Introduction to Security Governance: CIA (Confidentiality, Integrity, Availability)

Security governance is implemented through management concepts, security policies, and their technical implementation. While working with these items we need a set of parameters to understand and describe the security of an IT environment.

CIA is the abbreviation of Confidentiality, Integrity and Availability. These three properties are used to define the level and status of the current security situation. We will look at all of them, and at several related terms, below. Each term is defined briefly first, followed by a more detailed explanation and an example.

Confidentiality

Let's start with an example about a credit card PIN from the confidentiality point of view. A credit card is a physical card used to make payments at a point-of-sale (POS) terminal, or an electronic POS on the internet. A PIN code is required for POS usage, and the only person who should know this PIN is the card holder. We call this rule or policy confidentiality. The card itself should also be kept in a secure place, such as our pocket; we cannot leave the credit card lying in the street or alone in a pub. Confidentiality is therefore also about preventing unauthorized access. So we have two items:

  • Keeping a secret
  • Preventing unauthorized access

Integrity

We want to make a payment of $50. But during transmission the payment is changed to $5000 by adding to or altering the given value. We call this an integrity problem. The information should not be altered, or at least, if it is altered, the alteration must be detectable so that the changed message can be rejected.

Availability

Another subject is availability, which means we can make a payment 24×7. If there are time periods during which we cannot make a payment, this is an availability problem. DDoS and similar attacks hurt the availability of the targeted IT infrastructure or application.

Sensitivity

Security is designed to protect information and its surrounding environment. Sensitivity describes how much harm the disclosure of a given piece of information would cause; it is a sub-concept of confidentiality. As an example, by breaking confidentiality an attacker may gain access to different types of information, such as Apache logs or user PINs, but their sensitivity is very different: PINs are far more sensitive than Apache logs.

Criticality

Criticality is similar to sensitivity but generally relates to running operations. An issue that interrupts the whole payment process is more critical than the breakdown of a test server.

Secrecy

Secrecy is the act of keeping something secret, or preventing unwanted and unauthorized parties from accessing that information. For example, PIN data should not be readable even by the Linux administrators of the systems that store it.

Privacy

Privacy has become a very prominent issue in recent years. Privacy means keeping personally identifiable information confidential. For example, the credit card holder's name and surname should be kept confidential.

Seclusion

Seclusion is storing data at rest in a very strictly secured area. For example, cold backups of credit card data should be stored in seclusion.

Isolation

Isolation is another way to protect information: different types of information must not share the same channel or area. For example, normal users and highly privileged users should not share the same network.

Authorization

Authorization is granting the required rights and privileges to an authenticated user or party.

Authentication

Authentication is verifying identity. A party must be authenticated before it is authorized, because the authorization decision depends on the identity of the party.

Auditing

Auditing is the act of recording the actions of a given role. This provides evidence of the actions the role has performed.

Nonrepudiation

Nonrepudiation is similar to integrity, but provides a bit more: it makes the recorded audit information undeniable, so the party that performed an action cannot later claim it did not. Integrity alone only shows that a message was not altered; nonrepudiation also binds the message to the party that produced it.
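The $50-to-$5000 tampering from the Integrity section, and the difference between integrity and nonrepudiation described in this section, as an added Go example that is not part of the original article. An HMAC with a key shared by card and bank detects the altered amount, but because the bank holds the same key it could forge a tag itself, so the tag proves nothing about who sent the message; an Ed25519 signature, which only the cardholder's private key can produce, does. The message layout, the card token and the keys are constructed for illustration and are not a real payment format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Payment is the message a cardholder's device sends to the bank.
// Constructed example: the field names and the encoding below are
// assumptions for illustration, not a real payment wire format.
type Payment struct {
	Card   string // a card token, constructed
	Amount int    // amount in cents
}

// encode gives a canonical byte form of the message. Both the integrity
// and the nonrepudiation check must cover exactly the transmitted bytes.
func (p Payment) encode() []byte {
	return []byte(fmt.Sprintf("card=%s;amount=%d", p.Card, p.Amount))
}

// MACPayment computes an HMAC-SHA256 tag with a key shared by sender and
// bank. Anyone altering the amount in transit cannot recompute the tag
// without the key, so the alteration is detected (integrity).
func MACPayment(key []byte, p Payment) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(p.encode())
	return m.Sum(nil)
}

// VerifyMAC reports whether the received payment matches its tag.
// hmac.Equal compares in constant time so the tag is not leaked via timing.
func VerifyMAC(key []byte, p Payment, tag []byte) bool {
	return hmac.Equal(MACPayment(key, p), tag)
}

// SignPayment produces an Ed25519 signature. Only the holder of the
// private key can create it, so a valid signature is evidence that the
// cardholder authorised this exact message (nonrepudiation).
func SignPayment(priv ed25519.PrivateKey, p Payment) []byte {
	return ed25519.Sign(priv, p.encode())
}

// VerifySignature checks a signature against the cardholder's public key.
func VerifySignature(pub ed25519.PublicKey, p Payment, sig []byte) bool {
	return ed25519.Verify(pub, p.encode(), sig)
}

// Tamper returns the message as an attacker in the middle would rewrite
// it: the $50.00 payment becomes $5,000.00. The original is left untouched.
func Tamper(p Payment) Payment {
	p.Amount = 500000
	return p
}

func main() {
	key := []byte("shared-secret-between-card-and-bank") // constructed
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	p := Payment{Card: "tok_example", Amount: 5000} // $50.00, constructed

	tag := MACPayment(key, p)
	sig := SignPayment(priv, p)
	fmt.Println("genuine  -> MAC ok:", VerifyMAC(key, p, tag),
		"signature ok:", VerifySignature(pub, p, sig))

	alt := Tamper(p)
	fmt.Println("tampered -> MAC ok:", VerifyMAC(key, alt, tag),
		"signature ok:", VerifySignature(pub, alt, sig))

	// Why a MAC gives integrity but not nonrepudiation: the bank holds the
	// same key, so it can produce a valid tag for any amount by itself. The
	// tag therefore never proves that the cardholder sent the message.
	forged := MACPayment(key, alt)
	fmt.Println("bank-forged MAC verifies:", VerifyMAC(key, alt, forged))

	// The bank holds only the public key. A signature made with any other
	// key does not verify, so the bank cannot manufacture evidence.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("bank-forged signature verifies:",
		VerifySignature(pub, alt, SignPayment(otherPriv, alt)))
}
```

Running it prints true/true for the genuine message, false/false for the tampered one, true for the bank-forged MAC and false for the bank-forged signature. The last two lines are the whole point: both mechanisms catch the altered amount, but only the signature can be shown to a third party as proof of who authorised the payment, which is what makes an audit record undeniable.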

Translated from: https://www.poftut.com/introduction-security-governance-cia-confidentiality-integrity-availibility/
