Final Exam
POSITION PAPER: Is the “Parkerian Hexad” superior to the “CIA Triad” in describing the elements necessary for information systems security?
SUBMITTED BY NAME OF STUDENT
CLASS NUMBER : NAME OF CLASS
SEMESTER AND YEAR
Is the “Parkerian Hexad” superior to the “CIA Triad” in describing the elements necessary for information systems security? Yes, the Parkerian Hexad is superior to the CIA Triad.
Research has shown that, due to the increase in sensitive information and in government regulation of this data, companies over the last 12 months have become more concerned with the custody of sensitive information (Brook, 2011). As cited in the functional security model, “the question of general IT controls and information security controls designed to safeguard sensitive data has come to the forefront” (Guillén and Quintero, 2007). Both the CIA Triad and the Parkerian Hexad offer security frameworks that assist organizations in minimizing their risk. The CIA Triad and the Parkerian Hexad each address the fundamental areas of confidentiality, “a requirement that private or confidential information not be disclosed to unauthorized individuals,” integrity, “a requirement that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system,” and availability, “a requirement intended to ensure that systems work promptly and service is not denied to authorized users” (Dougherty and Walsh, 2011, 10). These components help entities to understand and develop security models that may be incorporated into their everyday business environment. However, the CIA Triad falls short in addressing three more specific areas that also threaten the security of an organization’s essential data. The U.S. Government has stated that confidentiality, integrity, and availability (CIA) were not enough security states of information (Sloane, 2010). The areas in which the CIA Triad is lacking are possession, authenticity, and utility. At first glance these components may seem redundant to the attributes already included in the CIA Triad, but upon further review it is evident that they address different risks that are not otherwise confronted.
Possession in the Parkerian Hexad is “referred to as the disposition of the media upon which the data is stored” (Andress, 2011, 7). Possession addresses concepts similar to those of confidentiality, integrity, and availability, but it confronts other areas not considered by these three attributes. For instance, information can be stolen or lost without the confidentiality aspect being breached. This situation would come into play if an unauthorized person gained access to information but did not view it. An unauthorized person who acquires confidential information that has no value to him, and as a result does not review the data, has not violated any CIA Triad component, unless he sells it to a third party that actually plans to use the information. Another case would be an individual who gains physical possession of information, or of a device that stores the data, in an encrypted format. The perpetrator may not be able to decrypt the information, or he may not even know that the device contains sensitive information. Lastly, even information that is not confidential may be compromised. The possession of public information that is owned or created by another party may still need to be protected to prevent unauthorized uses of that information. This information may still need to be safeguarded against plagiarism and false attribution. For example, valuable public information such as websites is protected by proprietary rights through the application of trade secret, copyright, and trademark laws, and requires the utilization of security controls and practices to ensure exclusive or desired possession. What happens after an entity loses possession of its information might fall under one of the three basic attributes of the CIA Triad, but this is not always true.
Therefore it is necessary for organizations to establish controls focusing on possession when creating an effective security framework, because these are all problems that can impact an entity’s ability to achieve its overall objectives. While possession is clearly an important factor that the CIA Triad is missing, it is not the only component missing (Parker, 2010).
Finally, the CIA Triad is also missing the aspect of utility. Utility relates to the usefulness of data for a particular purpose. The utility of information is partially confronted in the CIA Triad through the inclusion of availability. It is common sense that in order for information to be useful, or to provide utility, it must be available. However, just because information is available does not necessarily mean that it is useful. For instance, an organization may have access to information that is encrypted but be unable to decrypt it. Another example would be a situation in which salary information in the organization’s possession is converted to a currency that is poorly understood. In both cases the data is available, but not usable. Therefore it is important, when entities are addressing their risks, that they institute controls that not only assist in maintaining availability but also aid in providing utility (Parker, 2010).
