Security Concepts (CIA)
The five pillars as properties to preserve
A stolen customer database, a tampered firmware image, a ransomware-encrypted file server: read each as the pillar it broke (disclosure, alteration, destruction) and you have the fastest way the exam offers to classify what an incident actually cost. The CIA triad you can already name is exactly that lens, plus two pillars (authenticity and nonrepudiation) that the (ISC)2 outline elevates to first-class. Everything that follows in this domain, risk, governance, control selection, exists to preserve these five properties for a defined asset, so state each one as a precise property first. The figure below groups the five as a taxonomy: the CIA triad in one box, authenticity and nonrepudiation in a second, with the FIPS 200 nuance noted underneath.
Start from the canonical definitions and treat them as the model the rest of the page elaborates. Confidentiality is "preserving authorized restrictions on information access and disclosure[1]," which explicitly includes protecting personal privacy and proprietary information. Integrity is "guarding against improper information modification or destruction[2], and includes ensuring information non-repudiation and authenticity." Availability is "ensuring timely and reliable access to and use of information[3]." These three are the security objectives codified in U.S. law (44 U.S.C. 3542) and restated in FIPS 200[2]; they are the foundation of every later framework.
Two further pillars complete the set the (ISC)2 outline calls the five pillars of information security. Authenticity is "the property of being genuine and being able to be verified and trusted[4]; confidence in the validity of a transmission, message, or message originator." Nonrepudiation (one word in modern NIST usage; also written non-repudiation) is the "assurance that the sender of information is provided with proof of delivery and the recipient is provided with proof of the sender's identity, so neither can later deny having processed the information[5]."
Notice the relationship the FIPS 200 wording makes explicit and that the exam loves to probe: integrity, in the federal definition, subsumes authenticity and nonrepudiation. That is why authenticity and nonrepudiation are sometimes taught as facets of integrity rather than as separate pillars. Both framings are correct: the (ISC)2 outline elevates them to first-class pillars to force candidates to reason about origin and accountability explicitly. When a question treats them as distinct, answer at that grain; when a question treats integrity broadly, remember it carries them inside it.
The inverse of the triad is the DAD triad: Disclosure, Alteration, Destruction. Disclosure is the failure of confidentiality, alteration the failure of integrity, and destruction (or denial of access) the failure of availability. DAD is not a separate theory to memorize; it is simply CIA read as outcomes, and it is the fastest way to classify what an incident actually broke. A stolen customer database is disclosure (confidentiality lost); a tampered firmware image is alteration (integrity lost); a ransomware-encrypted file server is destruction/denial (availability lost).
Mapping each pillar to its control class
This section turns the five definitions into a selection rule: given a threatened pillar, which class of control is the primary answer. The mechanism that preserves a property is the one whose effect is that property, not the strongest tool available.
Confidentiality is preserved primarily by encryption and by access control plus data classification. Encryption protects data at rest and in transit so unauthorized parties cannot read it; access control and classification decide who is authorized in the first place. Note the boundary the exam tests: encryption protects confidentiality directly, but it does not by itself prove who sent the data, that is authenticity, a different pillar (covered below). Encrypting a message hides it from eavesdroppers yet says nothing about whether the claimed sender really sent it.
Integrity is preserved by hashing, digital signatures, and change/version control. A cryptographic hash detects whether data changed; a digital signature additionally binds the change to a signer. Here is the reconciliation candidates miss: because FIPS 200 folds authenticity and nonrepudiation into integrity, a single digital signature can serve all three: it detects alteration (integrity), proves the data came from the key holder (authenticity), and lets a third party hold the signer to the act (nonrepudiation). The question's framing tells you which property to name.
Availability is preserved by redundancy, backups, capacity planning, and denial-of-service defense. The defining trait is that availability controls fight loss of access, not loss of secrecy: a perfectly encrypted backup that you cannot restore in time has failed availability while perfectly serving confidentiality.
Authenticity is preserved by origin authentication: digital signatures, message authentication codes (MACs), certificates, and mutual authentication. Authenticity answers "did this truly come from the claimed source?" A common misread is to treat a TLS-encrypted channel as proof of authenticity; the channel's certificate authenticates the server, but encryption of the payload alone authenticates nothing about the payload's origin.
Nonrepudiation is preserved by digital signatures over content, combined with secure, tamper-evident logging and trusted timestamps. Its single distinguishing requirement is third-party verifiability: a MAC can prove authenticity between two parties who share a secret key, but because both hold the same key, either could have produced the tag, so a MAC cannot give nonrepudiation. Only asymmetric signatures, where the private key is held by exactly one party, let an outside arbiter attribute the action and defeat a later denial.
