Cyber Risk Highlights The Importance Of The CIA Security Triad

Posted by Philip Bindley

Cyber security is hitting the headlines again following what’s being cited as the largest breach of government employee data in recent years. Officials at the Office of Personnel Management (OPM) in the US have confirmed that the breach, discovered in April using new tools, may have compromised the personal data of about 4 million current and former federal employees.


The intruders in the OPM case are believed to be an agency in China that gained access to information including employees’ Social Security numbers, job assignments, performance ratings and training information. This breach comes hot on the heels of reports that Russia compromised White House and State Department email systems.

Certainly, incidents of state-sponsored hacking of Western networks are on the rise, and it’s not just government systems being targeted: corporate systems are also being probed in search of sensitive data and valuable commercial Intellectual Property (IP). One private security firm claims to have linked the OPM intrusion to the same group that hacked the health insurance giant Anthem.

As we’ve warned before, the cold war might be over, but the need for cyber security has never been greater. At The Bunker, we recognise how important it is for businesses to protect the Confidentiality, Integrity and Availability of their information and assets. Known in information security circles as the ‘CIA Triad’, these three properties define what a robust set of security controls must preserve: that information is disclosed only to those authorised to see it, that it is not altered or destroyed without authorisation, and that it remains accessible when needed. The people, process and technology an organisation puts in place are the means of delivering those three properties.

However, we’ve created our own interpretation of the CIA or ‘Information Security’ Triad in the form of The Bunker Protocol™: our all-encompassing methodology that secures against risk and ensures the most secure IT delivery in the UK. It incorporates Physical, Human and Digital security capability and processes and wraps them with a governance and standards layer that ensures that client data and systems are continually secure and compliant:

  • Physical – we take a multi-layered approach to physical security. Planned as a single entity, our counter-measures include perimeter fences, gates, lighting, CCTV and robust access control, backed by visual verification of all persons entering, escorted access, and Electromagnetic Pulse (EMP) and TEMPEST RFI intrusion protection. Our facilities are also highly available, with auto-failover and replication across our two main sites combined with redundant power ensuring 100% uptime.
  • Human – our culture starts and ends with security. The Bunker uses pre-employment screening and includes security terms and conditions in our conditions of service. We also operate a personnel security review process and a formal process for managing staff leaving the business to ensure the highest level of security from a people perspective.
  • Digital – We build and integrate systems in-house, with the highest levels of security from the source code up – Hardened Windows, Unix and Linux environments, and up to four additional levels of security, each with full encryption. We also employ a variety of sophisticated tools and techniques to ensure the protection of virtual machines (VMs) in a highly granular fashion.

With information security now used interchangeably with the phrase ‘cyber security’, there is growing consensus that conventional security controls alone are no longer adequate to address the cyber risk faced by organisations today. ‘Cyber risk’ means any risk of financial loss, disruption or damage to the reputation of an organisation from a failure of its information technology systems.

Naturally, keeping pace with the constantly evolving threat landscape can be costly and resource-intensive for organisations of all sizes. At the same time, many firms are fighting this battle on multiple fronts, with regulators demanding an increasingly complex set of robust security controls that extend a firm’s responsibility into the realms of supply chain management. Nowhere has this become more apparent than with the Payment Card Industry Data Security Standard (PCI DSS).

But contrary to perceptions, it is possible to improve your security posture and risk position by outsourcing your requirement to a trusted third party. Working with The Bunker gives our customers the confidence that their systems will be secure and available and that when due diligence is performed, their environment will be fully compliant.

Our fully owned UK data centres are secure by design because they are located within purpose built, ex-Ministry of Defence facilities that are armoured, nuclear bombproof and military-specified fortresses. We’re also ISO 27001 certified, PCI DSS certified and fully compliant with all 12 PCI DSS v3.0 requirements. What’s more, all of our processes are Security Council controlled.

Crucially, our culture may start and end with security, but we believe that security and compliance should be enablers, not barriers to business growth and innovation. This is enshrined within three key tenets that underpin our culture:

  • We believe Information Security should enable businesses to be more competitive, manage risk, protect brand and allow innovation in a controlled manner
  • We view compliance as a source of business advantage and a way of achieving operational best practice for secure IT
  • We work with like-minded businesses that recognise security as a differentiator and a business enabler

Best practice in Information Security, compliance and good governance is business as usual for The Bunker, and will always be manifest in everything we do. It can also be put to work for you. Contact us today to find out how.