R.I.P. CIA Triad


Is it Time to Retire the CIA Triad?

In the world of information security, the CIA Triad (Confidentiality, Integrity, and Availability) has been the cornerstone principle, guiding organisations in their pursuit to safeguard their data. However, as the digital landscape has evolved, with its myriad complexities and nuances, there is a growing sentiment that this triad might need to be improved. Enter the Parkerian Hexad.

Devised by Donn B. Parker in the 1990s, the Parkerian Hexad augments the traditional three principles with an additional trio: Possession or Control, Authenticity, and Utility. This expansion aims to provide a more holistic framework for understanding and addressing the multifaceted security challenges of the 21st century. Let’s delve into the advantages of the Parkerian Hexad over its predecessor:

Comprehensive Coverage

The Hexad covers areas that the CIA Triad potentially overlooked. Adding Possession, Authenticity, and Utility broadens the scope of security considerations, ensuring that every potential vulnerability or threat vector is acknowledged and addressed. Where the CIA Triad focuses on what information needs, the Hexad recognises how that information is vulnerable and needs protection. For instance, the Parkerian Hexad recognises that even if data is confidential and its integrity is intact, it may become useless if it’s not available when needed (or if someone else has possession of it).

Compliance and Regulatory Requirements

The Parkerian Hexad also aligns better with current compliance and regulatory requirements. As organisations strive to meet stringent data protection standards, such as in GDPR or ISO, the Hexad’s comprehensive coverage ensures that all aspects of security are adequately addressed. The CIA Triad, on the other hand, may not provide sufficient guidance for organisations to meet these evolving regulatory demands.

Real-Life Application

While the CIA Triad may be an effective theoretical concept, its implementation can be challenging in real-world scenarios. The Parkerian Hexad offers more practical guidance for implementing security controls and measures as it considers the broader context of information systems and their usage. With a better understanding of how data is used and accessed, organisations can tailor their security strategies to best fit their specific needs.

The Human Element

One crucial aspect of the Parkerian Hexad is its recognition of the human element in information security. Unlike the CIA Triad, which focuses primarily on technical solutions, the Hexad acknowledges that humans are often the weakest link in a company’s security posture. By including Possession and Authenticity, the Parkerian Hexad recognises the importance of considering human behaviour and motivations in securing information.

As technology continues to advance, and with cyberattacks becoming increasingly sophisticated, organisations must constantly assess their security strategies. While the CIA Triad has been a valuable framework for decades, it may be time for organisations to embrace the more comprehensive Parkerian Hexad as their guiding principle.

Emphasis on Control

Possession or Control focuses on the idea of who has access to information. In today’s interconnected world where data can be accessed from multiple devices and locations, determining control over sensitive information can be challenging. By considering control as a core element of security, the Parkerian Hexad helps organisations better manage and monitor access to data, reducing the risk of unauthorised access or theft.

Emphasis on Data

Sitting between Confidentiality and Integrity, the principle of ‘Possession or Control’ shines a light on the significance of owning and effectively controlling data. In an era of cloud computing and distributed systems, mere possession isn’t enough; having decisive control over where data resides and who can access it becomes paramount. Without this, data is at risk of being compromised or manipulated. By including this principle in the Hexad, organisations can ensure that their data remains secure and protected against unauthorised access.

Ensuring Data Authenticity

Linking Integrity and Availability, ‘Authenticity’ accentuates the importance of verifying the genuineness of data. As cyber-attacks become more sophisticated, it’s no longer just about protecting data but ensuring it hasn’t been tampered with. This principle underlines the necessity for robust authentication mechanisms and validation processes.
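The gap between an integrity check and an authenticity check can be shown in a few lines. The following is an added example, not part of the original article: it compares a plain SHA-256 checksum with a keyed HMAC tag, using a constructed record and a constructed demo key, and the function names are hypothetical.

```python
import hashlib
import hmac

# Constructed sample values for this example (assumptions, not from the article).
SIGNING_KEY = b"constructed-demo-key-not-for-production"
ORIGINAL = b"pay=100.00;to=ACME-LTD"
SUBSTITUTED = b"pay=100.00;to=OTHER-LTD"


def checksum(record: bytes) -> str:
    """Integrity only: anyone holding the record can compute this digest."""
    return hashlib.sha256(record).hexdigest()


def origin_tag(record: bytes, key: bytes) -> str:
    """Integrity plus origin: only a holder of the key can compute this tag."""
    return hmac.new(key, record, hashlib.sha256).hexdigest()


def verify_checksum(record: bytes, digest: str) -> bool:
    return hmac.compare_digest(checksum(record), digest)


def verify_origin(record: bytes, tag: str, key: bytes) -> bool:
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(origin_tag(record, key), tag)


def demo() -> dict:
    genuine_tag = origin_tag(ORIGINAL, SIGNING_KEY)
    # A party without the key swaps the record and recomputes the checksum.
    swapped_digest = checksum(SUBSTITUTED)
    return {
        # The swapped record is internally consistent, so the checksum passes.
        "swap_passes_checksum": verify_checksum(SUBSTITUTED, swapped_digest),
        # Without the key, no valid tag can be produced for the swapped record.
        "swap_passes_origin_check": verify_origin(
            SUBSTITUTED, swapped_digest, SIGNING_KEY),
        "original_passes_origin_check": verify_origin(
            ORIGINAL, genuine_tag, SIGNING_KEY),
        # Reusing the genuine tag on the swapped record also fails.
        "swap_with_old_tag": verify_origin(
            SUBSTITUTED, genuine_tag, SIGNING_KEY),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

A checksum published alongside the data only shows that the two match each other; the keyed tag additionally ties the record to whoever holds the key, which is the property the Hexad calls Authenticity.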

Acknowledging Data Relevance

Finally, connecting Availability and Confidentiality, the principle of ‘Utility’ recognises that data must be useful and relevant to its intended purpose. It’s not enough for data to be available; it must be in a usable format, free from encryption or other barriers that may render it useless.

Adaptable to Modern Challenges

The Parkerian Hexad provides a versatile framework that is adaptable to the unique challenges presented by contemporary technologies. Be it IoT, blockchain, or AI, the Hexad’s comprehensive nature ensures that evolving security concerns are always within its view. With the increasing amount of data being generated and shared globally, having a robust security framework that can accommodate these challenges is vital.

The Parkerian Hexad offers a more comprehensive and adaptable approach to information security, making it a valuable tool for organisations in today’s rapidly evolving digital landscape. By acknowledging the complexities and nuances of modern technology and incorporating principles such as Possession or Control, Authenticity, and Utility, the Hexad provides a strong foundation for organisations to build their security strategies upon. As we continue to rely more and more on technology in our daily lives, the Parkerian Hexad will play a crucial role in ensuring the protection and integrity of our data. So, it’s safe to say that the Hexad is not just an improvement over the CIA Triad, but a necessary evolution in our approach to information security. So, rather than relying solely on the traditional CIA Triad for protection, organisations must now adopt the Hexad as their guiding principle for securing their data and systems. And with its emphasis on control, data relevance, and authenticity, the Parkerian Hexad will continue to be relevant in the ever-changing landscape of information security. After all, in today’s digital world, it’s not a question of if a cyberattack will happen, but when. And with the Parkerian Hexad as our foundation, we can be better prepared to defend against these inevitable threats.

Promotion of Proactive Thinking

By expanding upon the original triad, the Hexad encourages security professionals to think proactively to anticipate threats before they manifest. This forward-thinking approach is indispensable in today’s fast-paced digital environment, where threats evolve at a breakneck pace. Incorporating principles such as Possession or Control and Authenticity into security strategies can help organisations stay ahead of the game by taking a more proactive stance towards securing their data.


While it isn’t yet time to put it to rest, the CIA Triad laid a solid foundation for information security principles and remains the core today. However, the Parkerian Hexad elevates this framework to new heights, ensuring that modern enterprises are better equipped to face the ever-evolving cyber challenges of our times. In today’s interconnected world, where data is the lifeblood of organisations, understanding and implementing the Hexad’s principles is essential for maintaining a strong security posture. So, while the CIA Triad was undoubtedly a great start, it’s time for organisations to embrace the Parkerian Hexad as their guiding principle for securing their valuable information assets. Only then can we truly achieve a robust and comprehensive approach to information security. As technology continues to advance at an exponential rate, it is imperative that we adapt our security strategies accordingly, and the Parkerian Hexad provides us with the perfect framework to do just that.








The New Zealand Privacy Act takes centre stage in 2023


The New Zealand Privacy Act of 2020 is a key piece of legislation that all businesses have a responsibility to take seriously in order to better protect customer and business information from data theft or misuse.

The increased frequency of highly publicised data breaches over the past 12 months has brought the importance of the Act into sharper focus for 2023 and solidified cybersecurity as a necessary consideration for all businesses, big and small.

Under the Act, several key principles must be abided by when collecting and using personal information. These include:

1. Ensuring appropriate security safeguards are taken

2. Only using personal information for its intended purpose

3. Informing individuals about how their personal information will be handled

4. Being open and transparent with customers about how their information is collected and used.

The New Zealand Privacy Commissioner is committed to helping businesses and individuals understand their rights and responsibilities under the Act and providing them with all the necessary information to do so. To help organisations comply with these laws, they have created a suite of supporting resources, such as training materials and guidance documents, that offer help at both the management and employee levels. Through this support, businesses can better protect themselves from data breaches and other threats to their customer information.

The importance of the legislation and its impact on incidents were evident in two recent cases, the Mercury IT and Archives NZ breaches. In both instances a hacker was able to gain confidential customer data and then proceed to use it for fraudulent activity – all due to the organisations’ inadequate security measures. These two examples (of which there are many more) should serve as a warning to all.

This year promises to be a difficult one for businesses, but with the right steps taken, it is possible for those operating in New Zealand to comply with the New Zealand Privacy Act of 2020 – ultimately meaning better protection of customer data and less risk of data loss or misuse.

Here’s what you can do:

Create a Privacy Policy

To protect your business, creating a comprehensive and up-to-date privacy policy is essential.

Many businesses may be unsure how to do this, so here are some tips:

  1. Understand Your Obligations – Take the time to read through the New Zealand Privacy Act of 2020 in detail and make sure you understand what it requires you to do. Check the supporting material on their website to help explain any grey areas or questions.
  2. Establish a Process – You should set up an internal process for handling customer information and data, with clear rules about who has access and how it is used. This process should be regularly reviewed to ensure that it remains compliant with the Act.
  3. Regularly Audit Your System – It’s important to review your systems regularly to identify any vulnerabilities that could lead to a breach of privacy or data loss. Check for things such as a lack of encryption, weak passwords, or outdated security software that could put customer data at risk.
  4. Update Your Policy – Whenever there are changes to the New Zealand Privacy Act of 2020, or if you make changes to your own internal processes, you should update your privacy policy as soon as possible. This will ensure that customers are kept up-to-date on how their data is being used and protected.

Employee Training

Time and again we see that employees are the weakest link in the cybersecurity chain.

Upskilling your staff on how to be cyber-safe is imperative in order to protect your business.

Start this process by:

  1. Setting Clear Guidelines – Make sure your employees receive training on their obligations under the Privacy Act and are aware of their roles in protecting customer data. Ensure that any guidelines you set out are clear and easy to understand so everyone knows what’s expected of them. The New Zealand Privacy Commissioner has a short training program of 30 minutes or less on their website that offers a digital certificate that businesses can save as proof to the Commissioner of compliance should there be a breach.
  2. Providing Resources – Ensure that employees have the resources they need to stay up-to-date on changes in data protection laws around the world and other relevant regulations. This can include access to specific training materials such as videos or e-learning programs, as well as providing in-person seminars with experts. Ensure your staff are also aware of the Australian Privacy Act or the GDPR if you work with or store data overseas.

The Australian Privacy Act

Changes to the Australian Privacy Act, which took place late last year, have a dual impact on New Zealand.

First, New Zealand businesses doing business in Australia will fall under the country’s penalties for data breaches. As such, Bell Gully advises that “New Zealand business entities doing business in Australia should take note of the coming changes.”

Secondly, the New Zealand legislation for data sovereignty will undergo similar changes to strengthen our responsibilities. If a New Zealand business is providing services to an Australian customer, they will have to abide by the same regulations as if they were in Australia. It is important that businesses understand these changes and take appropriate measures to ensure compliance.

As part of the new changes, there is also a requirement for organisations only to store personal information in Australia unless it is absolutely necessary to store it overseas. This ensures that the country’s data sovereignty remains in place and that user information is kept safe and secure. The Australian Privacy Act has also strengthened its enforcement powers, allowing for greater financial penalties for organisations in breach of the Act. It is important that businesses understand their obligations and ensure they are compliant with the new rules. The Privacy Act also includes provisions for individuals to complain about privacy breaches and for organisations to be held accountable for any such breaches. This strongly incentivises companies to reinforce their data security policies and practices.

Overall, these changes represent an important shift in how we protect the privacy of Australians and New Zealanders alike. The changes to the Australian Privacy Act are a positive step forward in ensuring our data remains secure and protected. It is essential that businesses understand their responsibilities under this new legislation and take the necessary steps to ensure compliance. This will protect customers’ personal information and give organisations peace of mind.

In addition, businesses must also remain aware of the changing landscape of privacy regulations in other countries they may be doing business with or providing services to. This includes understanding European GDPR legislation, which provides even stricter data sovereignty and user privacy rules.


In conclusion, businesses need to be vigilant in protecting their customers’ data.

The laws for data protection are constantly changing, so business owners must stay up-to-date on the most recent changes and take steps to ensure that their employees receive training and have access to resources on data privacy regulations. Taking these measures will help protect customer information and keep businesses compliant.

If you need assistance navigating this legislation, or cybersecurity policies in general, contact us today.