The pattern across all five rows of the figure is one rule: name the property the asset most needs, read off its inverse to confirm what would break it, then pick the control class whose primary effect is that property.
Weighing the pillars: impact, categorization, baselines
Real assets value the pillars unequally, and protecting a pillar the asset does not need wastes budget the pillars it does need. Building on the per-pillar control mapping above, the leadership skill is weighing the pillars rather than maximizing all three.
The disciplined way to weigh them is security categorization. FIPS 199[1] rates the potential impact of a loss of confidentiality, integrity, and availability independently as low, moderate, or high. The conventional shorthand expresses an asset's security category as a triple, for example a public web server might be (confidentiality LOW, integrity MODERATE, availability MODERATE), while a patient record store might be (confidentiality HIGH, integrity HIGH, availability MODERATE). Impact is graded by the magnitude of adverse effect: low is a limited adverse effect, moderate is a serious adverse effect, and high is a severe or catastrophic adverse effect on operations, assets, or individuals.
The rule that connects categorization to controls is the high-water-mark: the overall impact level of the system is the highest of its three objective impact ratings. A system rated (LOW, LOW, HIGH) is a HIGH-impact system overall, and its control baseline is selected accordingly. This is why an asset whose availability is critical inherits strong controls even if its confidentiality need is trivial, and why the figure flows the three independent ratings into a single baseline.
The trade-off this forces is the heart of the subtopic. Strengthening one pillar routinely costs another: aggressive integrity controls (mandatory signing, immutable logs) can slow availability; strict confidentiality (heavy encryption, tight access) can impede the availability of legitimate users; high availability through wide replication multiplies the surface that confidentiality must defend. A security leader's job is to set each pillar's target to the asset's real impact rating and accept the residual trade-off deliberately, deciding the balance rather than reflexively turning every dial to maximum.
Exam-pattern recognition
CISSP rarely asks you to recite a definition: it asks you to name the pillar at stake or pick the control whose primary property matches it. Building on the prior three sections, this is how the pillars surface in question stems and which answer the (ISC)2 grain rewards.
Pattern 1, "Which concept/objective is MOST affected?" The stem describes an event; you classify it via the DAD inverse. A leaked customer list is a confidentiality loss (disclosure); a manipulated funds-transfer amount is an integrity loss (alteration); a flood that takes the data center offline is an availability loss (destruction/denial). The trap answer names a real but secondary pillar: pick the one the event directly negated.
Pattern 2, "Which control BEST provides [property]?" Map the property to its primary control class: confidentiality to encryption or access control, integrity to hashing or signing, availability to redundancy or backups. If the property is confidentiality, the answer is encryption or access control, not a digital signature. If it is integrity, the answer is hashing or signing, not encryption. The seductive distractor is a strong control for the wrong pillar: strength never beats fit.
Pattern 3, authenticity vs. nonrepudiation. This is the most-missed pair. If the requirement is "confirm the message genuinely came from the stated sender," the property is authenticity and a MAC or signature satisfies it. If the requirement adds "...so the sender cannot later deny it to a third party / auditor / court," the property is nonrepudiation and only an asymmetric digital signature satisfies it: a MAC fails because both parties share the key and either could have produced the tag. Watch for the words "deny," "dispute," "prove to a third party," and "legally binding": they signal nonrepudiation.
Pattern 4, confidentiality is not authentication. A stem that says data was encrypted and asks whether the recipient can trust its origin is testing whether you conflate the two. Encryption serves confidentiality; it does not establish that the sender is genuine. The right answer adds an origin-authentication mechanism.
Pattern 5, pillar trade-offs and impact. When a stem asks for the FIRST or BEST step in protecting an asset, the (ISC)2-correct move is usually to determine the asset's value and which pillar it most needs (categorize impact) before selecting a control. An answer that jumps to a specific technology before the impact is understood is the manager-altitude trap: the right answer identifies the dominant pillar and its impact level first, then the control follows.
The five pillars: what each preserves, its inverse, and the control class
| Pillar | Property preserved | Inverse / failure | Primary control class |
|---|---|---|---|
| Confidentiality | Authorized restriction on access and disclosure | Disclosure | Encryption, access control, classification |
| Integrity | Guard against improper modification or destruction | Alteration | Hashing, digital signatures, change control |
| Availability | Timely and reliable access and use | Destruction / denial | Redundancy, backups, capacity, DDoS defense |
| Authenticity | Genuineness and verifiable origin | Spoofing / forgery | Origin authentication, certificates, MACs |
| Nonrepudiation | Inability to deny a performed action | Repudiation | Digital signatures, secure logging, timestamps |
Decision tree
Sharp facts the exam loves — give these one last read before exam day.
