclusion, Isolation

Question 6

What is sensitivity

Answer 6

Sensitivity refers to the quality of information, which could cause harm or damage if disclosed. Maintaining confidentiality of sensitive information helps to prevent harm or damage.

Question 7

What is criticality

Answer 7

The level to which information is mission critical is its measure of criticality. The higher the level of criticality, the more likely the need to maintain the confidentiality of the information.

Question 8

What is Discretion

Answer 8

Discretion is an act of decision where an operator can influence or control disclosure in order to minimize harm or damage.

Question 9

What is concealment

Answer 9

Concealment is the act of hiding or preventing disclosure. Often concealment is viewed as a means of cover, obfuscation, or distraction. A related concept to concealment is security through obscurity, which is the concept of attempting to gain protection through hiding, silence, or secrecy.

Question 10

What is secrecy

Answer 10

Secrecy is the act of keeping something a secret or preventing the disclosure of information.

Question 11

What is privacy

Answer 11

Privacy refers to keeping information confidential that is personally identifiable or that might cause harm, embarrassment, or disgrace to someone if revealed.

Question 12

What is seclusion

Answer 12

Seclusion involves storing something in an out-of-the-way location. This location can also provide strict access controls.

Question 13

What is isolation

Answer 13

Isolation is the act of keeping something separated from others.

Question 14

What is Integrity

Answer 14

Integrity is the concept of protecting the reliability and correctness of data. It ensures that data remains correct, unaltered, and preserved.

Question 15

Three perspectives of Integrity

Answer 15

1. Preventing unauthorized subjects from making modifications
2. Preventing authorized subjects from making unauthorized modifications, such as mistakes
3. Maintaining the internal and external consistency of objects so that their data is a correct and true reflection of the real world and any relationship with any child, peer, or parent object is valid, consistent, and verifiable

Question 16

Events that lead to integrity breaches

Answer 16

Modifying or deleting files; entering invalid data; altering configurations, including errors in commands, codes, and scripts; introducing a virus; and executing malicious code such as a Trojan horse. Integrity violations can occur because of the actions of any user, including administrators.

Question 17

Aspects of integrity

Answer 17

Accuracy, Truthfulness, Authenticity, Validity, Nonrepudiation, Accountability, Responsibility, Completeness, Comprehensiveness

Question 18

What is accuracy

Answer 18

Being correct and precise

Question 19

What is truthfulness

Answer 19

Being a true reflection of reality

Question 20

What is authenticity

Answer 20

Being authentic or genuine

Question 21

What is validity

Answer 21

Being factually or logically sound

Question 22

What is nonrepudiation

Answer 22

Not being able to deny having performed an action or activity or being able to verify the origin of a communication or event

Question 23

What is Accountability

Answer 23

Being responsible or obligated for actions and results

Question 24

What is responsibility

Answer 24

Being in charge or having control over something or someone

Question 25

What is completeness

Answer 25

Having all needed and necessary components or parts

Question 26

What is comprehensiveness

Answer 26

Being complete in scope; the full inclusion of all needed elements

Question 27

What is availability

Answer 27

Availability means authorized subjects are granted timely and uninterrupted access to objects. It also implies that the supporting infrastructure—including network services, communications, and access control mechanisms—is functional and allows authorized users to gain authorized access.

Question 28

Availability breaches include

Answer 28

Accidentally deleting files, overutilizing a hardware or software component, under-allocating resources, and mislabeling or incorrectly classifying objects.

Question 29

Aspects of availability

Answer 29

Usability, Accessibility, Timeliness

Question 30

What is Usability

Answer 30

The state of being easy to use or learn or being able to be understood and controlled by a subject

Question 31

What is accessibility

Answer 31

The assurance that the widest range of subjects can interact with a resource regardless of their capabilities or limitations

Question 32

What is timeliness

Answer 32

Being prompt, on time, within a reasonable time frame, or providing low-latency response