CIA now becomes Mod-CIA V&V

CIA is a well-known security concept that underpins information security frameworks such as ISO 27001 and many others.

Since ISMS objectives have to be modified for personal data security under the data protection laws, information security needs to be redefined as the “Preservation of Confidentiality, Integrity, Availability and also the Value of Data”. The core concepts of Confidentiality, Integrity and Availability themselves need to be modified, and we need to adopt Mod-C, Mod-I and Mod-A in place of CIA. To these we need to add the value perception.

The value perception itself needs to be looked at from two angles: the “Value of Data” arising from its cost or market value, and the need to prevent erosion of that value through inadequate governance measures that lead to penalties under the laws.

Hence the CIA Triad needs to be upgraded to Mod-CIA V&V. The reasons why CIA has to be modified in the data protection context are briefly explained below.

First, while “C” in an ISMS reflects data access control that the IS department decides on the basis of role-based access, in the data privacy context the data access controls reflect the permissions given by the Data Principal (the individual to whom the personal data relates) based on the purpose of processing of that personal data.

Similarly, the “I” in the IS context reflects the need to ensure the accuracy of data in the interest of the organization, whereas in the DPDPA context the maintenance of accuracy, completeness and consistency is tied to whether the processed data is meant for disclosure or for decision making.

Also, “A” in the DPDPA scenario depends on the Data Principal being able to exercise “Rights” under the law, rather than on the possibility of access being denied.

Apart from the modified CIA concept, personal data governance under DPDPA compliance also recognizes the financial value of data, represented by the V in the new concept.

The value itself can be looked at from the perspective of revenue-generating potential, which is V+, while the opportunity cost of inadequate compliance results in a financial loss, which is represented by V-.

Thus the CIA Triad needs to be expanded to five elements of personal data security, namely Modified Confidentiality, Modified Integrity, Modified Availability, Value preservation and Prevention of value loss through penalties.

Currently, the DGPSI Full version takes into account all five elements, and hopefully this practice will gain acceptance in the industry in due course.

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. He pioneered concepts such as ITA 2008 compliance and is also the founder of Cyber Law College, a virtual Cyber Law education institution. He has now been focusing on projects such as Secure Digital India and Cyber Insurance.
This entry was posted in Cyber Law.