I have spent the last ten years researching and working in privacy, leading privacy programs and leading privacy teams. I spent the previous twenty years doing similar in cybersecurity, across the financial sector. The two subjects make excellent bedfellows and provide a hybrid understanding of not just the ‘what must be done to be compliant’…but also the ‘how and why’.
Data protection and privacy specialists (let’s use the term privacy professionals for simplicity) are some of the most well-qualified people I know – many with robust legal or compliance backgrounds. However, I wonder how many are really clear on the key technical controls and models in cybersecurity and how and when to apply them? One may know what the term VPN means, but what about when a VPN should be used and, more importantly, not used, and what the risks of using a VPN are versus the benefits? The same goes for a firewall, network access control, privileged identity management, SSL, TLS etc. I’m not advocating that privacy professionals rush out and get industry qualified to CISSP or CISA! I also appreciate that most global privacy laws are typically technology agnostic – however, their interpretation and implementation is not. Consequently, the need to know and understand information security at this level is an increasing requirement for privacy professionals. In fact, GDPR’s Article 32 states that:
“Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk…”
But how to measure that risk and what are the key security-related organisational and technical measures that are being referred to here? Is there a compendium to choose from? How does one know what controls should or should not be in place? The idea of this series is to present some of the key concepts and frameworks in information security and highlight areas of intersection with privacy and data protection. The aim is to help the privacy professional take a critical step back when completing activities such as a Records of Processing Activity (ROPA) or a Data Protection Impact Assessment (DPIA) – and to evaluate the risks and the controls in place, rather than relying on the IT department or security team. As privacy professionals we have much to learn from the school of information security and it is my intention throughout this 3-part series to bring that knowledge to the reader.
Definitional Clarity?
Debates abound as to whether information security and cybersecurity are synonymous. Gartner argues that ‘cybersecurity’ is a superset of information security; a broader term that encompasses a range of practices, tools and processes that spans information and operational security. For the purpose of this blog – we are going to use the term information security to mean both cyber and information security.
NIST defines information security as the protection of information and information systems from unauthorised access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.
The CIA Triad
These key information security components (confidentiality, integrity, and availability) are traditionally referred to in information security circles as the CIA Triad. The CIA Triad provides a simple yet comprehensive high-level checklist for the evaluation of your security procedures and tools. While I appreciate the CIA Triad is an old model (and many have called for it to be updated to include principles of resilience) – it’s a pretty robust model that has been around for more than 30 years. An effective system satisfies all three components of the triad, and the triad is also valuable in assessing and reflecting on what went wrong and what worked after a negative incident or breach. For example, perhaps availability was compromised after a malware attack such as ransomware, but the systems in place were still able to maintain the confidentiality of important information. This data can be used to address weak points and replicate successful policies and implementations.
It is important to note that the CIA Triad does not refer specifically to ‘personal data’, and in this way has a broader scope than a compliance one – to include operations, resilience and reputation. Interestingly, GDPR’s Article 32 specifically calls out the CIA Triad (although not by name): “…the ability to ensure the ongoing confidentiality, integrity, availability … of processing systems and services”.
Given its relevance and importance in privacy and data protection, I would contend that the CIA Triad of Information Security has today become the CIA Triad of Data. Let’s take a closer look at all three components of the CIA Triad and how they might apply to the work of privacy professionals. Let us also ask ourselves how comfortable we are in the intersection between privacy and information security – as presented by the CIA Triad:
• Confidentiality
Confidentiality involves the efforts of an organisation to make sure data is kept secret or private. To accomplish this, access to information must be controlled to prevent the unauthorised sharing of data—whether intentional or accidental. A key component of maintaining confidentiality is ensuring that people without proper authorisation are prevented from accessing certain assets, and that those who need to have access have the necessary privileges.
While this component of the triad refers to the confidentiality of ‘data’ – it is not specifically referring to ‘personal data’, as it is also referring to non-personal data that may be highly sensitive or critical data such as board papers, network information, systems information, minutes of meetings, strategy documents, trade secrets, corporate announcements, merger and organisation plans etc. Where there is unauthorised or accidental access to data – this can result in a breach of confidentiality e.g., identity theft following the disclosure of the payslips of all employees of a company.
This includes information security’s two big As:
• Authentication, which encompasses processes that allow systems to determine if a user is who they say they are. These include passwords, biometrics, security tokens, cryptographic keys, etc.
• Authorisation, which determines who has the right to access which data: One of the most important ways to enforce confidentiality is establishing need-to-know mechanisms for data access. Most operating systems enforce confidentiality in this sense by having many files only accessible by their creators or an admin, for instance.
There is an obvious link between this component and data protection. However, as a privacy professional, how much do you know about asset management, authentication and key management, and authorisation and access control management? How much do you know about MFA, data classification and handling rules, layers and levels of encryption, data at rest and in transit, single sign-on, endpoint device management and mobile device management?
• Integrity
Integrity involves ensuring data is trustworthy and free from tampering. The integrity of data is maintained only if the data is authentic, accurate, and reliable.
Again, this component not only refers to the integrity of personal data and its accuracy, but also to the accuracy and integrity of other data such as digital signatures, encryption certificates, hashing algorithms, audit logs, mirrored systems, payment, accounting and financial systems, MIS systems etc. Where there is unauthorised or accidental alteration of data – this can result in a breach of integrity e.g., incorrect names or addresses on an insurance policy.
However, as a privacy professional, how much do you know about file integrity monitoring, audit logs, security information and event monitoring (SIEM), change control protocols, configuration management, version control, non-repudiation and systems hardening?
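An added example (my own code, not from the post or its author) of the hashing and file-integrity-monitoring idea named above: a constructed set of insurance policy records, an unkeyed SHA-256 baseline and a keyed HMAC-SHA256 baseline. It shows why the keyed form matters: someone who can alter a record and also overwrite the plain-hash baseline defeats the unkeyed check, but cannot forge the keyed one without the key.

```python
"""Integrity baseline for stored records: unkeyed hash vs keyed HMAC (illustrative)."""
import hashlib
import hmac
import secrets

# Constructed sample records (hypothetical policy data, not from any real system).
RECORDS = {
    "policy-001": b"name=Jane Doe;address=12 Elm Road;premium=420.00",
    "policy-002": b"name=John Roe;address=9 Oak Lane;premium=315.50",
}


def sha256_baseline(records):
    """Unkeyed baseline: catches accidental corruption, not deliberate tampering."""
    return {k: hashlib.sha256(v).hexdigest() for k, v in records.items()}


def hmac_baseline(records, key):
    """Keyed baseline: only a holder of `key` can produce a matching tag."""
    return {k: hmac.new(key, v, hashlib.sha256).hexdigest() for k, v in records.items()}


def check_sha256(records, baseline):
    """Return the keys whose current hash differs from the stored baseline."""
    return sorted(k for k, v in records.items()
                  if hashlib.sha256(v).hexdigest() != baseline.get(k))


def check_hmac(records, baseline, key):
    """Same check with keyed tags; compare_digest avoids timing side channels."""
    return sorted(k for k, v in records.items()
                  if not hmac.compare_digest(hmac.new(key, v, hashlib.sha256).hexdigest(),
                                             baseline.get(k, "")))


def demo():
    """Two cases: a record altered, then the record altered plus the hash baseline rewritten."""
    key = secrets.token_bytes(32)           # kept out of reach of the record store
    sha, mac = sha256_baseline(RECORDS), hmac_baseline(RECORDS, key)
    tampered = dict(RECORDS)
    tampered["policy-001"] = b"name=Jane Doe;address=99 Other Street;premium=420.00"
    # Case 1: record changed, baselines untouched -> both checks flag policy-001
    case1 = (check_sha256(tampered, sha), check_hmac(tampered, mac, key))
    # Case 2: unkeyed baseline recomputed over the altered data -> only HMAC still flags it
    case2 = (check_sha256(tampered, sha256_baseline(tampered)), check_hmac(tampered, mac, key))
    return case1, case2


if __name__ == "__main__":
    print(demo())
```

Audit logs and SIEM alerts built on an unkeyed baseline inherit the same weakness, which is why the key (or a signing key, for non-repudiation) must live somewhere the data writer cannot reach.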
• Availability
Even where the confidentiality and integrity of data are both maintained – it is ineffective if the data is not available to those who require it e.g., employees in the organisation, the customers they serve or the data subjects themselves. This means that systems, networks, and applications must be functioning as they should and when they should. Also, individuals with access to specific data must be able to consume it when they need to, and getting to the data should not take an inordinate amount of time. Where there is a loss of data or loss of access to data – this can result in a breach of availability e.g., losing a laptop, or failing to record a telephone call between a data subject and the HR department that could later be relevant to a Data Subject Access Request (DSAR).
When I started out in Information Security – this component of the Triad was firmly established in the realm of information security. However, with the right of access enshrined in GDPR, I would argue that for personal data this component sits firmly in privacy or data protection, particularly with the rise in ransomware attacks, which can essentially render personal data inaccessible. By way of example, the HSE suffered a major ransomware cyberattack which caused all of its IT systems nationwide to be shut down. It was the most significant cybercrime attack on an Irish state agency and the largest known attack against a health service computer system. The data was inaccessible for all stakeholders and, most importantly – if a data subject had made a subject access request, the HSE would not have been able to respond and the data subject’s rights would have been breached.
However, as a privacy professional, how much do you know about distributed denial of service (DDoS) attacks and how to prevent them, detect them or respond to them? How much do you know about incident response management or vulnerability management? How much do you know about disaster recovery and business continuity? How much do you know about journaling, roll-back and remediation, mirroring, hot sites, cold sites, backups etc.?
Beyond the CIA Triad
The CIA triad isn’t the holy grail, but it’s a valuable tool for planning both a cybersecurity strategy AND a data protection strategy. As I noted previously however, the Triad has often been called into debate, particularly with regard to the absence of two key components. The first is ‘non-repudiation’ (ensuring that one cannot falsely deny they created, altered, observed, or transmitted data). This is crucial in legal contexts when, for instance, someone might need to prove that a signature is accurate, or that a message was sent by the person whose name is on it. The second is ‘resilience’ (the ability of an organization to withstand cybersecurity incidents and cope with the aftermath of disruptive events).
In 1998 Donn Parker proposed a six-sided model called the Parkerian Hexad, which was built on the following principles:
• Confidentiality
• Possession or control
• Integrity
• Authenticity
• Availability
• Utility
Again, it’s somewhat open to debate whether the extra three points really press into new territory, but it’s worth noting as an alternative model.
In the next article in the series, we are going to leverage control frameworks from NIST and ISO 27002 to present an outline of the mitigating controls that can be applied to each component in the CIA Triad, together with the preventative/detective controls that reduce the risk. And then the final article in the series will present a checklist of items for any privacy professional to use to assess security controls.
Dr Valerie Lyons is the Chief Operating Officer of BH Consulting.
