The CIA Triad deals with three important factors of security:
1. Information Confidentiality
2. Information Integrity
3. Information Availability
What other factors do you consider important for developing a comprehensive security policy?
I'd also like to suggest another A for Auditability.
This implies logging and analysis of those logs.
Being able to see who did what is a very important part of any overall security program.
...Information Accountability.
This covers InfoSec policies being enforceable, being widely known, and all stakeholders being properly educated.
With the rise in online transactions, as well as increased remote access and wireless connectivity, probably the addition of authentication and non-repudiation are good add-ons to the triad.
Authenticating the person into a system and making sure they are who they say they are seems like an obvious requirement. With the addition (expansion?) of multi-factor authentication methods throughout our everyday lives, this seems like an issue that needs to be taken very seriously. The days of using only a username/password combo are fading fast.
Non-repudiation deals with verifying that messages are sent by identifiable and verifiable senders - the sender cannot deny his message once he sends it.
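The two mechanisms raised in this thread, auditability ("who did what", with logs you can analyse) and non-repudiation (a sender cannot later deny a message), are usually built together: each audit record is signed by the actor's own key and chained to the previous record by hash. The following is an added example, not code from any poster, written in Go with only the standard library. The actor names, file paths, the registration of each actor's Ed25519 public key in a map, and the canonical field encoding are all assumptions made for the illustration; in a real deployment the keys would be enrolled out of band and the log would be written to append-only storage.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// AuditEntry is one "who did what to what" record. Seq and PrevHash chain the
// entries so deletion, insertion or reordering is detectable; Sig is the actor's
// Ed25519 signature over the entry, which is what gives non-repudiation: only
// the holder of the actor's private key could have produced it.
type AuditEntry struct {
	Seq      int
	Actor    string
	Action   string
	Object   string
	PrevHash [32]byte
	Sig      []byte
}

// canonical returns the bytes that get signed. Fields are length-prefixed so a
// crafted value cannot shift into a neighbouring field (assumed encoding).
func (e *AuditEntry) canonical() []byte {
	return []byte(fmt.Sprintf("%d|%d:%s|%d:%s|%d:%s|%x",
		e.Seq, len(e.Actor), e.Actor, len(e.Action), e.Action,
		len(e.Object), e.Object, e.PrevHash))
}

// digest chains the signed entry (content plus signature) into the next one.
func (e *AuditEntry) digest() [32]byte {
	return sha256.Sum256(append(e.canonical(), e.Sig...))
}

// AuditLog is an append-only, hash-chained, per-entry-signed log. pubkeys maps
// an actor name to the verification key registered for that actor.
type AuditLog struct {
	entries []AuditEntry
	pubkeys map[string]ed25519.PublicKey
}

func NewAuditLog(pubkeys map[string]ed25519.PublicKey) *AuditLog {
	return &AuditLog{pubkeys: pubkeys}
}

// Entries exposes the records (shares the backing array) for inspection.
func (l *AuditLog) Entries() []AuditEntry { return l.entries }

// Append records that actor performed action on object, signed with priv.
// The signing key must be the one registered for actor, so one user cannot
// write an entry in another user's name.
func (l *AuditLog) Append(actor, action, object string, priv ed25519.PrivateKey) error {
	pub, ok := l.pubkeys[actor]
	if !ok || !pub.Equal(priv.Public()) {
		return fmt.Errorf("append: key does not belong to actor %q", actor)
	}
	var prev [32]byte
	if n := len(l.entries); n > 0 {
		prev = l.entries[n-1].digest()
	}
	e := AuditEntry{Seq: len(l.entries), Actor: actor, Action: action, Object: object, PrevHash: prev}
	e.Sig = ed25519.Sign(priv, e.canonical())
	l.entries = append(l.entries, e)
	return nil
}

// Verify walks the chain and checks every signature. A nil error means no entry
// was altered, removed, reordered or written in someone else's name.
func (l *AuditLog) Verify() error {
	var prev [32]byte
	for i := range l.entries {
		e := &l.entries[i]
		if e.Seq != i {
			return fmt.Errorf("entry %d: sequence number %d (gap or reorder)", i, e.Seq)
		}
		if e.PrevHash != prev {
			return fmt.Errorf("entry %d: previous-hash mismatch (chain broken)", i)
		}
		pub, ok := l.pubkeys[e.Actor]
		if !ok {
			return fmt.Errorf("entry %d: unknown actor %q", i, e.Actor)
		}
		if !ed25519.Verify(pub, e.canonical(), e.Sig) {
			return fmt.Errorf("entry %d: signature by %q does not verify", i, e.Actor)
		}
		prev = e.digest()
	}
	return nil
}

// ActionsBy answers the auditability question "who did what": every
// "action object" pair recorded for actor, in order.
func (l *AuditLog) ActionsBy(actor string) []string {
	var out []string
	for _, e := range l.entries {
		if e.Actor == actor {
			out = append(out, e.Action+" "+e.Object)
		}
	}
	return out
}

func main() {
	// Constructed sample: two users, each with their own Ed25519 key pair.
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	bobPub, bobPriv, _ := ed25519.GenerateKey(rand.Reader)
	al := NewAuditLog(map[string]ed25519.PublicKey{"alice": alicePub, "bob": bobPub})

	_ = al.Append("alice", "read", "/payroll/2024.xlsx", alicePriv)
	_ = al.Append("bob", "update", "/hr/policy.md", bobPriv)
	_ = al.Append("alice", "delete", "/payroll/2023.xlsx", alicePriv)
	fmt.Println("intact:", al.Verify(), "alice did:", al.ActionsBy("alice"))

	// Bob cannot write an entry in Alice's name: his key is not hers.
	fmt.Println("forgery:", al.Append("alice", "read", "/secret", bobPriv))

	// Alice cannot later deny the deletion: editing the record breaks her signature.
	al.Entries()[2].Action = "read"
	fmt.Println("tampered:", al.Verify())
}
```

The signature supplies non-repudiation only to the extent that the private key really is held by that one person, which is why the thread's point about authentication (and multi-factor protection of the key) matters; the hash chain adds the auditability property that the log itself cannot be silently edited after the fact. An HMAC with a shared key would not do here: anyone holding the shared key could produce the same tag, so the actor could plausibly deny it.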
My 'periodic table' of security properties includes CIA and adds a 4th 'element' Accountability - defined as tracking the identity of persons or processes and their actions applied to the information asset. These 'elements' can be used to construct other 'molecules' such as non-repudiation.
The controls to prevent the compromise of the CIAvAc properties can be grouped into a number of categories, for example:
policy
technical (& physical) architecture
people
process
governance
I was hoping someone would come up with Accountability. It's a commonly overlooked, but very important, element of security policy.
Don't forget the other big triad in information security - AAA, authentication, authorization and accounting.