Cheetsheet on what questions you should ask when following the CIA Triad.


Confidentiality ensures that information is accessible only to those authorized to have access.

  1. Who should have access to this information?
    • Identify the users or groups that need access to the information.
  2. What are the potential risks of unauthorized access?
    • Assess the potential damage or loss if information is accessed by unauthorized individuals.
  3. How is access to the information controlled?
    • Determine the mechanisms in place (e.g., authentication, authorization, encryption) to control access.
  4. Are there adequate measures to protect against data breaches?
    • Evaluate the security measures (e.g., firewalls, VPNs, access controls) to prevent data breaches.
  5. How is sensitive data protected during transmission and storage?
    • Verify the use of encryption and secure communication protocols (e.g., TLS, SSL) for data in transit and at rest.


Integrity ensures that information is accurate and reliable and has not been tampered with.

  1. How is data integrity maintained?
    • Identify the processes and technologies in place to ensure data remains accurate and unaltered (e.g., checksums, digital signatures).
  2. What mechanisms are in place to detect data corruption or unauthorized modifications?
    • Determine the tools and methods used to detect data integrity issues (e.g., hashing, version control).
  3. How are changes to data tracked and logged?
    • Assess the logging and audit trails in place to monitor data changes and identify potential integrity breaches.
  4. Are there processes for regular data validation and verification?
    • Verify the existence of procedures for routine data integrity checks and audits.
  5. How is integrity ensured across different systems and data transfers?
    • Evaluate the consistency and reliability of data as it moves between systems and during data transfers.


Availability ensures that information and resources are available when needed.

  1. What are the critical systems and data that need to be available?
    • Identify the key systems and data essential for business operations.
  2. What are the potential threats to system and data availability?
    • Assess the risks that could lead to system downtime or data inaccessibility (e.g., hardware failures, DDoS attacks).
  3. What measures are in place to ensure high availability and redundancy?
    • Determine the use of redundant systems, failover mechanisms, and load balancing.
  4. How is system performance and uptime monitored?
    • Verify the monitoring tools and practices used to track system performance and detect availability issues.
  5. What is the disaster recovery and business continuity plan?
    • Evaluate the plans and procedures in place for recovering from disruptions and ensuring business continuity.
  6. How quickly can services be restored after an outage?
    • Assess the recovery time objectives (RTOs) and recovery point objectives (RPOs) to understand the expected downtime and data loss limits.