Information Technology Governance

Local Government Management Guide

IT Security Fundamentals


Prior to examining your local government’s or school’s IT internal controls, it is important to understand two concepts that are fundamental to how IT professionals approach data, network and system security: the CIA triad and defense-in-depth. These concepts highlight the importance of looking at internal controls both individually and collectively and will help you place the internal controls in context.

CIA Triad

The CIA triad refers to an information security model composed of three main components: confidentiality, integrity and availability. Each component represents a fundamental objective of information security. The CIA triad is a well-known model in information security practice. It is applied in various situations to identify problems or weaknesses and to establish security solutions. The model is an industry standard with which most IT professionals should be familiar.

  • Confidentiality is closely linked with privacy and relates to preventing or minimizing unauthorized access to and disclosure of data and information. To ensure confidentiality, information must be organized in terms of who ought to have access to it as well as its sensitivity.
  • Integrity is focused on ensuring that data is not tampered with during or after submission. Having accurate and complete data is essential for good decision-making. What good is the information if it cannot be trusted?
  • Availability means that the information is available when it is needed. Data that cannot be accessed will prove to be of little value. The most available systems are accessible at all times and have safeguards against software or system errors, hardware failures, power outages, natural disasters and attempts by individuals with malicious intent to cause disruption.

Defense-in-Depth

Defense-in-depth refers to the implementation of multiple layers of security to protect data, networks and IT systems. Building successive layers of defense mechanisms can reduce the risk of a successful attack by someone with malicious intent and is considered a best practice by IT security professionals. A combination of controls helps ensure that your system does not become overly dependent on any one control or layer of security, and it provides added protection in case a layer of security fails to function properly or does not prevent or stop a threat to your data or system. No single control can adequately protect against IT security threats. Only a combination of multiple preventive, detective and responsive internal controls will help keep your data and systems safe.


The Information Technology Governance LGMG can be downloaded at https://www.osc.ny.gov/files/local-government/publications/pdf/information-technology-governance.pdf