What Is the CIA Triad?

In the information security (InfoSec) community, “CIA” has nothing to do with a certain well-recognized US intelligence agency. These three letters stand for confidentiality, integrity, and availability, otherwise known as the CIA triad.

Together, these three principles form the cornerstone of any organization’s security infrastructure; in fact, they (should) function as the goals and objectives of every security program. The CIA triad is so foundational to information security that anytime data is leaked, a system is attacked, a user takes the bait in a phishing email, an account is hijacked, a website is maliciously taken down, or any number of other security incidents occur, you can be certain that one or more of these principles has been violated.

Security professionals evaluate threats and vulnerabilities based on the potential impact they have on the confidentiality, integrity, and availability of an organization’s assets—namely, its data, applications, and critical systems. Based on that evaluation, the security team implements a set of security controls to reduce risk within their environment. In the next section, we’ll provide precise and detailed explanations of these principles in the context of InfoSec, and then look at real-world applications of these principles.