When Three Becomes Four Becomes Twelve
The CIA Triad: Confidentiality, Integrity, Availability. Three principles that sound simple until you try to implement them. Most organizations discover security isn't a destination—it's a capability maturation journey measured in levels, not binaries.
The CIA Compliance Manager transforms abstract security into measurable progress. Documented in control-mapping.md, each CIA principle evolves through four maturity levels: Basic, Moderate, High, Very High. Not arbitrary labels—each level maps to specific controls from NIST SP 800-53 Rev. 5, NIST CSF 2.0, ISO/IEC 27001:2022. Evidence-based progression, not checkbox compliance theater.
Think for yourself: Security isn't binary (secure vs. insecure). It's a maturity spectrum where organizations climb through capability levels driven by risk tolerance, regulatory pressure, and honest threat assessment. Pretending you're "secure" when you're Basic maturity facing Advanced threats = self-deception ending in breach.
Bridging theory and practice: The tool translates CIA Triad principles (conceptual foundation) into framework controls (NIST, ISO, CIS implementation). This mapping enables organizations to stop arguing philosophy and start implementing traceable, auditable, improvable security. Abstractions without implementation are philosophy. Implementation without abstraction is chaos.
Illumination: Security maturity models reveal structure already present in organizational capability evolution. The CIA Triad's progression through maturity levels reflects how security programs naturally develop over time.
The Five Architectural Layers
React + TypeScript + Vite = modern web stack. But architecture transcends technology choices. The structure manifests in five layers regardless of implementation details.
1. 🎨 Presentation Layer: Radix UI Components
Five component categories: Forms (control input), Charts (data visualization), Tables (structured display), Dialogs (user interaction), Navigation (wayfinding). Each category contains 5-7 primitive components. Fibonacci range—small enough for cognitive load, large enough for composition.
Design system based on golden ratio: Typography scales by φ (1.618). Spacing grid in 5px increments. Color palettes with 5 shades per hue. Layout responsive at 5 breakpoints (mobile, tablet, laptop, desktop, ultrawide). Mathematics encoded in visual design.
Accessibility first: ARIA labels on 100% of interactive elements. Keyboard navigation supporting 5 navigation patterns (tab, arrow, escape, enter, space). Screen reader tested against 5 popular readers (NVDA, JAWS, VoiceOver, TalkBack, Narrator). WCAG 2.1 AAA compliance—not because required, because right.
UI that fights muscle memory fails usability. UI that aligns with user mental models succeeds. Our five component categories match how users think about compliance: data input, data review, data analysis, exception handling, workflow navigation.
2. 🧩 Application Layer: React State Management
Zustand stores organized in five domains: Assessment (current evaluation state), Controls (security control catalog), Frameworks (NIST/ISO/CIS mappings), Reports (generated outputs), Settings (user preferences). Each store self-contained. Cross-store communication via publish/subscribe—loose coupling.
State lifecycle in five phases: Initial (component mount), Loading (async fetch), Synced (remote data cached), Modified (user edits uncommitted), Persisted (changes saved). Clean transitions. No ambiguous states. Boolean flags would create 2^5 = 32 possible combinations—five-phase FSM maintains 5 valid states total.
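The five-phase lifecycle as an explicit finite-state machine, added here as an example (not the project's store code); the allowed transitions are an assumption modelled on the phase names above:

```typescript
// Added example: the Initial/Loading/Synced/Modified/Persisted lifecycle as an FSM.
// The transition table is an assumption for illustration, not the project's own.
type Phase = "Initial" | "Loading" | "Synced" | "Modified" | "Persisted";

// Every phase lists the only phases it may move to; anything else is rejected.
const TRANSITIONS: Record<Phase, readonly Phase[]> = {
  Initial: ["Loading"],
  Loading: ["Synced", "Initial"],     // fetch succeeded, or failed and reset
  Synced: ["Modified", "Loading"],    // user starts editing, or a refetch
  Modified: ["Persisted", "Synced"],  // save, or discard uncommitted edits
  Persisted: ["Modified", "Loading"], // edit again, or refetch
};

class LifecycleStore {
  private phase: Phase = "Initial";
  private readonly history: Phase[] = ["Initial"];

  get current(): Phase { return this.phase; }
  get trail(): readonly Phase[] { return this.history; }

  canTransition(next: Phase): boolean {
    return TRANSITIONS[this.phase].includes(next);
  }

  // The only way to change phase: an invalid edge throws instead of leaving
  // the store in an ambiguous state.
  transition(next: Phase): Phase {
    if (!this.canTransition(next)) {
      throw new Error(`invalid transition ${this.phase} -> ${next}`);
    }
    this.phase = next;
    this.history.push(next);
    return next;
  }
}

// Contrast with independent boolean flags: n flags allow 2^n combinations,
// most of them meaningless (loading and persisted at the same time).
function countBooleanCombinations(flags: number): number {
  return Math.pow(2, flags);
}

function validPhaseCount(): number {
  return Object.keys(TRANSITIONS).length;
}

// Drive one edit/save cycle and return the phases visited.
function runEditCycle(): Phase[] {
  const store = new LifecycleStore();
  for (const p of ["Loading", "Synced", "Modified", "Persisted"] as Phase[]) {
    store.transition(p);
  }
  return [...store.trail];
}
```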
React hooks custom-built: useAssessment, useControls, useFrameworks, useReports, useSettings. One hook per domain. Encapsulation through composability. Client code never directly touches stores—always through hooks interface.
Application state that leaks across boundaries creates maintenance nightmares. State contained within well-defined boundaries enables confident refactoring. Our five-domain separation proven through 85% test coverage—validated isolation.
3. 💼 Business Logic Layer: Compliance Calculations
The core intelligence. TypeScript pure functions implementing compliance mathematics. Five calculation engines:
- Maturity Scoring: 3 principles × 5 levels × 1 control type = 15 weighted scores aggregated via golden ratio
- Gap Analysis: Target state minus current state across 15 control points
- Risk Quantification: Likelihood × Impact scored 1-5, matrix producing 25 risk levels, clustered into 5 risk categories
- Control Mapping: NIST CSF, ISO 27001, CIS Controls, PCI-DSS, HIPAA = 5 frameworks auto-mapped to CIA Triad
- Trend Analysis: Time-series data showing maturity evolution over last 5 assessments
Mathematics validated through property-based testing: QuickCheck-style fuzzing generating 10,000 random inputs per function. Invariants verified: maturity scores always 0-100%, gaps always sum to zero (conservation law), risk levels always decrease with improved controls. Math that provably works.
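Two of the engines above as pure functions, with the "risk never increases as controls improve" invariant checked over the full 25-cell matrix; this is an added example, not the project's calculation code, and the five category thresholds are an assumption:

```typescript
// Added example: risk quantification and gap analysis as pure functions.
// The 1-5 scale, 25-cell matrix and five categories follow the page; the
// exact thresholds below are chosen for illustration, not the project's.
type Score = 1 | 2 | 3 | 4 | 5;
type RiskCategory = "Negligible" | "Low" | "Medium" | "High" | "Critical";

const SCORES: readonly Score[] = [1, 2, 3, 4, 5];
const CATEGORY_ORDER: readonly RiskCategory[] =
  ["Negligible", "Low", "Medium", "High", "Critical"];

// Likelihood x Impact yields a product in 1..25, clustered into five bands.
function riskCategory(likelihood: Score, impact: Score): RiskCategory {
  const product = likelihood * impact;
  if (product <= 2) return "Negligible";
  if (product <= 5) return "Low";
  if (product <= 10) return "Medium";
  if (product <= 16) return "High";
  return "Critical";
}

function rank(c: RiskCategory): number {
  return CATEGORY_ORDER.indexOf(c);
}

// Gap analysis: target minus current at each control point.
function gapAnalysis(target: number[], current: number[]): number[] {
  if (target.length !== current.length) throw new Error("length mismatch");
  return target.map((t, i) => t - current[i]);
}

// Distinct (likelihood, impact) cells in the matrix.
function matrixCellCount(): number {
  const cells = new Set<string>();
  for (const l of SCORES) for (const i of SCORES) cells.add(`${l}x${i}`);
  return cells.size;
}

// Property: improving a control (lowering likelihood or impact by one step)
// never raises the category. The space is small enough to check exhaustively,
// which subsumes what a QuickCheck-style random run would sample.
function monotonicityHolds(): boolean {
  for (const l of SCORES) {
    for (const i of SCORES) {
      const here = rank(riskCategory(l, i));
      if (l > 1 && rank(riskCategory((l - 1) as Score, i)) > here) return false;
      if (i > 1 && rank(riskCategory(l, (i - 1) as Score)) > here) return false;
    }
  }
  return true;
}
```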
Business logic that can't be tested without integration tests is too coupled. Business logic that runs identically in Node.js, browser, and Deno is pure enough for confidence. Our calculations are pure functions—testable, predictable, reliable.
4. 💾 Data Layer: IndexedDB Persistence
Client-side database for offline-first compliance. Five object stores: assessments, controls, frameworks, reports, metadata. Each store with indexed queries for fast retrieval.
Data schema versioning: Currently v5 (the synchronicity continues). Migration scripts for v1→v2, v2→v3, v3→v4, v4→v5. Each migration tested with real production data exports. No user data loss across five major schema evolutions.
Sync strategy: Local-first with optional cloud backup. User owns data in IndexedDB. Export to JSON/CSV anytime. Import from previous exports. No vendor lock-in. Data portability fundamental to trust.
GDPR by design: Right to access (export feature), right to erasure (clear database button), right to portability (standard JSON format), right to rectification (edit any field), right to restrict processing (offline mode default). Five rights, five features, one-to-one mapping.
Data persistence that requires network connectivity fails during internet outages—exactly when compliance review might be critical. Offline-first with optional sync provides resilience.
5. ☁️ Infrastructure Layer: Static Hosting + CDN
Simplest architecture wins. Static site hosted on GitHub Pages. CloudFlare CDN for global distribution. No server-side components = no server-side vulnerabilities. Attack surface: minimal.
Build pipeline in five stages: Lint (ESLint), Type-check (TypeScript), Test (Vitest), Build (Vite), Deploy (GitHub Actions). Each stage automated. Each stage blocking. Quality gates that actually gate.
Performance budget: First Contentful Paint < 1.5s, Time to Interactive < 3.5s, Largest Contentful Paint < 2.5s, Total Blocking Time < 300ms, Cumulative Layout Shift < 0.1. Five Core Web Vitals plus our own. Lighthouse CI enforcing thresholds on every commit. See budget.json.
Hosting costs: $0/month. GitHub Pages free for public repos. CloudFlare free tier sufficient. Open-source compliance tool with zero hosting fees. Sustainability through simplicity.
Infrastructure complexity creates operational burden. Serverless architecture isn't always the answer—sometimes stateless client-side is simpler still. Choose simplicity unless complexity proves necessary.
CIA Triad Decomposed: Progressive Security Maturity
Each CIA principle progresses through four security levels. As documented in control-mapping.md, this four-level maturity model maps to industry-standard frameworks:
🔒 Confidentiality Maturity Levels
From control-mapping.md, each level mapped to NIST 800-53, NIST CSF 2.0, and ISO 27001:
- Basic Level: Public data handling with basic HTTPS, simple authentication, minimal access controls (AC-3, IA-5 Basic, PR.IM-1, A.9.4.1)
- Moderate Level: Restricted data with strong encryption at rest and in transit, role-based access control, security monitoring (SC-28, SC-8, AC-2, SI-4, PR.DS-1/2, A.10.1.1, A.13.2.3)
- High Level: Confidential data with multi-factor authentication, advanced encryption, SIEM solutions, DLP controls, PAM (IA-2(1), SC-13, SI-4(2), AC-6, PR.IM-3, A.9.4.2, A.8.2.3)
- Very High Level: Secret data with quantum-resistant algorithms, hardware security modules, air-gapped systems, advanced threat detection, physical security, secure facilities (SC-13 Enhanced, SC-12(3), SC-7(5), PE-3, PE-18, PR.PS, A.10.1.2, A.11.1.3)
🛡️ Integrity Maturity Levels
- Basic Level: Manual validation, basic access logs, simple backup (SI-10 Basic, AU-2 Basic, CP-9 Basic, DE.CM-7, A.12.4.1)
- Moderate Level: Automated validation rules, audit logging, error detection, version control (SI-10(5), AU-12, SI-11, CM-3, PR.DS-6, A.14.2.8, A.12.1.2)
- High Level: Distributed ledger solutions, cryptographic verification, complete audit trails, blockchain engineers (SC-16, SC-13, AU-10, AT-3, PR.DS-8/6, A.14.1.3, A.12.4.4)
- Very High Level: Smart contract execution, automated governance, advanced cryptography, real-time compliance verification, regular code audits (SI-7, CM-3, SC-12, SA-11, PR.DS-6, A.14.2.8, A.10.1.2)
⚡ Availability Maturity Levels
- Basic Level: Manual backup procedures, basic recovery documentation, SPOF identification (CP-9, CP-2, ID.BE-5, A.12.3.1, A.17.1.1, A.11.2.2)
- Moderate Level: Pilot light with automated recovery scripts, standby systems, limited redundancy, regular failover testing (CP-10, CP-6, SC-6, CP-4, PR.DS-4, RC.TE, A.17.2.1)
- High Level: Warm standby with partially active redundancy, real-time data replication, automated failover, 24/7 monitoring (CP-7(1), CP-9(5), CP-10(4), SI-4, DE.CM, A.17.1.2, A.12.4.1)
- Very High Level: Multi-site active/active deployment, global load balancing, zero data loss automatic failover, dedicated SRE, cross-region testing (CP-7(3), SC-5, CP-10(2), CP-2(2), CP-4(2), RC.RP-4, A.17.1.3)
Control mapping transparency: View complete NIST 800-53, NIST CSF 2.0, and ISO 27001 control mappings in control-mapping.md. Each level includes specific controls, implementation guidance, and framework references.
Maturity models with too few levels are too coarse for nuanced assessment. Too many levels create false precision. Four levels balance granularity with practical implementation guidance.
Framework Integration: Universal Control Mapping
Security compliance transcends individual frameworks. The control-mapping.md demonstrates how the CIA Triad maps to three major industry-standard frameworks:
1. NIST SP 800-53 Rev. 5
Security and Privacy Controls for Information Systems and Organizations. Comprehensive control catalog providing detailed security and privacy controls across 20 families. Each CIA maturity level mapped to specific 800-53 controls with enhancement levels.
Examples: AC-3 (Access Enforcement), SC-28 (Protection of Information at Rest), CP-9 (System Backup), SI-10 (Information Input Validation). Complete mapping in control-mapping.md shows progression from basic to very high controls.
2. NIST Cybersecurity Framework 2.0
Framework for Improving Critical Infrastructure Cybersecurity. Risk-based approach organized into six core functions: Govern, Identify, Protect, Detect, Respond, Recover. Outcome-focused rather than prescriptive.
CIA Triad integration: Confidentiality maps to Protect.Data Security (PR.DS), Integrity maps to Protect.Data Security and Detect.Continuous Monitoring (DE.CM), Availability maps to Protect.Data Security and Recover.Recovery Planning (RC.RP).
3. ISO/IEC 27001:2022
Information Security Management Systems Requirements. International standard for ISMS with Annex A controls covering organizational, people, physical, and technological security. Certification-ready framework.
Control alignment: A.9 (Access control), A.10 (Cryptography), A.12 (Operations security), A.14 (System acquisition and development), A.17 (Business continuity). Enables gap analysis for ISO 27001 certification readiness.
Multi-framework value: Organizations facing multiple compliance requirements can use the CIA Triad as a common foundation, then map to specific framework controls. Single implementation satisfying multiple regulatory requirements through systematic control mapping.
Framework compliance without understanding underlying principles creates checkbox security. Understanding CIA Triad principles enables framework-agnostic security thinking that adapts to new requirements.
C4 Models: Five Views of Compliance
Context → Container → Component → Code → Cloud. The pattern persists. Full diagrams in repository.
System Context: Compliance Manager, Security Frameworks (NIST/ISO/CIS/PCI/HIPAA), IndexedDB, GitHub OAuth (optional), CloudFlare CDN. Five external systems interacting with our application. Minimal dependencies = minimal attack surface.
Container View: React SPA (single runtime container) + five data stores (IndexedDB object stores) + five framework definition files (JSON schemas). Architecture so simple it fits on one diagram.
Component Diagram: Five React component families (forms, charts, tables, dialogs, navigation) + five Zustand stores (assessment, controls, frameworks, reports, settings) + five calculation engines (maturity, gap, risk, mapping, trend). Fractal fives.
Code Organization: Five top-level directories: components/ (presentation), store/ (state), logic/ (business rules), data/ (schemas), tests/ (validation). Each directory subdivided into five categories. Recursive structure.
Deployment: Vite build → GitHub Actions CI → GitHub Pages hosting → CloudFlare CDN → 5 global regions. From localhost to worldwide in 5 steps. Simplicity enabling velocity.
Architecture diagrams that don't match code rot immediately. Our C4 models generated from TypeScript types + architecture decision records. Automation preventing doc/code divergence.
Developer Experience: The Fifth Pillar
Often forgotten. Never optional. Architecture serving developers serving users. Five DX principles:
- Type Safety Everywhere: TypeScript strict mode. Zero `any` types. Compile-time error detection. Runtime errors prevented by type system. 100% type coverage validated by `tsc --noEmit`.
- Fast Feedback Loops: Vite HMR updating in < 50ms. Vitest tests completing in < 5 seconds. ESLint linting in < 2 seconds. Type-check in < 10 seconds. No waiting for builds. Flow state maintained.
- Comprehensive Testing: 85% code coverage (target: 90% by year 2). Unit tests for logic, integration tests for stores, E2E tests for workflows, property-based tests for invariants, visual regression tests for UI. Five test types catching five error types.
- Clear Documentation: TypeDoc for API docs, Mermaid for diagrams, README for getting started, ARCHITECTURE.md for design decisions, CONTRIBUTING.md for collaboration. Five doc types for five audience types (users, developers, architects, contributors, auditors).
- Automated Quality Gates: Pre-commit hooks (lint + type-check), CI pipeline (test + build), Lighthouse (performance), Dependency scanning (security), License compliance (FOSSA). Five gates preventing five bug categories from reaching production.
Evidence of DX excellence: OpenSSF Scorecard 7.4/10. CII Best Practices badge. SLSA Level 3. Public proof of development hygiene.
Developer experience that frustrates developers creates technical debt through shortcuts taken in frustration. DX that enables flow creates technical excellence through joy in craftsmanship.
Future Architecture: The Next Five Years
Where does the architecture evolve? Full roadmap in FUTURE_ARCHITECTURE.md. Five major enhancements:
Year 1: Collaborative Assessments
Multi-user simultaneous editing. Conflict resolution via CRDTs. Real-time sync. Audit trail showing who changed what when. Team compliance without email ping-pong.
Year 2: AI-Powered Recommendations
Machine learning suggesting controls based on industry, company size, threat landscape. GPT-4 integration explaining compliance requirements in plain language. Automation reducing consultant dependency.
Year 3: Continuous Compliance Monitoring
API integrations with security tools. Automated evidence collection. Real-time maturity scoring. Compliance drift detection. Shift-left compliance into development workflow.
Year 4: Blockchain Audit Trail
Immutable assessment history. Cryptographic proof of compliance posture at any point in time. Auditor verification through smart contracts. Trust through mathematics.
Year 5: Quantum-Ready Security
Post-quantum cryptography for data protection. Quantum-resistant signatures for audit logs. Future-proofing against quantum threat while quantum computers still experimental.
Investment timeline: 10% of development effort year 1, scaling to 20% by year 5. Fibonacci-adjacent growth matching capability maturity. Sustainable innovation without feature bloat.
Architectural Wisdom: What I Learned
Building a compliance automation tool taught me:
- Three is incomplete. Five is complete. CIA Triad feels authoritative because it's three. But three maturity levels are insufficient. Five levels provide nuance. The trinity concealing the pentacle.
- Client-side architecture reduces compliance scope. No server = no server vulnerabilities. No user data stored server-side = no GDPR server requirements. Simplicity through subtraction.
- Framework mappings unlock competitive advantage. Consultants monetize knowing NIST + ISO + CIS + PCI + HIPAA separately. We codified the mappings—open source. Democratizing compliance knowledge.
- Type safety prevents entire bug classes. TypeScript catching errors at compile-time vs. JavaScript discovering them in production. Worth the ceremony. Runtime confidence through static analysis.
- Automated evidence > manual documentation. OpenSSF Scorecard, SLSA attestations, test coverage reports, Lighthouse scores—continuous proof of quality. Can't fake automation. Can fake manual claims.
Architecture is frozen design decisions. Good architecture freezes the right decisions. Bad architecture freezes wrong decisions then fights every change. Our five-layer structure enables change by containing it.
Explore the Sacred Geometry
See the patterns yourself:
Think for yourself. Run the tool. Review the code. Map your own frameworks. The CIA Triad + Law of Fives pattern works because it reflects information security reality, not because we documented it. We just made the pattern visible.
Simon Moon, System Architect, Hack23 AB
"Three principles, five levels, fifteen control points. The trinity becomes pentacle becomes sacred geometry."