Information assurance

Information assurance (IA) is the practice of assuring information and managing risks related to the use, processing, storage, and transmission of information. Information assurance includes protection of the integrity, availability, authenticity, non-repudiation and confidentiality of user data. [1] IA encompasses both digital protections and physical techniques. These methods apply to data in transit, both physical and electronic forms, as well as data at rest. IA is best thought of as a superset of information security (i.e. umbrella term), and as the business outcome of information risk management.

Overview

[Figure: The McCumber Cube, one of the common information assurance schematics]

Information assurance (IA) is the process of processing, storing, and transmitting the right information to the right people at the right time. [1] IA relates to the business level and strategic risk management of information and related systems, rather than the creation and application of security controls. IA is used to benefit business through the use of information risk management, trust management, resilience, appropriate architecture, system safety, and security, which increases the utility of information to only their authorized users.

Besides defending against malicious hackers and code (e.g., viruses), IA practitioners consider corporate governance issues such as privacy, regulatory and standards compliance, auditing, business continuity, and disaster recovery as they relate to information systems. Further, IA is an interdisciplinary field requiring expertise in business, accounting, user experience, fraud examination, forensic science, management science, systems engineering, security engineering, and criminology, in addition to computer science.

Evolution

With the growth of telecommunication networks also comes dependency on those networks, which makes communities increasingly vulnerable to cyber attacks that could interrupt, degrade or destroy vital services. [2] Starting in the 1950s, the role and use of information assurance has grown and evolved. Feedback-loop practices of this kind were employed while developing the WWMCCS military decision support systems.

[Figure: OODA feedback loop diagram]

In the beginning, information assurance involved just backing up data. [3] However, once the volume of information increased, information assurance began to become automated, reducing operator intervention and allowing the creation of instant backups. [3] The latest main development of information assurance is the implementation of distributed systems for the processing and storage of data, through techniques like SANs and NAS, plus the use of cloud computing. [4] [5] [3]

These three main developments of information assurance parallel the three generations of information technologies: the first used to prevent intrusions, the second to detect intrusions and the third for survivability. [6] [7] Information assurance is a collaborative effort of all sectors of life to allow a free and equal exchange of ideas.

Pillars

Information assurance is built on five pillars: availability, integrity, authentication, confidentiality and non-repudiation. [8] These pillars are taken into account to protect systems while still allowing them to provide services efficiently; however, the pillars do not act independently of one another, and each can interfere with the goals of the others. [8] These pillars of information assurance have gradually come to be referred to as the pillars of cyber security. As an administrator, it is important to emphasize the pillars needed to achieve the desired result for the information system, balancing service against privacy.

Authentication

Authentication refers to the verification of the validity of a transmission, originator, or process within an information system. [9] Authentication gives the recipient confidence in the validity of the data sender as well as the validity of their message. [8] There exist many ways to bolster authentication, broadly falling into three categories: personally identifiable information such as a person's name, address or telephone number; possession of a key token; or known information, such as passwords. [10]

Integrity

Integrity refers to the protection of information from unauthorized alteration. [3] The goal of information integrity is to ensure data is accurate throughout its entire lifespan. [11] [12] User authentication is a critical enabler for information integrity. [8] Information integrity is a function of the number of degrees of trust existing between the ends of an information exchange. [12] One way information integrity risk is mitigated is through the use of redundant chip and software designs. [13] A failure of authentication could pose a risk to information integrity, as it would allow an unauthorized party to alter content. For example, if a hospital has inadequate password policies, an unauthorized user could gain access to an information system governing the delivery of medication to patients and alter the treatment course to the detriment of a particular patient. [12]

Availability

The pillar of availability refers to preserving data so that it can be retrieved or modified by authorized individuals. Higher availability is achieved through an increase in storage system or channel reliability. [8] Breaches in information availability can result from power outages, hardware failures, DDoS attacks, and so on. The goal of high availability is to preserve access to information. Availability of information can be bolstered by the use of backup power, spare data channels, off-site capabilities and continuous signal. [12]

Confidentiality

Confidentiality is in essence the opposite of integrity: confidentiality is a security measure that controls who is able to access the data, by shielding who has access to the information, [8] whereas integrity shields who can change the information. Confidentiality is often ensured through the use of cryptography and steganography. [3] Confidentiality can be seen in the classification and information superiority of international operations such as those of NATO. [14] Information assurance confidentiality in the United States needs to follow HIPAA and healthcare-provider security policy, information labeling and need-to-know regulations to ensure nondisclosure of information. [12]

Non-repudiation

Non-repudiation is the integrity of the data with respect to its origin, which prevents denial that an action occurred. [3] [1] Increasing non-repudiation makes it more difficult to deny that the information came from a certain source; in other words, it makes it impossible to dispute the source or authenticity of the data. Threats to non-repudiation involve the reduction of data integrity while that data is in transit, usually through a man-in-the-middle attack or phishing. [15]

Interactions of Pillars

As stated earlier, the pillars do not operate independently of one another; some pillars impede the functioning of others, while in other cases they reinforce them. [8] For example, increasing the availability of information works directly against the goals of three other pillars: integrity, authentication and confidentiality. [8]

Process

The information assurance process typically begins with the enumeration and classification of the information assets to be protected. Next, the IA practitioner will perform a risk assessment for those assets. [16] Vulnerabilities in the information assets are determined in order to enumerate the threats capable of exploiting the assets. The assessment then considers both the probability and impact of a threat exploiting a vulnerability in an asset, with impact usually measured in terms of cost to the asset's stakeholders. [17] The sum of the products of the threats' impact and the probability of their occurring is the total risk to the information asset.

With the risk assessment complete, the IA practitioner then develops a risk management plan. This plan proposes countermeasures that involve mitigating, eliminating, accepting, or transferring the risks, and considers prevention, detection, and response to threats.

A framework published by a standards organization, such as NIST RMF, Risk IT, CobiT, PCI DSS or ISO/IEC 27002, may guide development. Countermeasures may include technical tools such as firewalls and anti-virus software, policies and procedures requiring such controls as regular backups and configuration hardening, employee training in security awareness, or organizing personnel into a dedicated computer emergency response team (CERT) or computer security incident response team (CSIRT). The cost and benefit of each countermeasure are carefully considered. Thus, the IA practitioner does not seek to eliminate all risks, but to manage them in the most cost-effective way. [18]

After the risk management plan is implemented, it is tested and evaluated, often by means of formal audits. [16] The IA process is an iterative one, in that the risk assessment and risk management plan are meant to be periodically revised and improved based on data gathered about their completeness and effectiveness. [2]
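As an added worked example (not code from the article or its sources), the following Python models the process just described for one constructed asset: a threat register, total risk computed as the sum of probability times impact, and a treatment plan that adopts a countermeasure only when its expected loss reduction exceeds its cost, so that each threat ends up mitigated, transferred or accepted. The asset, threats, probabilities and costs are all constructed values.

```python
# Added worked example, not from the article or its sources: a minimal risk
# register applying the process above to one constructed asset. Risk is computed
# as the article defines it: sum over threats of probability x impact.
from dataclasses import dataclass

@dataclass
class Threat:
    name: str
    vulnerability: str          # weakness the threat can exploit
    probability: float          # annual likelihood of exploitation (0..1)
    impact: float               # cost to stakeholders if it happens

@dataclass
class Countermeasure:
    name: str
    threat: str                 # threat it addresses
    treatment: str              # "mitigate", "eliminate" or "transfer"
    annual_cost: float
    probability_reduction: float = 0.0   # fraction of likelihood removed
    impact_reduction: float = 0.0        # fraction of cost removed (e.g. insurance)

@dataclass
class RiskPlan:
    chosen: list
    rejected: list
    treatments: dict            # threat name -> treatments applied, or ["accept"]
    residual_risk: float
    annual_control_cost: float

def total_risk(threats):
    """Total risk to the asset: sum of probability x impact over all threats."""
    return sum(t.probability * t.impact for t in threats)

def plan(threats, candidates):
    """Adopt a countermeasure only when its expected loss reduction exceeds its
    cost, judged against the risk left after earlier choices for the same threat.
    Threats with no cost-effective control are accepted as residual risk."""
    residual = {t.name: (t.probability, t.impact) for t in threats}
    treatments = {t.name: [] for t in threats}
    chosen, rejected = [], []
    for c in candidates:
        p, i = residual[c.threat]
        p_after = p * (1 - c.probability_reduction)
        i_after = i * (1 - c.impact_reduction)
        if p * i - p_after * i_after > c.annual_cost:   # benefit must exceed cost
            chosen.append(c)
            residual[c.threat] = (p_after, i_after)
            treatments[c.threat].append(c.treatment)
        else:
            rejected.append(c)
    for applied in treatments.values():
        if not applied:
            applied.append("accept")
    return RiskPlan(chosen, rejected, treatments,
                    sum(p * i for p, i in residual.values()),
                    sum(c.annual_cost for c in chosen))

# Constructed register for a hypothetical hospital patient-records system.
THREATS = [
    Threat("Credential theft", "weak password policy", 0.30, 200_000),
    Threat("Ransomware outage", "unpatched file server", 0.10, 500_000),
    Threat("Backup media loss", "unencrypted off-site tapes", 0.05, 40_000),
]
CANDIDATES = [
    Countermeasure("Multi-factor authentication", "Credential theft", "mitigate",
                   15_000, probability_reduction=0.8),
    Countermeasure("Monthly patch cycle", "Ransomware outage", "mitigate",
                   20_000, probability_reduction=0.5),
    Countermeasure("Cyber insurance", "Ransomware outage", "transfer",
                   12_000, impact_reduction=0.6),
    Countermeasure("Encrypt backup tapes", "Backup media loss", "mitigate",
                   5_000, impact_reduction=0.9),
]

if __name__ == "__main__":
    result = plan(THREATS, CANDIDATES)
    print(f"risk before: {total_risk(THREATS):,.0f}  residual: {result.residual_risk:,.0f}")
    print(result.treatments)
```

On this register the tape-encryption control is rejected because its expected saving is below its cost, so that threat is carried as accepted residual risk; re-running the plan with updated probabilities is the periodic revision the process calls for.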

There are two meta-techniques with information assurance: audit and risk assessment. [16]

Business Risk Management

Business risk management breaks down into three main processes: risk assessment, risk mitigation, and evaluation and assessment. Information assurance is one of the methodologies that organizations use to implement business risk management, for example through information assurance policies like the "BRICK" framework. [1] Additionally, business risk management is also undertaken to comply with federal and international laws regarding the release and security of information, such as HIPAA. [19]

Information assurance can be aligned with corporate strategies through training and awareness, senior management involvement and support, and intra-organizational communication, allowing for greater internal control and business risk management. [20]

Many security executives in firms are moving to a reliance on information assurance to protect intellectual property, protect against potential data leakage, and protect users against themselves. [17] While information assurance is good at ensuring certain pillars, such as confidentiality and non-repudiation, because of their conflicting nature an increase in security often comes at the expense of speed. [8] [17] Using information assurance in the business model improves reliable management decision-making, customer trust, business continuity and good governance in both public and private sectors. [21]

Standards organizations and standards

There are a number of international and national bodies that issue standards on information assurance practices, policies, and procedures. In the UK, these include the Information Assurance Advisory Council and the Information Assurance Collaboration Group. [4]


References

Notes
  1. Sosin, Artur (2018-04-01). "How to Increase the Information Assurance in the Information Age". Journal of Defense Resources Management. 9 (1): 45–57. ISSN 2068-9403.
  2. McConnell, M. (April 2002). "Information assurance in the twenty-first century". Computer. 35 (4): supl16–supl19. doi:10.1109/MC.2002.1012425. ISSN 0018-9162.
  3. Cummings, R. (December 2002). "The evolution of information assurance". Computer. 35 (12): 65–72. doi:10.1109/MC.2002.1106181. ISSN 0018-9162.
  4. Pringle, Nick; Burgess, Mikhaila (May 2014). "Information assurance in a distributed forensic cluster". Digital Investigation. 11: S36–S44. doi:10.1016/j.diin.2014.03.005.
  5. Chakraborty, Rajarshi; Ramireddy, Srilakshmi; Raghu, T.S.; Rao, H. Raghav (July 2010). "The Information Assurance Practices of Cloud Computing Vendors". IT Professional. 12 (4): 29–37. doi:10.1109/mitp.2010.44. ISSN 1520-9202. S2CID 8059538.
  6. Luenam, P.; Liu, Peng (2003). "The design of an adaptive intrusion tolerant database system". Foundations of Intrusion Tolerant Systems, 2003 [Organically Assured and Survivable Information Systems]. IEEE. pp. 14–21. doi:10.1109/fits.2003.1264925. ISBN 0-7695-2057-X. S2CID 14058057.
  7. Liu, Peng; Zang, Wanyu (2003). "Incentive-based modeling and inference of attacker intent, objectives, and strategies". Proceedings of the 10th ACM Conference on Computer and Communications Security. New York, New York, USA: ACM Press. p. 179. doi:10.1145/948109.948135. ISBN 1-58113-738-9. S2CID 3897784.
  8. Wilson, Kelce S. (July 2013). "Conflicts Among the Pillars of Information Assurance". IT Professional. 15 (4): 44–49. doi:10.1109/mitp.2012.24. ISSN 1520-9202. S2CID 27170966.
  9. Sadiku, Matthew; Alam, Shumon; Musa, Sarhan (2017). "Information Assurance Benefits and Challenges: An Introduction". procon.bg. Retrieved 2020-11-28.
  10. San Nicolas-Rocca, Tonia; Burkhard, Richard J. (2019-06-17). "Information Security in Libraries". Information Technology and Libraries. 38 (2): 58–71. doi:10.6017/ital.v38i2.10973. ISSN 2163-5226.
  11. Boritz, J. Efrim (December 2005). "IS practitioners' views on core concepts of information integrity". International Journal of Accounting Information Systems. 6 (4): 260–279. doi:10.1016/j.accinf.2005.07.001.
  12. Schou, C.D.; Frost, J.; Maconachy, W.V. (January 2004). "Information assurance in biomedical informatics systems". IEEE Engineering in Medicine and Biology Magazine. 23 (1): 110–118. doi:10.1109/MEMB.2004.1297181. ISSN 0739-5175. PMID 15154266. S2CID 7746947.
  13. Yan, Aibin; Hu, Yuanjie; Cui, Jie; Chen, Zhili; Huang, Zhengfeng; Ni, Tianming; Girard, Patrick; Wen, Xiaoqing (2020-06-01). "Information Assurance Through Redundant Design: A Novel TNU Error-Resilient Latch for Harsh Radiation Environment". IEEE Transactions on Computers. 69 (6): 789–799. doi:10.1109/tc.2020.2966200. ISSN 0018-9340. S2CID 214408357.
  14. Hanna, Michael; Granzow, David; Bolte, Bjorn; Alvarado, Andrew (2017). "NATO Intelligence and Information Sharing: Improving NATO Strategy for Stabilization and Reconstruction Operations". Connections: The Quarterly Journal. 16 (4): 5–34. doi:10.11610/connections.16.4.01. ISSN 1812-1098.
  15. Chen, Chin-Ling; Chiang, Mao-Lun; Hsieh, Hui-Ching; Liu, Ching-Cheng; Deng, Yong-Yuan (2020-05-08). "A Lightweight Mutual Authentication with Wearable Device in Location-Based Mobile Edge Computing". Wireless Personal Communications. 113 (1): 575–598. doi:10.1007/s11277-020-07240-2. ISSN 0929-6212. S2CID 218934756.
  16. Such, Jose M.; Gouglidis, Antonios; Knowles, William; Misra, Gaurav; Rashid, Awais (July 2016). "Information assurance techniques: Perceived cost effectiveness". Computers & Security. 60: 117–133. doi:10.1016/j.cose.2016.03.009.
  17. Johnson, M. E.; Goetz, E.; Pfleeger, S. L. (May 2009). "Security through Information Risk Management". IEEE Security & Privacy. 7 (3): 45–52. doi:10.1109/MSP.2009.77. ISSN 1558-4046. S2CID 30062820.
  18. Singh, R.; Salam, A.F. (May 2006). "Semantic information assurance for secure distributed knowledge management: a business process perspective". IEEE Transactions on Systems, Man, and Cybernetics - Part A: Systems and Humans. 36 (3): 472–486. doi:10.1109/TSMCA.2006.871792. ISSN 1083-4427. S2CID 10191333.
  19. Park, Insu; Sharman, Raj; Rao, H. Raghav (2015-02-02). "Disaster Experience and Hospital Information Systems: An Examination of Perceived Information Assurance, Risk, Resilience, and HIS Usefulness". MIS Quarterly. 39 (2): 317–344. doi:10.25300/misq/2015/39.2.03. ISSN 0276-7783.
  20. McFadzean, Elspeth; Ezingeard, Jean-Noël; Birchall, David (2011-04-08). "Information Assurance and Corporate Strategy: A Delphi Study of Choices, Challenges, and Developments for the Future". Information Systems Management. 28 (2): 102–129. doi:10.1080/10580530.2011.562127. ISSN 1058-0530. S2CID 11624922.
  21. Ezingeard, Jean-Noël; McFadzean, Elspeth; Birchall, David (March 2005). "A Model of Information Assurance Benefits". Information Systems Management. 22 (2): 20–29. doi:10.1201/1078/45099.22.2.20050301/87274.3. ISSN 1058-0530. S2CID 31840083.
Documentation

Information assurance has also evolved due to social media.