Have you ever wondered why Availability is included in the Confidentially, Integrity and Availability model? I did… and wrote this blog to express my thoughts.
Wikipedia definition “Information Security is concerned with the confidentiality, integrity and availability of data regardless of the form the data may take: electronic, print, or other forms.”
Hmmm, okay. But why should I, as a security professional, be worried about the availability of the data? The way I see it, if the information is unavailable… then that is better. I believe the Payment Card Industry (PCI) standard was the first regulation to catch on to this. If you read the standard it doesn’t mention the availability, back up or recovery of data, and being a Qualified Security Assessor (QSA), I understand the PCI Council has good reasons why.
As a security professional I understand that the evolution of security. Back in the day… security meant having a firewall and making sure that network was available. However, today security has a completely different role within organization. The ability for the information to be available falls under the jurisdiction of the Chief Information Officer.
I have authored hundreds of security documents that if/when implemented would “break” the functionality of the application, system or process. However, if these controls are not implemented the application, system or process is left vulnerable to attack. Being concerned with availability, you, as the security professional cannot push the implementation of the control. As such, you have accepted the vulnerability.
Why is this important? Many organizations are unable to position Security in the right structure, meaning that security still falls under the CIO. While this can work, there are too many points of failure for security to be embraced within the organization. So, as long as security professionals continue to position themselves with the responsibility of ensuring availability of information, the ability to truly secure the data will be jeopardized.