CIA requirements

This is a posting I made in a discussion on the LinkedIn Information Security Community Group about which of Confidentiality, Availability and Integrity is most important.

I have been engaged in ICT risk assessments in government agencies over the last 2 years. The first stage of each is to establish the business context, as the risks are always to the business. This stage involves working with the business owner of the system(s) to understand what business functions the system delivers and who its users and other “stakeholders” are. We then get the business owner to identify the security requirements, starting with CIA, and to prioritise them once identified.
The results vary.

An emergency management system that takes a lot of variable-grade input to facilitate decision making has no confidentiality requirements; the integrity of the information should be maintained once captured; but the system must be available for the duration of any emergency it is in use for.

A Certification Authority must maintain the confidentiality of private keys while publishing public keys. The system availability required of the root CA I have been involved with is business hours only (12 hours a day), but during those hours availability is critical to business processes. The integrity of all keys is paramount, as is the integrity of the audit trail.

There is no simple answer and each case must be carefully analysed in its own context. The CIA “stool” may at times have fewer than 3 legs, and the legs will generally be of unequal length.

I would expect that for a bank, client information has significant confidentiality requirements, integrity is vital and availability somewhat less so (I’d be a lot more upset if my bank had incorrect information in my accounts than if I couldn’t access it on-line after hours – or even if I turned up at a counter and the teller said the system was down). On the other hand, a bank’s trading room will have very high availability requirements, with confidentiality high until a trade is made and irrelevant afterwards, when the market knows who did what.
Different systems – different requirements in the same organisation.