Cheat sheet
Sharp facts the exam loves — scan these before test day.
- The five pillars are CIA plus authenticity and nonrepudiation
Information security preserves five properties: confidentiality, integrity, and availability (the CIA triad) plus authenticity and nonrepudiation. CIA is the historic core codified in U.S. law and FIPS 200; (ISC)2 adds authenticity (data is genuine and its origin verifiable) and nonrepudiation (an actor cannot deny an action) as the fourth and fifth pillars. Each is a property to preserve, so a control earns its place only by strengthening one or more of them for a defined asset.
- Confidentiality preserves authorized restrictions on access and disclosure
Confidentiality is preserving authorized restrictions on information access and disclosure, explicitly including protecting personal privacy and proprietary information. It is preserved primarily by encryption (data at rest and in transit), access control, and data classification. The point is who is allowed to see the data, not whether the data is correct or reachable.
Trap Equating confidentiality with privacy, when privacy is the subset concerned specifically with personal data while confidentiality covers any restricted information.
- Integrity guards against improper modification and, in the federal sense, includes authenticity and nonrepudiation
Integrity is guarding against improper information modification or destruction; the FIPS 200 wording adds that it includes ensuring information nonrepudiation and authenticity. It is preserved by hashing (detects change), digital signatures (binds change to a signer), and change/version control. That nesting is why a single digital signature can satisfy integrity, authenticity, and nonrepudiation at once.
Trap Treating integrity as only 'data isn't changed' and forgetting the FIPS 200 definition folds authenticity and nonrepudiation inside it.
- Availability ensures timely and reliable access to information
Availability is ensuring timely and reliable access to and use of information. It is preserved by redundancy, backups, capacity planning, and denial-of-service defense. Its distinguishing trait is that it fights loss of access, not loss of secrecy, so a perfectly encrypted backup you cannot restore in time has failed availability while still serving confidentiality.
- Authenticity is the property of being genuine with verifiable origin
Authenticity is the property of being genuine and verifiable and trusted, confidence in the validity of a transmission, message, or originator. It answers 'did this truly come from the claimed source?' and is preserved by origin authentication: digital signatures, message authentication codes (MACs), certificates, and mutual authentication. Encryption alone does not provide it, because a confidential channel can still carry data from a forged sender.
Trap Assuming encryption establishes authenticity, when a confidential channel can still carry data injected by a forged or impersonated sender.
- Nonrepudiation stops an actor from credibly denying an action
Nonrepudiation assures that the sender is given proof of delivery and the recipient proof of the sender's identity, so neither can later deny having processed the information. It is preserved by asymmetric digital signatures over content plus secure, tamper-evident logging and trusted timestamps. Its defining requirement is third-party verifiability: an outside arbiter can attribute the action to one party.
- DAD is the inverse of CIA: disclosure, alteration, destruction
The DAD triad names the failure of each CIA property: Disclosure breaks confidentiality, Alteration breaks integrity, and Destruction or denial breaks availability. It is not a separate theory but CIA read as outcomes, and it is the fastest way to classify what an incident actually broke. A leaked database is disclosure, a tampered transfer amount is alteration, and a ransomware-locked server is destruction.
- Match the threatened pillar to the control whose primary effect IS that property
Control selection means naming the dominant or threatened pillar first, then choosing the control class whose primary effect is that property: confidentiality maps to encryption and access control, integrity to hashing and signatures, availability to redundancy and backups. The exam-correct answer is the control that fits the threatened pillar, not the strongest control overall. Reversing the order, picking an impressive control before identifying the pillar, is how candidates choose a mis-targeted answer.
Trap Choosing a strong control for the wrong pillar, e.g. a digital signature when the requirement is confidentiality (which needs encryption).
- Encryption provides confidentiality, not authentication of the sender
Encryption protects confidentiality by making data unreadable to unauthorized parties, but on its own it proves nothing about who sent the data, which is authenticity. A TLS certificate authenticates the server, yet encrypting a payload does not authenticate the payload's origin. When a stem says data was encrypted and asks whether the recipient can trust its source, the missing piece is an origin-authentication mechanism.
Trap Assuming an encrypted message is therefore proven to come from the stated sender, conflating confidentiality with authenticity.
