Information Assurance
The CIA triad: confidentiality, integrity, availability
Picture a hospital. The patient records must be readable only by the right staff, they must be accurate so a doctor never treats someone from the wrong chart, and they must be reachable the moment an emergency arrives. Those three needs are the CIA triad[1]: confidentiality, integrity, and availability. The triad is the backbone of information assurance, the practice of keeping data and the systems that hold it trustworthy. Nearly every control in this exam exists to protect at least one of the three, so learning to spot which goal a scenario is about is one of the most useful skills for the CC exam.
Confidentiality
Confidentiality means preserving authorized restrictions on who can see information, which protects personal privacy and proprietary data from disclosure[1]. The everyday tools are access control (only the right people get in), encryption (scrambling data so an interceptor sees nothing useful), and careful handling such as not emailing a sensitive file to the wrong list. A breach of confidentiality is any time information is seen by someone who should not see it: a leaked customer database, a shoulder-surfed password, or a laptop stolen with unencrypted files.
Integrity
Integrity means guarding information against improper modification or destruction, so it stays accurate, complete, and trustworthy over its whole life (FIPS 200 / NIST[2]). The classic technical check is hashing: running data through a one-way function produces a short fingerprint, and if even one character changes, the fingerprint changes, so a mismatch reveals tampering. A breach of integrity is any unauthorized or accidental change: an attacker editing a bank balance, a corrupted file transfer, or a typo that silently alters a record.
Availability
Availability means ensuring timely and reliable access to and use of information for the people authorized to have it (NIST[3]). It is protected by backups, by redundancy (a second server ready to take over), and by enough capacity to handle the load. A breach of availability does not require any secret being exposed or any data being changed: an outage, a hardware failure, or a denial-of-service flood that buries a website under fake traffic all deny legitimate users their access.
The three goals can pull against each other. Encrypting and locking everything down strengthens confidentiality but can slow access and hurt availability; making data available everywhere can widen the ways it leaks. Security is the act of balancing the three for the value of what is being protected.
Authentication and multi-factor authentication
Authentication is the gate that checks you are who you claim to be before any access is granted, which is why it always comes before authorization: a system cannot give the right permissions to an identity it has not first confirmed (NIST[4]). It is easy to mix up the two terms, so hold the order in mind. Authentication answers "who are you?" and authorization answers "what are you allowed to do?", and authorization is meaningless until authentication has happened.
The three categories of factors
Proof of identity comes from three categories, and the CC exam expects you to recognize them by example:
- Something you know: a password, a PIN, or the answer to a security question. Knowledge can be guessed, phished, or shared.
- Something you have: a phone that receives a code, a hardware token, or a smart card. Possession can be lost or stolen.
- Something you are: a biometric such as a fingerprint, face, or iris. Inherence is hard to fake but cannot be reset if it leaks.
Multi-factor authentication
Multi-factor authentication (MFA) requires factors from two or more different categories, so the defining rule is that the factors must come from different categories, not just be two separate steps. A password plus a one-time code on your phone is MFA, because it combines something you know with something you have. A password plus a security question is not MFA, because both are something you know, so a single phishing attack can capture both. MFA matters because most attacks start with a stolen or guessed password, and a second factor from another category means that one stolen secret is no longer enough to get in.
Non-repudiation, accountability, and privacy
Beyond the CIA triad, the CC outline names authentication (covered above), non-repudiation, and privacy as additional information assurance goals. This section covers the last two, plus accountability, the supporting concept that non-repudiation rests on. They build on the triad rather than replace it.
Non-repudiation
Non-repudiation is assurance that someone cannot later deny an action they took: the sender of a message is given proof of delivery, and the recipient is given proof of the sender's identity, so neither can credibly claim it did not happen (NIST[5]). The classic example is a digital signature. Because only the signer holds the private key used to sign, a valid signature ties the document to that one person, providing origin authenticity, integrity, and non-repudiation at once (FIPS 186-5[6]). This is worth contrasting with a shared secret: a message authentication code[7] proves integrity and authenticity, but because both parties share the same key, either one could have produced it, so a MAC gives no non-repudiation.
Accountability
Accountability is the goal of tracing every action uniquely back to the individual who performed it (NIST[8]). It depends on authentication (to know who acted) and on logging (to record what they did), and it is the foundation non-repudiation rests on. This is the concrete reason shared accounts are discouraged: if five people log in as "admin," the logs can prove the action happened but not who is responsible, so accountability is lost no matter how strong the password is.
Privacy
Privacy is the right of individuals to control how their personal information is collected, used, shared, and retained, and it is increasingly enforced by laws and regulations (NIST[9]). Privacy is often confused with confidentiality, but they are not the same: confidentiality is the control that keeps data secret, while privacy is the individual's right to decide what is done with data about them. You can store a person's data with perfect confidentiality and still violate their privacy by using it for a purpose they never agreed to, which is why privacy is treated as its own goal.
