Information assurance



Information assurance (IA) is the practice of managing information-related risks. More specifically, IA practitioners seek to protect and defend information and information systems by ensuring confidentiality, integrity, authentication, availability, and non-repudiation. These goals are relevant whether the information is in storage, processing, or transit, and whether it is threatened by malice or accident. In other words, IA is the process of ensuring that authorized users have access to authorized information at the authorized time.

Overview

Information assurance is closely related to information security and the terms are sometimes used interchangeably. However, IA’s broader connotation also includes reliability and emphasizes strategic risk management over tools and tactics. In addition to defending against malicious hackers and code (e.g., viruses), IA includes other corporate governance issues such as privacy, compliance, audits, business continuity, and disaster recovery. Further, while information security draws primarily from computer science, IA is interdisciplinary and draws from multiple fields, including fraud examination, forensic science, military science, management science, systems engineering, security engineering, and criminology, in addition to computer science. Therefore, IA is best thought of as a superset of information security. Information assurance is not just Computer Security because it includes security issues that do not involve computers.

The U.S. Government's National Information Assurance Glossary defines IA as:

"Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities."

History

In the 1960s, IA was not as complex as it is today. IA was as simple as controlling access to the computer room by locking the door and placing guards to protect it.

IA Concepts

Since the 1970s, information security has held confidentiality, integrity and availability (known as the CIA triad) as the core principles.

Confidentiality

Confidential information must only be accessed, used, copied, or disclosed by users who have been authorized, and only when there is a genuine need. A confidentiality breach occurs when information or information systems have been, or may have been, accessed, used, copied, or disclosed by someone who was not authorized to have access to the information.

For example: Permitting someone to look over your shoulder at your computer screen while you have confidential data displayed on it would be a breach of confidentiality if they were not authorized to have the information. If a laptop computer that contains employment and benefit information about 100,000 employees is stolen from a car (or is sold on eBay), this could result in a breach of confidentiality because the information is now in the hands of someone who is not authorized to have it. Giving out confidential information over the telephone is a breach of confidentiality if the caller is not authorized to have the information.

Integrity

Integrity means data cannot be created, changed, or deleted without proper authorization. It also means that data stored in one part of a database system is in agreement with other related data stored in another part of the database system (or another system).

For example: A loss of integrity occurs when an employee accidentally, or with malicious intent, deletes important data files. A loss of integrity can occur if a computer virus is released onto the computer. A loss of integrity can occur when an on-line shopper is able to change the price of the product they are purchasing.
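The on-line shopper case above can be caught on the server by tagging each line item with a keyed hash before it goes to the browser and checking the tag at checkout. The following is an added example, not part of the original article; the key, the catalogue and all function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed demo key; a real service would load it from a secrets store.
SERVER_KEY = b"demo-key-for-illustration-only"

# Constructed catalogue: the server's authoritative prices, in cents.
CATALOGUE = {"SKU-1001": 4999, "SKU-2002": 1250}


def _tag(sku: str, price_cents: int, qty: int) -> bytes:
    """HMAC-SHA256 over the fields that must not change in transit."""
    msg = f"{sku}|{price_cents}|{qty}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest().encode()


def issue_line_item(sku: str, qty: int) -> dict:
    """Line item as the server sends it to the browser."""
    price = CATALOGUE[sku]
    return {"sku": sku, "price_cents": price, "qty": qty,
            "tag": _tag(sku, price, qty).decode()}


def verify_line_item(item: dict) -> bool:
    """True only if sku, price and quantity still match the server's tag."""
    try:
        sku, tag = str(item["sku"]), str(item["tag"]).encode()
        price, qty = int(item["price_cents"]), int(item["qty"])
    except (KeyError, TypeError, ValueError):
        return False
    # Constant-time comparison avoids leaking how much of the tag matched.
    return hmac.compare_digest(tag, _tag(sku, price, qty))


def order_total(items: list) -> int:
    """Total in cents; refuses the whole order if any item was altered."""
    for item in items:
        if not verify_line_item(item):
            raise ValueError("integrity check failed for a line item")
    return sum(int(i["price_cents"]) * int(i["qty"]) for i in items)
```

Looking the price up again from the catalogue at checkout, and ignoring whatever price the client submits, achieves the same goal without a tag; the tag is useful when the issued price must be honoured later.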

Authenticity

Authenticity is necessary to ensure that the users or objects (like documents) are genuine (they have not been forged or fabricated).

For example: An authentication breach can occur when a user's login ID and password are used by unauthorized users to gain unauthorized access to information and/or information systems.

Availability

Availability means that the information, the computing systems used to process the information, and the security controls used to protect the information are all available and functioning correctly when the information is needed. The opposite of availability is denial of service (DoS).

For example: In 2000, Amazon, CNN, eBay, and Yahoo! were victims of a DoS attack (Techhawking, "Feb Attack 2000: DDOS Attack - analysis", February 2000, http://www.royans.net/rant/2000/06/06/feb-attack-2000-ddos-attack-analysis/, accessed 2008-04-09).

Non-repudiation

Non-repudiation implies that one party to a transaction cannot deny having received the transaction, nor can the other party deny having sent it.

For example: Electronic commerce uses technology such as digital signatures to establish authenticity and non-repudiation.

Information assurance process

The IA process typically begins with the enumeration and classification of the information assets to be protected. Next, the IA practitioner will perform a risk assessment. This assessment considers both the probability and impact of the undesired events. The probability component may be subdivided into threats and vulnerabilities. The impact component is usually measured in terms of cost. The product of these values is the total risk.

Based on the risk assessment, the IA practitioner will develop a risk management plan. This plan proposes countermeasures that involve mitigating, eliminating, accepting, or transferring the risks, and considers prevention, detection, and response. A framework, such as ISO 17799 or ISO/IEC 27002, may be utilized in designing this plan. Countermeasures may include tools such as firewalls and anti-virus software, policies and procedures such as regular backups and configuration hardening, training such as security awareness education, or restructuring such as forming a computer security incident response team (CSIRT) or computer emergency response team (CERT). The cost and benefit of each countermeasure are carefully considered. Thus, the IA practitioner does not seek to eliminate all risks, were that possible, but to manage them in the most cost-effective way.

After the risk management plan is implemented, it is tested and evaluated, perhaps by means of formal audits. The IA process is cyclical; the risk assessment and risk management plan are continuously revised and improved based on data gleaned from evaluation.
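The assessment and planning steps above can be worked through on a small asset register. This is an added example, not part of the original article: the events, figures and countermeasure effects are constructed, and it assumes that probability is the product of a yearly threat likelihood and a vulnerability, and that a countermeasure acts by scaling the vulnerability.

```python
from dataclasses import dataclass

@dataclass
class Event:
    name: str
    threat: float         # chance per year that the event is attempted/occurs
    vulnerability: float  # chance that an occurrence succeeds, 0..1
    impact: float         # cost of one successful occurrence

@dataclass
class Countermeasure:
    name: str
    annual_cost: float
    vuln_scale: dict      # event name -> multiplier on its vulnerability

def total_risk(events, chosen):
    """Sum of probability x impact with the chosen countermeasures applied."""
    total = 0.0
    for ev in events:
        probability = ev.threat * ev.vulnerability
        for cm in chosen:
            probability *= cm.vuln_scale.get(ev.name, 1.0)
        total += probability * ev.impact
    return total

def plan(events, options):
    """Greedily adopt whichever countermeasure removes the most risk net of
    its own cost, and stop when none pays for itself."""
    chosen, remaining = [], list(options)
    while remaining:
        base = total_risk(events, chosen)
        def net(cm):
            return base - total_risk(events, chosen + [cm]) - cm.annual_cost
        best = max(remaining, key=net)
        if net(best) <= 0:
            break         # what is left is cheaper to accept than to treat
        chosen.append(best)
        remaining.remove(best)
    return [cm.name for cm in chosen], total_risk(events, chosen)

# Constructed sample figures, for illustration only.
EVENTS = [
    Event("laptop theft", 0.8, 0.5, 100_000),
    Event("virus outbreak", 0.5, 0.4, 50_000),
    Event("server room fire", 0.01, 1.0, 200_000),
]
OPTIONS = [
    Countermeasure("disk encryption", 3_000, {"laptop theft": 0.1}),
    Countermeasure("anti-virus software", 2_000, {"virus outbreak": 0.25}),
    Countermeasure("second data centre", 50_000, {"server room fire": 0.1}),
]
```

With these figures `plan(EVENTS, OPTIONS)` adopts the first two countermeasures and leaves the fire risk accepted, because the third option costs more per year than the risk it removes.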

See also

* CIA triad
* ISO/IEC 27001
* ISO 9001
* ISO 17799
* McCumber cube

External links

Documentation

* [http://www.cabinetoffice.gov.uk/csia/ia_review UK Government]
* [http://www.albany.edu/acc/courses/ia/classics IA References]
* [http://www.ism3.com/index.php?option=com_docman&task=doc_download&gid=5&Itemid=9 Information Assurance XML Schema Markup Language]

* [http://www.dtic.mil/whs/directives/corres/html/850002.htm DoD Instruction 8500.2] Information Assurance (IA) Implementation
* [http://www.dtic.mil/whs/directives/corres/pdf/851001p.pdf DoD Instruction 8510.01] DoD Information Assurance Certification and Accreditation Process (DIACAP)

EMSEC

* [http://www.e-publishing.af.mil/shared/media/epubs/AFI33-203V1.pdf AFI 33-203 Vol 1], Emission Security (Soon to be AFSSI 7700)
* [http://www.e-publishing.af.mil/shared/media/epubs/AFI33-203V3.pdf AFI 33-203 Vol 3], EMSEC Countermeasures Reviews (Soon to be AFSSI 7702)
* AFI 33-201 Vol 8, Protected Distributed Systems (Soon to be AFSSI 7703)

COMPUSEC

*AFMAN 33-223, Identification and Authentication (Soon to be AFSSI 8520)
*AFI 33-202, Vol 6, Identity Management (Soon to be AFSSI 8520)
*(Biometrics) (Soon to be AFSSI 8521)
*AFI 33-202, Vol 1, Chapter 5, Access to Information Systems (Soon to be AFSSI 8522)
*AFI 33-202, Vol 1, Para 3.11, Cross-Domain Solutions (CDS) (Soon to be AFSSI 8540)
*AFI 33-202, Vol 1, Para 4.2, Network Security (Soon to be AFSSI 8550)
*AFI 33-137, Ports, Protocols, and Services (PPS) Management (Soon to be AFSSI 8551)
*AFI 33-230, Information Assurance Assessment and Assistance Program (Soon to be AFSSI 8560)
*AFI 33-219, Section C, Notice and Consent Procedures (Soon to be AFSSI 8561)
*AFSSI 5020, Remanence Security (Soon to be AFSSI 8580)

Organizations

* [http://www.nitrd.gov/subcommittee/csia.php Interagency Working Group on Cyber Security and Information Assurance (CSIA IWG) (US)]
* [http://www.nsa.gov/ia/ National Security Agency Information Assurance Directorate (NSA IAD) (US)]
* [http://www.cabinetoffice.gov.uk/csia/ia_review Government - Central Sponsor for Information Assurance (UK)]
* [http://www.nsa.gov/ia/industry/niap.cfm National Information Assurance Partnership (US)]
* [http://www.iaac.org.uk/ Information Assurance Advisory Council (UK)]
* [http://www.iatf.net/ Information Assurance Technical Framework Forum (US)]
* [http://iac.dtic.mil/iatac/ Information Assurance Technology Analysis Center, IATAC (US)]
* [http://iase.disa.mil/ditscap/ DoD Information Assurance Certification and Accreditation Process (DIACAP)(US)]

Education and certifications

The Master of Science in Information Assurance (MSIA) is a multidisciplinary degree program offered by many leading institutions which combines theory with applied learning in order to enable security practitioners in the field of information security.

There is a current and future need for information assurance professionals to support the security needs of the world's information infrastructure. Information Assurance has become a critical issue for businesses in the current era as they wrestle with the problems of external and internal network attack, cyberterrorism, access control systems and regulatory compliance requirements.

The MSIA degree is a multidisciplinary degree that creates professionals able to navigate and manage the many challenges presented by the demands of modern security and information science.

Colleges and universities in the United States with accredited Master of Science in Information Assurance or Masters of Information Assurance degree programs
* Capitol College, Master of Science in Information Assurance [http://www.capitol-college.edu/academicprograms/graduateprograms/msiae/index.shtml] Laurel, Maryland
* Dakota State University [http://www.dsu.edu/msia/] Madison, South Dakota
* Northeastern University, College of Computer and Information Science & College of Criminal Justice [http://www.ccs.neu.edu/graduate/msia.html] Boston, MA
* University of Detroit Mercy College of Business Administration [http://business.udmercy.edu/ia.php] Detroit, Michigan
* Walsh College of Accountancy and Business [http://www.walshcollege.edu/?id=846&sid=1] Troy, Michigan
* Norwich University [http://www.graduate.norwich.edu/infoassurance] Northfield, Vermont
* [http://www.defenselink.mil/cio-nii/infoassurance/diap/ Defense-Wide Information Assurance Program]
* [http://security.isu.edu/ Idaho State University Information Assurance Program]
* [http://mbaia.mgt.unm.edu/ University of New Mexico Information Assurance Program (Anderson School of Management)] Albuquerque, New Mexico
* [http://csepi.utdallas.edu/information_assurance.htm University of Texas at Dallas Information Assurance Program]
* [http://www.bus.iastate.edu/MSIA/ Iowa State Master of Science in Information Assurance]
* [http://www.nsa.gov/ia/academia/caeiae.cfm National Security Agency's Centers of Academic Excellence]
* [http://www.giac.org/ The SANS Institute’s Global Information Assurance Certification Program]
* [http://www.cert.org/sia/ CERT: Survivability and Information Assurance Curriculum]
* [http://www.amazon.com/dp/1599041715/ Book: Managing Information Assurance in Financial Services]
* [http://elamb.org/category/assurance/ security blog: Information Assurance]
* [http://www.nsa.gov/ia/academia/caeiae.cfm National Centers of Academic Excellence in Information Assurance Education (CAEIAE)]
* [http://niatec.info/(S(41xa2dq21etse3bfkbigso45))/index.aspx National Information Assurance Training and Education Center]
* [http://iase.disa.mil/eta/ IA Education, Training and Awareness]

* [http://www.cerias.purdue.edu/education/post_secondary_education/past_offerings/faculty_development/info_assurance_education/ Information Assurance Education Graduate Certificate Program]
* [http://coeia.edu.sa/en/ Center of Excellence in Information Assurance, King Saud University, Saudi Arabia]


Wikimedia Foundation. 2010.
