Election Security Spotlight – CIA Triad

What it is

The CIA Triad is a benchmark model in information security designed to govern and evaluate how an organization handles data when it is stored, transmitted, or processed. Each attribute of the triad represents a critical component of information security: 

  1. Confidentiality – Data should not be accessed or read without authorization. It ensures that only authorized parties have access. Attacks against Confidentiality are disclosure attacks.
  2. Integrity – Data should not be modified or compromised in anyway. It assumes that data remains in its intended state and can only be edited by authorized parties. Attacks against Integrity are alteration attacks.
  3. Availability – Data should be accessible upon legitimate request. It ensures that authorized parties have unimpeded access to data when required. Attacks against Availability are destruction attacks.

Why does it matter

Every cyber attack attempts to violate at least one of the CIA triad attributes. Having a thorough understanding of this information security model helps election offices better identify risks and protect their networks from unauthorized activity through appropriate cybersecurity policies and mitigation measures. Additionally, this model assists with coordinating incident response by establishing common ground for administrative and technical staff to communicate an incident’s scope. It also fosters more detailed communication with the public, increasing transparency on sensitive issues.

What you can do

Evaluate your organization and identify all data you store in the context of the CIA triad to ensure that existing cybersecurity policies and protections address the appropriate risks. The CIS ControlsTM and Handbook for Elections Infrastructure Security are key tools for identifying and implementing appropriate policies. Examples of policy recommendations from these tools which address each attribute include:

Confidentiality

  • CIS Control 14 – Controlled Access Based on the Need to Know
  • Elections Best Practice 12 – Ensure critical data is encrypted and digitally signed

Integrity:

  • CIS Control 13 – Data Protection
  • Elections Best Practice 45 – Maintain a chain of custody for all core devices

Availability:

  • CIS Control 10 – Data Recovery Capability
  • Elections Best Practice 31 – Conduct load and stress tests for any transactional related systems to ensure the ability of the system to mitigate potential DDoS type attacks

The EI-ISAC Cybersecurity Spotlight is a practical explanation of a common cybersecurity concept, event, or practice and its application to Elections Infrastructure security. It is intended to provide EI-ISAC members with a working understanding of common technical topics in the cybersecurity industry. If you would like to request a specific term or practice that may be of interest to the elections community, please contact [email protected].