Exam pattern: name the goal in the scenario
Most Information Assurance questions describe a situation and ask which security goal is at stake, or which goal a control protects. The fastest path to the right answer is to read for the verb in the scenario and match it to a goal, because each goal maps to a distinct kind of harm.
How to read the stem
- If information was seen by the wrong person (leaked, exposed, intercepted, overheard), the goal is confidentiality.
- If information was changed (altered, tampered, corrupted, modified), the goal is integrity.
- If a system or data became unreachable (down, outage, denial of service, deleted with no backup), the goal is availability.
- If the task is to confirm an identity before access, the goal is authentication, and "strengthen the login against stolen passwords" points to MFA.
- If the task is to prove who did something so they cannot deny it, the goal is non-repudiation, typically a digital signature.
Common traps
The most common trap is choosing confidentiality for a tampering scenario. If records were altered rather than viewed, the answer is integrity, even though an attacker may have needed access to make the change. A second trap is treating any two-step login as MFA: check that the two factors come from different categories first. A third trap is picking confidentiality when the scenario is really about consent or misuse of personal data, which is privacy. When a question lists several goals as options, decide what kind of harm occurred (exposure, change, or downtime) and let that pick the goal.
The core security goals of information assurance
| Goal | Plain-language meaning | What it protects against | Typical control |
|---|---|---|---|
| Confidentiality | Only authorized people can see the information | Disclosure, eavesdropping, theft of data | Access control, encryption |
| Integrity | Information stays accurate and unaltered | Unauthorized or accidental changes | Hashing, change control |
| Availability | Information and systems are usable when needed | Outages, denial of service, data loss | Backups, redundancy |
| Authentication | The identity is confirmed before access | Impersonation, stolen passwords | Passwords plus MFA |
| Non-repudiation | The actor cannot deny the action | Forgery, false denial of sending | Digital signatures |
| Privacy | Individuals control their personal data | Misuse of personal information | Consent, data-handling policy |
Decision tree
Sharp facts the exam loves — give these one last read before exam day.
Cheat sheet
Sharp facts the exam loves — scan these before test day.
- The CIA triad is confidentiality, integrity, and availability
The CIA triad names the three core goals of information assurance: confidentiality (only authorized people can see the data), integrity (the data stays accurate and unaltered), and availability (the data and systems are usable when authorized people need them). Almost every control you study protects at least one of the three, so a fast first step on any scenario is to decide which of the three is at stake.
4 questions test this
- When determining the value of an information asset using the CIA triad approach, what THREE attributes are summed together?
- Which of the following best describes the CIA triad in information security?
- What is the PRIMARY purpose of the CIA triad in information security?
- When assessing the security requirements of an information asset, which three attributes form the CIA triad?
- Confidentiality is about who can see the data, protected by access control and encryption
Confidentiality preserves authorized restrictions on access and disclosure, so only the right people can read the information. It is protected mainly by access control, encryption, and careful data handling. A confidentiality breach is any exposure to the wrong person, such as a leaked database, a shoulder-surfed password, or a stolen unencrypted laptop.
11 questions test this
- Which security control is MOST appropriate for protecting sensitive data stored on a laptop hard drive?
- What is the PRIMARY purpose of encryption in information security?
- Which of the following scenarios represents a threat specifically targeting confidentiality?
- Which security principle is PRIMARILY protected when data is encrypted during transmission?
- What security assurance is primarily provided when a sender encrypts a message using the recipient's public key?
- Which security control provides confidentiality protection for data stored on a laptop hard drive?
- Which element of the CIA triad is PRIMARILY supported by encrypting sensitive data files stored on a server?
- Which security principle is primarily concerned with ensuring that information is only accessible to those authorized to view it?
- Encryption is an important technical control that primarily protects which element of the CIA triad?
- What is the PRIMARY element of the CIA triad that encryption is designed to protect?
- Which security principle ensures that information is not disclosed to unauthorized individuals, processes, or devices?
- Integrity is about data staying unaltered, and hashing is the classic check
Integrity guards information against improper or accidental modification, keeping it accurate and complete. Hashing is the classic check: a one-way function produces a short fingerprint of the data, and if even one character changes, the fingerprint changes, so a mismatch reveals tampering. An integrity breach is any unauthorized or accidental change, such as an altered bank balance or a corrupted file.
Trap Picking confidentiality when records were altered rather than viewed; a change to the data is integrity, even if the attacker needed access to make it.
11 questions test this
- A company uses hash values to verify that software downloads have not been tampered with during transmission. Which CIA triad element does…
- An organization requires employees to digitally sign all outgoing contracts. What security benefits does this provide?
- Which cryptographic mechanism enables a recipient to verify both the origin of a message and that the message has not been altered?
