Weekly CISSP Practice

Week 48 - Question 1

Question: What does the 'C' stand for in the CIA Triad?

  • A. Certification
  • B. Ciphertext
  • C. Confidentiality
  • D. Complexity

Correct Answer: C. Confidentiality
Understanding the CIA Triad

The CIA Triad is the most fundamental model in cybersecurity. Every security control, policy, and tool is designed to support one or more of these three pillars. For the CISSP exam, you must understand not just what they mean, but which controls protect them and which attacks threaten them.

1. Confidentiality (The 'C')

Confidentiality ensures that data is only accessible to those with the proper authorization. It is the protection of "secrecy."

  • Primary Goal: Prevent unauthorized disclosure.
  • Key Controls: Encryption (Symmetric/Asymmetric), Access Control Lists (ACLs), Steganography, and Physical Locks.
  • Common Threats: Shoulder surfing, social engineering, packet sniffing, and unauthorized access to databases.

2. Integrity (The 'I')

Integrity ensures that information is accurate, complete, and has not been modified by unauthorized parties (or by accident).

  • Primary Goal: Prevent unauthorized modification.
  • Key Controls: Hashing (SHA-256), Digital Signatures, Message Authentication Codes (MACs), and Write-Once-Read-Many (WORM) media.
  • Common Threats: Man-in-the-Middle (MitM) attacks, file corruption, and unauthorized data entry.

3. Availability (The 'A')

Availability ensures that systems, networks, and data are up and running whenever authorized users need them.

  • Primary Goal: Prevent unauthorized withholding of information or resources.
  • Key Controls: Redundancy (RAID, Clusters), Backups, Uninterruptible Power Supplies (UPS), and DDoS Protection.
  • Common Threats: Denial of Service (DoS) attacks, hardware failure, environmental disasters (fire/flood), and ransomware.

Why the Other Options are Incorrect

  • Option A: Certification: This is a technical evaluation of a system's security (often paired with "Accreditation"). While important for compliance, it is a process, not a foundational security principle.
  • Option B: Ciphertext: This is the encrypted output of a plaintext message. It is a method used to achieve confidentiality, but it is not a pillar of the triad itself.
  • Option D: Complexity: This usually refers to password requirements or system design. While it can enhance security, it is not a core element of the CIA model.

The "Opposites" of the Triad (DAD)

A common advanced concept on the CISSP is the DAD Triad, which represents the failure of the CIA Triad:

  • Disclosure (Opposite of Confidentiality)
  • Alteration (Opposite of Integrity)
  • Destruction/Down-time (Opposite of Availability)

The "CISSP Rule of Thumb"

When faced with a scenario question, identify the primary impact:

  • If data was leaked, it’s a Confidentiality issue.
  • If data was changed or corrupted, it’s an Integrity issue.
  • If the server is down or blocked, it’s an Availability issue.

Podcasts

Check out my weekly podcasts that delve deep into the relevant topics related to each of the CISSP domains. In addition, I will go over specific questions and how they can be interpreted and answered.


CISSP Cyber Training Academy

Tired of not knowing how to study for the CISSP Exam? 

Check out the CISSP Cyber Training Academy to help you on your journey!


CISSP Cyber Training - YouTube

Check out my video collection on YouTube discussing all the details needed to help you pass the CISSP exam.
