Domain 1 of 5 · Chapter 1 of 5

Information Assurance

The CIA triad: confidentiality, integrity, availability

Picture a hospital. The patient records must be readable only by the right staff, they must be accurate so a doctor never treats someone from the wrong chart, and they must be reachable the moment an emergency arrives. Those three needs are the CIA triad[1]: confidentiality, integrity, and availability. The triad is the backbone of information assurance, the practice of keeping data and the systems that hold it trustworthy. Nearly every control in this exam exists to protect at least one of the three, so learning to spot which goal a scenario is about is one of the most useful skills for the CC exam.

Confidentiality

Confidentiality means preserving authorized restrictions on who can see information, which protects personal privacy and proprietary data from disclosure[1]. The everyday tools are access control (only the right people get in), encryption (scrambling data so an interceptor sees nothing useful), and careful handling such as not emailing a sensitive file to the wrong list. A breach of confidentiality is any time information is seen by someone who should not see it: a leaked customer database, a shoulder-surfed password, or a laptop stolen with unencrypted files.

Integrity

Integrity means guarding information against improper modification or destruction, so it stays accurate, complete, and trustworthy over its whole life (FIPS 200 / NIST[2]). The classic technical check is hashing: running data through a one-way function produces a short fingerprint, and if even one character changes, the fingerprint changes, so a mismatch reveals tampering. A breach of integrity is any unauthorized or accidental change: an attacker editing a bank balance, a corrupted file transfer, or a typo that silently alters a record.

Availability

Availability means ensuring timely and reliable access to and use of information for the people authorized to have it (NIST[3]). It is protected by backups, by redundancy (a second server ready to take over), and by enough capacity to handle the load. A breach of availability does not require any secret being exposed or any data being changed: an outage, a hardware failure, or a denial-of-service flood that buries a website under fake traffic all deny legitimate users their access.

The three goals can pull against each other. Encrypting and locking everything down strengthens confidentiality but can slow access and hurt availability; making data available everywhere can widen the ways it leaks. Security is the act of balancing the three for the value of what is being protected.

InformationassuranceConfidentialityonly authorized eyesIntegrityaccurate, unalteredAvailabilityusable when neededThreat: disclosureThreat: changeThreat: outage
Information assurance protects three goals; each defends against one kind of threat (CIA triad, per FIPS 200 / NIST definitions).

Authentication and multi-factor authentication

Authentication is the gate that checks you are who you claim to be before any access is granted, which is why it always comes before authorization: a system cannot give the right permissions to an identity it has not first confirmed (NIST[4]). It is easy to mix up the two terms, so hold the order in mind. Authentication answers "who are you?" and authorization answers "what are you allowed to do?", and authorization is meaningless until authentication has happened.

The three categories of factors

Proof of identity comes from three categories, and the CC exam expects you to recognize them by example:

  • Something you know: a password, a PIN, or the answer to a security question. Knowledge can be guessed, phished, or shared.
  • Something you have: a phone that receives a code, a hardware token, or a smart card. Possession can be lost or stolen.
  • Something you are: a biometric such as a fingerprint, face, or iris. Inherence is hard to fake but cannot be reset if it leaks.

Multi-factor authentication

Multi-factor authentication (MFA) requires factors from two or more different categories, so the defining rule is that the factors must come from different categories, not just be two separate steps. A password plus a one-time code on your phone is MFA, because it combines something you know with something you have. A password plus a security question is not MFA, because both are something you know, so a single phishing attack can capture both. MFA matters because most attacks start with a stolen or guessed password, and a second factor from another category means that one stolen secret is no longer enough to get in.

Something you knowpassword, PINSomething you havephone, token, cardSomething you arefingerprint, faceMulti-factor authenticationtwo or more DIFFERENT categories
MFA combines factors from two or more different categories; two factors from one category is still single-factor.

Non-repudiation, accountability, and privacy

Beyond the CIA triad, the CC outline names authentication (covered above), non-repudiation, and privacy as additional information assurance goals. This section covers the last two, plus accountability, the supporting concept that non-repudiation rests on. They build on the triad rather than replace it.

Non-repudiation

Non-repudiation is assurance that someone cannot later deny an action they took: the sender of a message is given proof of delivery, and the recipient is given proof of the sender's identity, so neither can credibly claim it did not happen (NIST[5]). The classic example is a digital signature. Because only the signer holds the private key used to sign, a valid signature ties the document to that one person, providing origin authenticity, integrity, and non-repudiation at once (FIPS 186-5[6]). This is worth contrasting with a shared secret: a message authentication code[7] proves integrity and authenticity, but because both parties share the same key, either one could have produced it, so a MAC gives no non-repudiation.

Accountability

Accountability is the goal of tracing every action uniquely back to the individual who performed it (NIST[8]). It depends on authentication (to know who acted) and on logging (to record what they did), and it is the foundation non-repudiation rests on. This is the concrete reason shared accounts are discouraged: if five people log in as "admin," the logs can prove the action happened but not who is responsible, so accountability is lost no matter how strong the password is.

