When looking at the availability element of the CIA triad, most definitions mention that availability is addressed through ensuring system up-time by using controls such as disaster recovery, business continuity, rate limiting to mitigate DoS (Denial of Service), etc.

Can the availability element also be addressed by ensuring that information is only available to certain users through technical controls such as access control, encryption, etc.?

user3382203
synthesis

1 Answer

"Only available to certain users" is not a measure of "availability". That's "confidentiality".

Making sure that information is available to users who need it is a measure of "availability". Redundancy, backups, load balancing, parallelism are technical controls that address availability.

Access control and encryption do not affect availability but affect confidentiality.

schroeder