- Which cryptographic technique is BEST suited for verifying data integrity?
- Sarah digitally signs an email to her colleague using her private key. What security services does this digital signature provide?
- Which of the following controls BEST supports the integrity element of the CIA triad?
- Sarah needs to verify that a software download has not been corrupted or tampered with during the download process. Which cryptographic…
- A ransomware attack encrypts all files on a company's server, making the data inaccessible to users. Which elements of the CIA triad are…
- An organization wants to verify that a file has not been modified during transmission. Which cryptographic technique is MOST appropriate…
- A security analyst needs to verify that a software download has not been altered during transmission. Which mechanism BEST supports the…
- A hospital discovers that patient medical records have been altered without authorization. Which element of the CIA triad has been…
- Availability is about timely access, protected by backups and redundancy
Availability ensures timely and reliable access to information and systems for the people authorized to use them. It is protected by backups, redundancy such as a standby server, and enough capacity to handle the load. An availability breach needs no secret exposed and no data changed: an outage, a hardware failure, or a denial-of-service flood that blocks legitimate users all count.
7 questions test this
- An organization implements data backups, redundant systems, and load balancing across multiple servers. Which element of the CIA triad do…
- An organization needs to ensure that its online banking portal remains operational during high traffic periods. Which element of the CIA…
- A ransomware attack encrypts all files on a company's server, making the data inaccessible to users. Which elements of the CIA triad are…
- Which of the following best describes the concept of availability in the CIA triad?
- A company's critical business application becomes inaccessible due to a distributed denial-of-service (DDoS) attack. Which element of the…
- A critical hospital system must be accessible 24/7 for patient care. Which element of the CIA triad is MOST important for this system?
- A ransomware attack encrypts all files on a company server, making them inaccessible to employees. Which element of the CIA triad is…
- Authentication confirms identity and always comes before authorization
Authentication verifies that a user, device, or process is who it claims to be, and it must happen before authorization because a system cannot grant the right permissions to an identity it has not first confirmed. Authentication answers "who are you?" while authorization answers "what are you allowed to do?", and the order is fixed: authenticate first, then authorize.
Trap Treating authorization as the step that proves identity; authorization only assigns permissions after authentication has already confirmed who the identity is.
- Authentication factors fall into three categories: know, have, are
Proof of identity comes from three categories of factors: something you know (a password or PIN), something you have (a phone, token, or smart card), and something you are (a biometric such as a fingerprint or face). The exam expects you to sort an example into the right category, because the category, not the specific item, is what determines whether a login is multi-factor.
9 questions test this
- A user logs into a banking application using a password and then receives a one-time code on their mobile phone that must be entered. What…
- An organization implements authentication that requires employees to enter a password and then provide a fingerprint scan. Which…
- A user logs into a system using a smart card and enters a PIN. Which authentication factors are being used?
- A fingerprint scan used during login is an example of which authentication factor?
- A user enters a password and then scans their fingerprint to access a secure system. What type of authentication is being used?
- Which authentication factor category does a hardware security token represent?
- Which combination represents valid authentication factors for multi-factor authentication?
- Which of the following represents the three standard categories of authentication factors?
- An organization requires employees to use a proximity card combined with a PIN to enter the data center. Which security concept does this…
- MFA requires factors from two or more different categories
Multi-factor authentication combines factors from two or more different categories, so a password plus a phone code is MFA because it mixes something you know with something you have. The point is to resist stolen passwords: a second factor from another category means one captured secret is no longer enough to get in.
Trap Counting a password plus a security question as MFA; both are something you know, so it is single-factor and one phishing attack can capture both.
4 questions test this
- A user logs into a banking application using a password and then receives a one-time code on their mobile phone that must be entered. What…
- A user enters a password and then scans their fingerprint to access a secure system. What type of authentication is being used?
- Which combination represents valid authentication factors for multi-factor authentication?
- An organization requires employees to use a proximity card combined with a PIN to enter the data center. Which security concept does this…
- Non-repudiation means an actor cannot deny what they did
Non-repudiation is assurance that the person who took an action cannot later deny it, and that the receiver cannot deny receiving it. It depends on integrity plus strong proof of identity, and it is what lets an organization hold someone responsible for an action with confidence.
5 questions test this
- An organization requires employees to digitally sign all outgoing contracts. What security benefits does this provide?
- Sarah digitally signs an email to her colleague using her private key. What security services does this digital signature provide?
- An organization wants to ensure that employees cannot deny sending critical business communications. Which mechanism best supports this…
- A financial services company needs to prove that a specific customer authorized a large wire transfer. Which security principle is the…
- An employee claims they did not authorize a financial transaction that occurred under their credentials. Which security principle addresses…
- A digital signature provides non-repudiation because only the signer holds the private key
A digital signature gives origin authenticity, integrity, and non-repudiation at once. Because only the signer holds the private key used to sign, a valid signature ties the document or action to that one person, so they cannot credibly deny it. This is the classic control to reach for when a scenario asks to prove who sent or approved something.
