Basic principles

Key concepts
The CIA triad of confidentiality, integrity, and availability is at the heart of information security.[12] (The members of the classic InfoSec triad, confidentiality, integrity and availability, are interchangeably referred to in the literature as security attributes, properties, security goals, fundamental aspects, information criteria, critical information characteristics and basic building blocks.) There is continuous debate about extending this classic trio.[3] Other principles such as accountability[13] have sometimes been proposed for addition; it has been pointed out that issues such as non-repudiation do not fit well within the three core concepts.
In 1992, and revised in 2002, the OECD's Guidelines for the Security of Information Systems and Networks[14] proposed nine generally accepted principles: awareness, responsibility, response, ethics, democracy, risk assessment, security design and implementation, security management, and reassessment. Building upon those, in 2004 NIST's Engineering Principles for Information Technology Security[15] proposed 33 principles. Guidelines and practices have been derived from each of these.
In 2002, Donn Parker proposed an alternative model for the classic CIA triad that he called the six atomic elements of information. The elements are confidentiality, possession, integrity, authenticity, availability, and utility. The merits of the Parkerian Hexad are a subject of debate amongst security professionals.
In 2011, The Open Group published the information security management standard O-ISM3. This standard proposed an operational definition of the key concepts of security, with elements called "security objectives", related to access control (9), availability (3), data quality (1), compliance and technical (4). This model is not currently widely adopted.
In 2013, based on a thorough analysis of Information Assurance and Security (IAS) literature, the IAS-octave was proposed as an extension of the CIA-triad.[16] The IAS-octave includes Confidentiality, Integrity, Availability, Accountability, Auditability, Authenticity/Trustworthiness, Non-repudiation and Privacy. The completeness and accuracy of the IAS-octave was evaluated via a series of interviews with IAS academics and experts. The IAS-octave is one of the dimensions of a Reference Model of Information Assurance and Security (RMIAS), which summarizes the IAS knowledge in one all-encompassing model.
Confidentiality
In information security, confidentiality "is the property, that information is not made available or disclosed to unauthorized individuals, entities, or processes" (excerpt from ISO27000).
Integrity
In information security, data integrity means maintaining and assuring the accuracy and completeness of data over its entire life-cycle.[17] This means that data cannot be modified in an unauthorized or undetected manner. This is not the same thing as referential integrity in databases, although it can be viewed as a special case of consistency as understood in the classic ACID model of transaction processing. Information security systems typically provide message integrity in addition to data confidentiality.
Availability
For any information system to serve its purpose, the information must be available when it is needed. This means that the computing systems used to store and process the information, the security controls used to protect it, and the communication channels used to access it must be functioning correctly. High availability systems aim to remain available at all times, preventing service disruptions due to power outages, hardware failures, and system upgrades. Ensuring availability also involves preventing denial-of-service attacks, such as a flood of incoming messages to the target system essentially forcing it to shut down.[18]
Non-repudiation
In law, non-repudiation implies one's intention to fulfill their obligations to a contract. It also implies that one party of a transaction cannot deny having received a transaction, nor can the other party deny having sent a transaction. Note: this is also regarded as part of integrity.

It is important to note that while technology such as cryptographic systems can assist in non-repudiation efforts, the concept is at its core a legal concept transcending the realm of technology. It is not, for instance, sufficient to show that the message matches a digital signature signed with the sender's private key, and thus only the sender could have sent the message and nobody else could have altered it in transit. The alleged sender could in return demonstrate that the digital signature algorithm is vulnerable or flawed, or allege or prove that his signing key has been compromised. The fault for these violations may or may not lie with the sender himself, and such assertions may or may not relieve the sender of liability, but the assertion would invalidate the claim that the signature necessarily proves authenticity and integrity and thus prevents repudiation.
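To make the integrity and non-repudiation points above concrete, the following Go program (an added example, not part of the original article) signs a constructed message with an Ed25519 key pair from the Go standard library: verification fails once a single byte is altered in transit, yet succeeds equally for a signature made with a copy of the private key, which is why a valid signature on its own cannot settle a repudiation claim.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Demo runs a constructed scenario with a fresh Ed25519 key pair and returns
// whether verification succeeds for: the genuine signed message, the same
// message altered in transit, and a message signed with a copy of the key.
// A successful verification establishes integrity (the bytes are exactly what
// was signed) and that some holder of the private key signed them; it does
// not establish which person held the key, which is the non-repudiation gap.
func Demo() (genuine, tampered, compromised bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	msg := []byte("transfer 100 EUR to account 42") // constructed sample
	sig := ed25519.Sign(priv, msg)
	genuine = ed25519.Verify(pub, msg, sig)

	// Integrity: one byte changed after signing, so the signature no longer matches.
	altered := append([]byte(nil), msg...)
	altered[9] = '9' // "100" becomes "900"
	tampered = ed25519.Verify(pub, altered, sig)

	// Key compromise: a copy of the private key yields signatures the verifier
	// cannot tell apart from the legitimate holder's, so a valid signature alone
	// does not prove who sent the message.
	stolen := ed25519.PrivateKey(append([]byte(nil), priv...))
	forged := []byte("transfer 900 EUR to account 42") // constructed sample
	compromised = ed25519.Verify(pub, forged, ed25519.Sign(stolen, forged))
	return
}

func main() {
	g, t, c, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v tampered=%v key-compromise=%v\n", g, t, c)
}
```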