Privacy

Privacy is the right of individuals to control how their personal information is collected, used, shared, and retained, and it is increasingly enforced by laws and regulations (NIST[9]). Privacy is often confused with confidentiality, but they are not the same: confidentiality is the control that keeps data secret, while privacy is the individual's right to decide what is done with data about them. You can store a person's data with perfect confidentiality and still violate their privacy by using it for a purpose they never agreed to, which is why privacy is treated as its own goal.

Exam pattern: name the goal in the scenario

Most Information Assurance questions describe a situation and ask which security goal is at stake, or which goal a control protects. The fastest path to the right answer is to read for the verb in the scenario and match it to a goal, because each goal maps to a distinct kind of harm.

How to read the stem

  • If information was seen by the wrong person (leaked, exposed, intercepted, overheard), the goal is confidentiality.
  • If information was changed (altered, tampered, corrupted, modified), the goal is integrity.
  • If a system or data became unreachable (down, outage, denial of service, deleted with no backup), the goal is availability.
  • If the task is to confirm an identity before access, the goal is authentication, and "strengthen the login against stolen passwords" points to MFA.
  • If the task is to prove who did something so they cannot deny it, the goal is non-repudiation, typically a digital signature.

Common traps

The most common trap is choosing confidentiality for a tampering scenario. If records were altered rather than viewed, the answer is integrity, even though an attacker may have needed access to make the change. A second trap is treating any two-step login as MFA: check that the two factors come from different categories first. A third trap is picking confidentiality when the scenario is really about consent or misuse of personal data, which is privacy. When a question lists several goals as options, decide what kind of harm occurred (exposure, change, or downtime) and let that pick the goal.

What harm happened?seenchangedunreachableConfidentialityIntegrityAvailabilityWhat is the task?confirm identityprove who actedAuthentication / MFANon-repudiation
Map the harm or task in the stem to the goal: seen to confidentiality, changed to integrity, unreachable to availability.

The core security goals of information assurance

GoalPlain-language meaningWhat it protects againstTypical control
ConfidentialityOnly authorized people can see the informationDisclosure, eavesdropping, theft of dataAccess control, encryption
IntegrityInformation stays accurate and unalteredUnauthorized or accidental changesHashing, change control
AvailabilityInformation and systems are usable when neededOutages, denial of service, data lossBackups, redundancy
AuthenticationThe identity is confirmed before accessImpersonation, stolen passwordsPasswords plus MFA
Non-repudiationThe actor cannot deny the actionForgery, false denial of sendingDigital signatures
PrivacyIndividuals control their personal dataMisuse of personal informationConsent, data-handling policy

Decision tree

Data itself,or an identity?the dataan identityWhat harm to the data?What is the task?seenchangeddownConfidentialitydata exposedIntegritydata alteredAvailabilitydata unreachableconfirm identityprove who actedAuthentication / MFAverify who you areNon-repudiationcannot deny actTrap: data altered, not seen, is integrity, not confidentiality

Sharp facts the exam loves — give these one last read before exam day.

Cheat sheet

Sharp facts the exam loves — scan these before test day.

The CIA triad is confidentiality, integrity, and availability

The CIA triad names the three core goals of information assurance: confidentiality (only authorized people can see the data), integrity (the data stays accurate and unaltered), and availability (the data and systems are usable when authorized people need them). Almost every control you study protects at least one of the three, so a fast first step on any scenario is to decide which of the three is at stake.

4 questions test this
Confidentiality is about who can see the data, protected by access control and encryption

Confidentiality preserves authorized restrictions on access and disclosure, so only the right people can read the information. It is protected mainly by access control, encryption, and careful data handling. A confidentiality breach is any exposure to the wrong person, such as a leaked database, a shoulder-surfed password, or a stolen unencrypted laptop.

11 questions test this
Integrity is about data staying unaltered, and hashing is the classic check

Integrity guards information against improper or accidental modification, keeping it accurate and complete. Hashing is the classic check: a one-way function produces a short fingerprint of the data, and if even one character changes, the fingerprint changes, so a mismatch reveals tampering. An integrity breach is any unauthorized or accidental change, such as an altered bank balance or a corrupted file.

Trap Picking confidentiality when records were altered rather than viewed; a change to the data is integrity, even if the attacker needed access to make it.

11 questions test this
Availability is about timely access, protected by backups and redundancy

Availability ensures timely and reliable access to information and systems for the people authorized to use them. It is protected by backups, redundancy such as a standby server, and enough capacity to handle the load. An availability breach needs no secret exposed and no data changed: an outage, a hardware failure, or a denial-of-service flood that blocks legitimate users all count.

7 questions test this
Authentication confirms identity and always comes before authorization

Authentication verifies that a user, device, or process is who it claims to be, and it must happen before authorization because a system cannot grant the right permissions to an identity it has not first confirmed. Authentication answers "who are you?" while authorization answers "what are you allowed to do?", and the order is fixed: authenticate first, then authorize.