- A MAC gives authenticity but not nonrepudiation; only a signature gives both
A message authentication code proves data came from someone holding the shared secret key, so it provides integrity and authenticity between two parties. It cannot provide nonrepudiation because both parties hold the same key and either could have produced the tag, so no third party can attribute the action to one of them. Asymmetric digital signatures, where the private key is held by exactly one party, are required for nonrepudiation.
Trap Selecting a MAC or shared-secret HMAC to satisfy a nonrepudiation requirement, when only an asymmetric signature can defeat a later denial.
- Authenticity vs nonrepudiation: 'genuine source' vs 'cannot deny to a third party'
Authenticity answers whether a message genuinely came from its stated sender; nonrepudiation adds that the sender cannot later deny it to an auditor, arbiter, or court. The cue words 'deny', 'dispute', 'prove to a third party', and 'legally binding' signal nonrepudiation, whereas 'confirm the sender is genuine' signals authenticity alone. Both can be satisfied by a digital signature, so the answer hinges on which property the stem is actually demanding.
Trap Picking nonrepudiation when the stem only asks to confirm the sender is genuine, a requirement that authenticity alone satisfies.
- FIPS 199 rates confidentiality, integrity, and availability independently
FIPS 199 categorizes a system by rating the potential impact of losing each objective, confidentiality, integrity, and availability, independently as LOW, MODERATE, or HIGH. Assets value the pillars unequally: a public price list needs integrity and availability but little confidentiality, while a draft merger needs confidentiality above all. Rating them separately stops you from over-protecting a pillar the asset does not need.
5 questions test this
- A federal agency is categorizing an information system that processes multiple information types with different security requirements. The…
- An organization's security team is implementing a data classification scheme that incorporates all three elements of the CIA Triad. They…
- A healthcare organization is classifying its medical records system according to the CIA Triad. Patient records require protection from…
- An organization is implementing a data classification scheme with four levels: Public, Internal, Confidential, and Restricted. The security…
- A manufacturing company operates a SCADA system that monitors production line equipment. The security team is establishing data…
- Impact levels: LOW is limited, MODERATE is serious, HIGH is severe or catastrophic
FIPS 199 grades each objective's potential impact by the magnitude of adverse effect on operations, assets, or individuals: LOW is a limited adverse effect, MODERATE is a serious adverse effect, and HIGH is a severe or catastrophic adverse effect. These three levels, applied per pillar, are what later drive the strength of the control baseline.
- High-water-mark: a system's overall impact is the highest of its three ratings
Under the FIPS 199 high-water-mark rule, the overall impact level of a system equals the highest of its confidentiality, integrity, and availability impact ratings. A system rated (LOW, LOW, HIGH) is a HIGH-impact system overall and selects controls accordingly. This is why an asset whose availability alone is critical still inherits a strong baseline even if its confidentiality need is trivial.
Trap Averaging the three impact ratings instead of taking the maximum, which understates the required baseline.
3 questions test this
- A federal agency is categorizing an information system that processes multiple information types with different security requirements. The…
- A financial services organization is implementing a data classification scheme following FIPS 199 guidelines. Their customer transaction…
- An organization is implementing a data classification scheme with four levels: Public, Internal, Confidential, and Restricted. The security…
- Pillars are weighed and traded off, not all maximized at once
Strengthening one pillar routinely costs another: mandatory signing and immutable logs (integrity) can slow availability, heavy encryption and tight access (confidentiality) can impede legitimate users' availability, and wide replication for availability enlarges the surface confidentiality must defend. A security leader sets each pillar's target to the asset's real impact rating and accepts the residual trade-off deliberately, rather than turning every dial to maximum.
Trap Assuming all three pillars should be maximized for every asset, ignoring that raising one pillar routinely degrades another.
- First identify the asset's value and dominant pillar, then select a control
When a stem asks for the FIRST or BEST step to protect an asset, the manager-altitude answer is to determine the asset's value and which pillar it most needs, that is, categorize impact, before choosing any technology. Jumping to a specific mechanism before the impact is understood is the classic distractor. Identify the dominant pillar and its impact level first; the control follows from that.
Trap Picking a specific technology as the FIRST step before the asset's value and dominant pillar have been determined.
Also tested in
References
- NIST CSRC Glossary: Confidentiality (FIPS 200 / 44 U.S.C. 3542) Whitepaper
- NIST CSRC Glossary: Integrity (FIPS 200) Whitepaper
- NIST CSRC Glossary: Availability (FIPS 200) Whitepaper
- NIST CSRC Glossary: Authenticity (NIST SP 800-53 Rev. 5) Whitepaper
- NIST CSRC Glossary: Non-repudiation (NIST SP 800-18 / CNSSI 4009) Whitepaper