Skip to content
Skip to main content

About this free course

Download this course

Share this free course

Information security
Information security

Start this free course now. Just create an account and sign in. Enrol and complete the course for a free statement of participation or digital badge if available.

2 Information security

It’s safe to say that Coca-Cola would never share its secret recipe with anyone other than the chosen few. Facebook, too, are unlikely to share the information they have on their users with those that would advertise. Keeping that information secret keeps the value that it has inside their companies. Some information needs to be kept confidential.

Of course, if confidentiality was paramount, we could simply lock the recipe up in a safe and throw away the key. Even more drastic, we could just burn every last copy of it. But that would mean that Coca-Cola’s shareholders would lose interest in investing as the source of its ability to make money would have disappeared. So information has to be available when needed.

Moreover, when it is needed, it must be correct otherwise, when you come to use it, you won’t end up with Coca-Cola. The information contained in it needs integrity – in the sense that it should be whole and undivided, i.e. correct.

There is sometimes a difficult balance to be made between the Confidentiality, Integrity and Availability – the CIA triad – of information. Information security is the art and science of getting that balance right.

Activity 4: CIA for your organisation’s information

Choose a piece of information whose value is critical for your organisation.

  • a.To which of the three security requirements is it subject? Why?
  • b.Thinking about each of confidentiality, integrity and availability in turn, how would you balance the CIA triad for it?


We chose Open University assessment material, which contains information to the mission of The Open University in allowing us to validate a student’s study. Thus, it is critical to get the CIA triad correct.

  • a.Open University assessment material is subject to the following requirements:
    • They’re highly confidential. In the case of an examination paper, if it was disclosed to students before the exam date, it would lose its value.
    • They need to have integrity. Assessment with errors would cause problems for both students, who might be confused, and The Open University, as they would interfere with the marking of a student’s work.
    • They have to be available – in the right place at the right time. If, for instance, a course exam paper wasn’t available at an examination centre on the day of the exam it would again have no value.
  • b.Let’s think about an exam paper
    • Confidentiality. The information in the exam paper needs to be kept confidential as it is (i) authored and checked and (ii) distributed to the exam centre. First, I need to know who can be trusted and who can’t. I’m going to assume that people who get paid by The Open University – for instance academics, external examiners etc. – can be trusted, but others can’t.

      The process of authoring and checking the exam paper could take many months, and in that time it might need to be shared by many people, both inside and outside of the University. I know that email isn’t really confidential, so I’m going to stop the exam paper being attached to an email, unless it is password protected. Internal post isn’t secure, so I’ll ask that people walk to collect the exam paper whenever necessary. However, there are now paid for secure services that I might also look into.

      To keep it confidential while they’re on their way to the exam centre, the exam paper will be in a tamper-proof box, so that the courier – who won’t work for The Open University – doesn’t need to be trusted.

    • Integrity. I’m going to ensure that there are lots of different sets of eyes on the exam paper so that errors will be spotted. I’m going to give responsibility for catching those errors both to the author and to the external examiner both of whom will have to formally sign off on the exam paper, confirming it’s error-free. That should get us most of the way. If all that fails and on the day someone spots an error on the paper, I’ll make sure there’s an academic no more than a telephone call away to check and quickly release a fix, if the error is confirmed.
    • Availability. I know where the exam paper needs to be and on which day, so I’m going to book a courier service to pick the exam paper up from The Open University the day before, making sure it gets to its correct destination. The courier will deliver the paper to a named person who works in the examination centre at the other end. They will have responsibility to deliver it to where the examination is taking place.

Given that you chose different information assets, your analysis will be different. However, perhaps you asked the same questions: who could you trust? What services can be used? Who does what? If not, have another go and try to answer those questions too.