The AIC Myth

Author: Sunil Bakshi, CISA, CRISC, CISM, CGEIT, CDPSE, AMIIB, MCA
Date Published: 20 July 2020

When I joined a banking and finance company as chief information security officer (CISO), I was focused on using the availability, integrity and confidentiality (AIC) triad to secure information. It had been almost 20 years since I started working in the information security field that would later become known as cybersecurity. Since its inception, we have been told that information security is all about the AIC triad: the availability, integrity and confidentiality of information.

In my new role as CISO, after reviewing the controls already in place to secure information, I realized that one network segment serving a critical business function, the one to which most stakeholders were connected, was not protected by a firewall. In fact, there was no firewall anywhere in the segment. Surprised, I proposed that a firewall be implemented on this segment, but the suggestion was promptly dismissed by the business owners. “A firewall? That will introduce latency in communication, and we may not be able to meet promised service levels,” they responded. I could not argue with the business requirements; ultimately, security cannot be pursued at any cost. After considering the requirements, I looked for compensating controls, because securing the information was still my responsibility. There was a compensating control built into the design of the network segment: the entire segment was isolated from the other network segments, and all traffic other than the authorized stakeholders’ communication was excluded. Needless to say, the company had invested much more in securing this network segment than a firewall would have cost.

This shattered my strong belief that security is nothing but AIC. Here I was facing a situation where I needed to consider the efficiency and effectiveness of technology and systems to meet the business’s requirements.

When an organization considers the implementation of information technology, it focuses on the attributes of information identified by COBIT®: efficiency, effectiveness, reliability, compliance, confidentiality, availability and integrity. These attributes are captured in requirements, both functional and technical. The information security manager needs to consider the organization’s goals, objectives and requirements while designing security procedures. Since an organization’s requirements primarily focus on business and services, the organization needs to consider all seven attributes for information technology. The information security manager must likewise consider all of these attributes, not just AIC.

While developing a security program, the security manager should understand the organization’s objectives and goals related to the following attributes:

  • Efficiency—Controls have a tendency to introduce latency and reduce efficiency.
  • Effectiveness—Timely communication and processing of accurate information should not be impeded by security controls.
  • Reliability—Users of information must be able to rely on the information received from systems.
  • Compliance—Security managers need to consider the business’s compliance requirements.
  • Confidentiality—Information must be accessible only to those authorized to see it; this is the traditional basis for security.
  • Availability—Information should be available to authorized users when required.
  • Integrity—Information captured, stored, processed and disseminated must be complete and accurate.

In other words, it is important not to focus only on AIC, but to consider all attributes of information while developing a security program.

Sunil Bakshi, CISA, CRISC, CISM, CGEIT, ABCI, AMIIB, BS 25999 LI, CEH, CISSP, ISO 27001 LA, MCA, PMP, is a consultant and trainer in IT governance and information security.