ESRI’s security guidance is based on two widely held principles:
- The Confidentiality, Integrity, Availability (CIA) Security Triad
- Defense-In-Depth (See diagram to right)
Throughout the Security Resource Center you will notice how these principles can be used to help choose appropriate security solutions for your organization, such as:
- The choice of an appropriate GIS Security Pattern is based on your organization's priorities among the CIA Triad components.
- Choosing multiple Security Mechanisms to work in parallel helps move an organization toward a Defense-In-Depth approach.
Confidentiality, Integrity, Availability (CIA) Security Triad
- This three-tiered model is a generally accepted component of assessing risks to sensitive information and establishing security policy.
- CIA is typically considered the de facto standard security model, consisting of three main areas:
  - Confidentiality – Preventing intentional or unintentional unauthorized disclosure
  - Integrity – Preventing unauthorized data modifications
  - Availability – Ensuring reliable and timely access to data
Defense-In-Depth
- This is a standard security strategy in which multiple layers of defense are placed throughout a solution.
- Computer security is often divided into three distinct master categories, commonly referred to as controls:
  - Physical
  - Policy (Administrative)
  - Technical
- ESRI’s Security guidance focuses primarily on the Technical controls and their related Security Mechanisms to help secure GIS solutions with ESRI products.
- Note that it is extremely important not to overlook the inclusion of Policy and Physical controls within the organization.