While it is obvious that the components of the CIA Triad are fundamental and irreplaceable to almost any security framework, it is also apparent that they are not complete and must be supplemented. Many organizations and government bodies have also noted this, such as the International Organization for Standardization (ISO) in its issuance of ISO/IEC 7498-2: Information Technology—Open Systems Interconnection—Basic Reference Model—Part 2: Security Architecture, which includes aspects similar to those missing from the CIA Triad but contained in the Parkerian Hexad (Beautement and Pym, 2010). Without the three components of possession, authenticity, and utility, a model security framework is incomplete and fails to address issues surrounding the physical theft of information or misuse of non-confidential information, incorrect attribution of information, and data available in forms that are not usable. Through the inclusion of these three attributes along with the three core factors of the CIA Triad (integrity, confidentiality, and availability), the Parkerian Hexad establishes a more complete security framework that better aids companies in reducing their information risk and helps them to better accomplish their goals. Therefore it can be concluded that the Parkerian Hexad is superior to the CIA Triad.
References
1. Andress, J. The Basics of Information Security: Understanding the Fundamentals of InfoSec in Theory and Practice. Waltham, MA: Syngress/Elsevier, 2011.
Jason Andress has a Ph.D. in computer science with a focus on data protection. He has taught both undergraduate and graduate classes since 2005. Currently he performs security oversight duties.
2. Beautement, A. and D. Pym. "Structured Systems Economics for Security Management." Econinfosec.org. 2010. Accessed September 29, 2011. http://weis2010.econinfosec.org/papers/session6/weis2010_beautement.pdf.
Adam Beautement and David Pym are professors in the department of computer science at University College London.
3. Brook, J. "CIA Triad « CIPP Guide." CIPP Guide. 2011. Accessed September 29, 2011. http://www.cippguide.org/2010/08/03/cia-triad/.
Jon-Michael Brook is an experienced security professional specializing in business development and security principles/technologies, with extensive technical skills in computing and networking. He possesses an MBA and several certifications applicable to IT security, such as CISSP, CCNP, and GCIA.
4. Dougherty, M. and T. Walsh. "The 10 Security Domains (Updated)." AHIMA Body of Knowledge. July 2011. Accessed September 29, 2011. http://library.ahima.org/xpedio/groups/public/documents/ahima/bok1_049173.hcsp?dDocName=bok1_049173.
Tom Walsh and Michelle Dougherty are part of the American Health Information Management Association (AHIMA) professional practice team. Tom and Michelle both hold applicable security certifications such as the CISSP.
5. Guillén, E. and R. Quintero. "Functional Security: A Way to Link Technological Affairs with Companies Management." In Proceedings of the World Congress on Engineering and Computer Science, San Francisco. October 24, 2007. Accessed September 29, 2011. http://www.iaeng.org/publication/WCECS2007/WCECS2007_pp368-373.pdf.
Edward Guillen and Rulfo Quintero are professors in information technology at the Universidad Distrital "Francisco José de Caldas", Bogotá, D.C., Colombia.
6. Parker, D. "Our Excessively Simplistic Security Model and How to Fix It." ISSA Journal, July 2010, 16-17. Accessed September 29, 1989. http://www.issa.org/images/upload/files/Parker-Simplistic%20Information%20Security%20Model.pdf.
Donn Parker holds bachelor’s and master’s degrees from the University of California at Berkeley. He has more than 50 years of experience in the computer field in computer programming, computer systems management, consulting, teaching, and research, including 30 years at SRI International pioneering and working in information and computer security.
7. Sloane, E. "Medical Device Security: Effects of HIPAA, ARRA, and FDA." Speech, NIST-OCR HIPAA Conference, Washington, D.C., May 11, 2010. Accessed September 29, 2011. http://csrc.nist.gov/news_events/HIPAA-May2010_workshop/presentations/1-4-health-devices-sloane-drexel.pdf.
Elliot Sloane has a Ph.D. from Drexel University, College of Information Science and Technology. She is currently the CEO of the Center for Healthcare Information Research and Policy.