Trap Reaching for a shared-key message authentication code (MAC) for non-repudiation; both parties hold the same key, so either could have produced it and neither is uniquely bound.
5 questions test this
- An organization requires employees to digitally sign all outgoing contracts. What security benefits does this provide?
- Which cryptographic mechanism enables a recipient to verify both the origin of a message and that the message has not been altered?
- Sarah digitally signs an email to her colleague using her private key. What security services does this digital signature provide?
- An organization wants to ensure that employees cannot deny sending critical business communications. Which mechanism best supports this…
- What cryptographic mechanism is primarily used to achieve non-repudiation?
Accountability is the goal of tracing every action uniquely back to the individual who performed it, and it rests on authentication plus logging. Shared accounts defeat accountability no matter how strong the password is: if several people sign in as "admin", the logs show the action but not who is responsible.
Trap Assuming a strong password on a shared account preserves accountability; shared use breaks the unique attribution that accountability and non-repudiation both require.
- Privacy is the right to control personal data, not the same as confidentiality
Privacy is the right of individuals to control how their personal information is collected, used, shared, and retained, and it is increasingly driven by laws and regulations. Confidentiality is the control that keeps data secret; privacy is the individual's right to decide what is done with data about them. You can hold data with perfect confidentiality and still violate privacy by using it for a purpose the person never agreed to.
Trap Treating strong confidentiality controls as satisfying privacy; secrecy of the data does not cover consent or how the personal data is used.
- Read the harm in the stem to pick the CIA goal
Most Information Assurance questions describe a situation and ask which goal is at stake, and the harm names the goal. Data seen by the wrong person is confidentiality, data changed is integrity, and a system that is down or unreachable is availability. Match the verb in the scenario to the goal rather than guessing from the topic.
- Information assurance balances the three goals rather than maximizing one
The three goals can pull against each other: locking everything down strengthens confidentiality but can hurt availability, while spreading data everywhere for availability can widen how it leaks. Security is the act of balancing confidentiality, integrity, and availability for the value of what is being protected, not maximizing any single one.
- Authentication, non-repudiation, and privacy extend the triad in the CC outline
The CC Information Assurance topic covers the CIA triad plus three more goals: authentication (confirming identity), non-repudiation (preventing denial of an action), and privacy (individual control over personal data). Knowing that the outline lists these alongside the triad helps you recognize which goal an answer choice is naming.
- To send a confidential message, encrypt with the recipient's public key
In asymmetric (public-key) encryption, the sender encrypts with the recipient's public key, and only the recipient's matching private key can decrypt it, which is how confidentiality is achieved. The private key is never shared, so even an intercepted message stays unreadable.
Trap Encrypting with the sender's own private key, which gives a signature for non-repudiation, not confidentiality.
4 questions test this
- To ensure only the intended recipient can read a confidential message using asymmetric encryption, which key should the sender use to…
- In asymmetric encryption, if Sarah wants to send a confidential message to James, which key should she use to encrypt the message?
- What security assurance is primarily provided when a sender encrypts a message using the recipient's public key?
- In asymmetric encryption, which key should be kept confidential and never shared with other parties?
- Symmetric encryption shares one key and is fast; asymmetric uses a key pair and is slow
Symmetric encryption uses a single shared secret key for both encryption and decryption, so it is fast and suited to bulk data at rest (for example AES). Asymmetric encryption uses a public/private key pair, which solves key distribution but is slower, so hybrid systems use it only to exchange a symmetric session key.
Trap Reaching for asymmetric encryption to protect large volumes of data, when its overhead makes symmetric the efficient choice for bulk encryption.
6 questions test this
- Which statement correctly describes symmetric encryption?
- A security administrator needs to encrypt large volumes of data efficiently. Which type of encryption should be used?
- Which statement accurately describes the difference between symmetric and asymmetric encryption?
- Which statement accurately describes the relationship between asymmetric encryption and symmetric encryption in modern security…
- In symmetric encryption, which characteristic distinguishes it from asymmetric encryption?
- Which type of encryption uses a single key for both encrypting and decrypting data, making it efficient for protecting large amounts of…
Also tested in
References
- https://csrc.nist.gov/glossary/term/confidentiality
- https://csrc.nist.gov/glossary/term/integrity
- https://csrc.nist.gov/glossary/term/availability
- https://csrc.nist.gov/glossary/term/authentication
- https://csrc.nist.gov/glossary/term/non_repudiation
- https://csrc.nist.gov/glossary/term/digital_signature
- https://csrc.nist.gov/glossary/term/message_authentication_code
- https://csrc.nist.gov/glossary/term/accountability
- https://csrc.nist.gov/glossary/term/privacy