Trap Treating authorization as the step that proves identity; authorization only assigns permissions after authentication has already confirmed who the identity is.

1 question tests this
Authentication factors fall into three categories: know, have, are

Proof of identity comes from three categories of factors: something you know (a password or PIN), something you have (a phone, token, or smart card), and something you are (a biometric such as a fingerprint or face). The exam expects you to sort an example into the right category, because the category, not the specific item, is what determines whether a login is multi-factor.

9 questions test this
MFA requires factors from two or more different categories

Multi-factor authentication combines factors from two or more different categories, so a password plus a phone code is MFA because it mixes something you know with something you have. The point is to resist stolen passwords: a second factor from another category means one captured secret is no longer enough to get in.

Trap Counting a password plus a security question as MFA; both are something you know, so it is single-factor and one phishing attack can capture both.

4 questions test this
Non-repudiation means an actor cannot deny what they did

Non-repudiation is assurance that the person who took an action cannot later deny it, and that the receiver cannot deny receiving it. It depends on integrity plus strong proof of identity, and it is what lets an organization hold someone responsible for an action with confidence.

5 questions test this
A digital signature provides non-repudiation because only the signer holds the private key

A digital signature gives origin authenticity, integrity, and non-repudiation at once. Because only the signer holds the private key used to sign, a valid signature ties the document or action to that one person, so they cannot credibly deny it. This is the classic control to reach for when a scenario asks to prove who sent or approved something.

Trap Reaching for a shared-key message authentication code (MAC) for non-repudiation; both parties hold the same key, so either could have produced it and neither is uniquely bound.

5 questions test this
Accountability traces each action to one individual, which shared accounts defeat

Accountability is the goal of tracing every action uniquely back to the individual who performed it, and it rests on authentication plus logging. Shared accounts defeat accountability no matter how strong the password is: if several people sign in as "admin", the logs show the action but not who is responsible.

Trap Assuming a strong password on a shared account preserves accountability; shared use breaks the unique attribution that accountability and non-repudiation both require.

1 question tests this
Privacy is the right to control personal data, not the same as confidentiality

Privacy is the right of individuals to control how their personal information is collected, used, shared, and retained, and it is increasingly driven by laws and regulations. Confidentiality is the control that keeps data secret; privacy is the individual's right to decide what is done with data about them. You can hold data with perfect confidentiality and still violate privacy by using it for a purpose the person never agreed to.

Trap Treating strong confidentiality controls as satisfying privacy; secrecy of the data does not cover consent or how the personal data is used.

1 question tests this
Read the harm in the stem to pick the CIA goal

Most Information Assurance questions describe a situation and ask which goal is at stake, and the harm names the goal. Data seen by the wrong person is confidentiality, data changed is integrity, and a system that is down or unreachable is availability. Match the verb in the scenario to the goal rather than guessing from the topic.

1 question tests this
Information assurance balances the three goals rather than maximizing one

The three goals can pull against each other: locking everything down strengthens confidentiality but can hurt availability, while spreading data everywhere for availability can widen how it leaks. Security is the act of balancing confidentiality, integrity, and availability for the value of what is being protected, not maximizing any single one.

Authentication, non-repudiation, and privacy extend the triad in the CC outline

The CC Information Assurance topic covers the CIA triad plus three more goals: authentication (confirming identity), non-repudiation (preventing denial of an action), and privacy (individual control over personal data). Knowing that the outline lists these alongside the triad helps you recognize which goal an answer choice is naming.

To send a confidential message, encrypt with the recipient's public key

In asymmetric (public-key) encryption, the sender encrypts with the recipient's public key, and only the recipient's matching private key can decrypt it, which is how confidentiality is achieved. The private key is never shared, so even an intercepted message stays unreadable.

Trap Encrypting with the sender's own private key, which gives a signature for non-repudiation, not confidentiality.

4 questions test this
Symmetric encryption shares one key and is fast; asymmetric uses a key pair and is slow

Symmetric encryption uses a single shared secret key for both encryption and decryption, so it is fast and suited to bulk data at rest (for example AES). Asymmetric encryption uses a public/private key pair, which solves key distribution but is slower, so hybrid systems use it only to exchange a symmetric session key.

Trap Reaching for asymmetric encryption to protect large volumes of data, when its overhead makes symmetric the efficient choice for bulk encryption.

6 questions test this

Also tested in

References

  1. https://csrc.nist.gov/glossary/term/confidentiality
  2. https://csrc.nist.gov/glossary/term/integrity
  3. https://csrc.nist.gov/glossary/term/availability
  4. https://csrc.nist.gov/glossary/term/authentication
  5. https://csrc.nist.gov/glossary/term/non_repudiation
  6. https://csrc.nist.gov/glossary/term/digital_signature
  7. https://csrc.nist.gov/glossary/term/message_authentication_code
  8. https://csrc.nist.gov/glossary/term/accountability
  9. https://csrc.nist.gov/glossary/term/privacy