- Information assurance
Information assurance (IA) is the practice of managing information-related risks. More specifically, IA practitioners seek to protect and defend information and information systems by ensuring
confidentiality ,integrity ,authentication ,availability , andnon-repudiation . These goals are relevant whether the information are in storage, processing, or transit, and whether threatened by malice or accident. In other words, IA is the process of ensuring that authorized users have access to authorized information at the authorized time.Overview
Information assurance is closely related to
information security and the terms are sometimes used interchangeably. However, IA’s broader connotation also includes reliability and emphasizes strategicrisk management over tools and tactics. In addition to defending against malicious hackers and code (e.g.,virus es), IA includes othercorporate governance issues such asprivacy , compliance,audits , business continuity, anddisaster recovery . Further, while information security draws primarily fromcomputer science , IA is interdisciplinary and draws from multiple fields, includingfraud examination,forensic science ,military science ,management science ,systems engineering ,security engineering , andcriminology , in addition to computer science. Therefore, IA is best thought of as a superset of information security. Information assurance is not justComputer Security because it includes security issues that do not involve computers.The U.S. Government's
National Information Assurance Glossary defines IA as::"Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities."
History
In the 1960s, IA was not as complex as it is today. IA was as simple as controlling access to the computer room by locking the door and placing guards to protect it.
IA Concepts
Since the 1970s, information security has held that confidentiality, integrity and availability (known as the CIA triad) as the core principles.
Confidentiality
Confidential information must only be accessed, used, copied, or disclosed by users who have been authorized, and only when there is a genuine need. A confidentiality breech occurs when information or information systems have been, or may have been, accessed, used, copied, or disclosed, or by someone who was not authorized to have access to the information.
For example: Permitting someone to look over your shoulder at your computer screen while you have confidential data displayed on it would be a breach of confidentiality if they were not authorized to have the information. If a laptop computer, which contains employment and benefit information about 100,000 employees, is stolen from a car (or is sold on eBay) could result in a breach of confidentiality because the information is now in the hands of someone who is not authorized to have it. Giving out confidential information over the telephone is a breach of confidentiality if the caller is not authorized to have the information.
Integrity
Integrity means data can "not" be created, changed, or deleted without proper authorization. It also means that data stored in one part of a
database system is in agreement with other related data stored in another part of the database system (or another system).For example: A loss of integrity occurs when an employee accidentally, or with malicious intent, deletes important data files. A loss of integrity can occur if a computer virus is released onto the computer. A loss of integrity can occur when an on-line shopper is able to change the price of the product they are purchasing.
Authenticity
Authenticity is necessary to ensure that the users or objects (like documents) are genuine (they have not been forged or fabricated).
For example: Authentication breech can occur when a user's login id and password is used by un-authorized users to gain un-authorized access to information and/or information systems.
Availability
Availability means that the information, the computing systems used to process the information, and the security controls used to protect the information are all available and functioning correctly when the information is needed. The opposite of availability is denial of service (DOS).Fact|date=January 2008
For example: In 2000 Amazon, CNN, eBay, and Yahoo! were victims of a DOS attack. cite web
url = http://www.royans.net/rant/2000/06/06/feb-attack-2000-ddos-attack-analysis/
title = Feb Attack 2000: DDOS Attack - analysis.
accessdate = 2008-04-09
author = Techhawking
date = February 2000
format = HTML]Non-repudiation
Non-repudiation implies that one party of a transaction can not deny having received a transaction nor can the other party deny having sent a transaction.
For example: Electronic commerce uses technology such as
digital signature s to establish authenticity and non-repudiation.Information assurance process
The IA process typically begins with the enumeration and classification of the information assets to be protected. Next, the IA practitioner will perform a
risk assessment . This assessment considers both the probability and impact of the undesired events. The probability component may be subdivided into threats and vulnerabilities. The impact component is usually measured in terms of cost. The product of these values is the total risk.Based on the risk assessment, the IA practitioner will develop a risk management plan. This plan proposes countermeasures that involve mitigating, eliminating, accepting, or transferring the risks, and considers prevention, detection, and response. A framework, such as
ISO 17799 orISO/IEC 27002 , may be utilized in designing this plan. Countermeasures may include tools such asfirewalls andanti-virus software , policies and procedures such as regular backups and configuration hardening, training such as security awareness education, or restructuring such as forming an computer security incident response team (CSIRT ) or computer emergency response team (CERT). The cost and benefit of each countermeasure is carefully considered. Thus, the IA practitioner does not seek to eliminate all risks, were that possible, but to manage them in the mostcost-effective way.After the risk management plan is implemented, it is tested and evaluated, perhaps by means of formal audits. The IA process is cyclical; the risk assessment and risk management plan are continuously revised and improved based on data gleaned from evaluation.
Notes
See also
*
CIA triad
*ISO/IEC 27001
*ISO 9001
*ISO 17799
*McCumber cube External links
Documentation
* [http://www.cabinetoffice.gov.uk/csia/ia_review UK Government]
* [http://www.albany.edu/acc/courses/ia/classics IA References]
* [http://www.ism3.com/index.php?option=com_docman&task=doc_download&gid=5&Itemid=9 Information Assurance XML Schema Markup Language]* [http://www.dtic.mil/whs/directives/corres/html/850002.htm DoD Instruction 8500.2] Information Assurance (IA) Implementation
* [http://www.dtic.mil/whs/directives/corres/pdf/851001p.pdf DoD Instruction 8510.01] DoD Information Assurance Certification and Accreditation Process (DIACAP )EMSEC
* [http://www.e-publishing.af.mil/shared/media/epubs/AFI33-203V1.pdf AFI 33-203 Vol 1] , Emission Security (Soon to be AFSSI 7700)
* [http://www.e-publishing.af.mil/shared/media/epubs/AFI33-203V3.pdf AFI 33-203 Vol 3] , EMSEC Countermeasures Reviews (Soon to be AFSSI 7702)
*AFI 33-201 Vol 8, Protected Distributed Systems (Soon to be AFSSI 7703)COMPUSEC
*AFMAN 33-223, Identification and Authentication (Soon to be AFSSI 8520)
*AFI 33-202, Vol 6, Identity Management (Soon to be AFSSI 8520)
*(Biometrics) (Soon to be AFSSI 8521)
*AFI 33-202, Vol 1, Chapter 5, Access to Information Systems (Soon to be AFSSI 8522)
*AFI 33-202, Vol 1, Para 3.11, Cross-Domain Solutions (CDS) (Soon to be AFSSI 8540)
*AFI 33-202, Vol 1, Para 4.2, Network Security (Soon to be AFSSI 8550)
*AFI 33-137, Ports, Protocols, and Services (PPS) Management (Soon to be AFSSI 8551)
*AFI 33-230, Information Assurance Assessment and Assistance Program (Soon to be AFSSI 8560)
*AFI 33-219, Section C, Notice and Consent Procedures (Soon to be AFSSI 8561)
*AFSSI 5020, Remanence Security (Soon to be AFSSI 8580)Organizations
* [http://www.nitrd.gov/subcommittee/csia.php Interagency Working Group on Cyber Security and Information Assurance (CSIA IWG) (US)]
* [http://www.nsa.gov/ia/ National Security Agency Information Assurance Directorate (NSA IAD) (US)]
* [http://www.cabinetoffice.gov.uk/csia/ia_review Government - Central Sponsor for Information Assurance (UK)]
* [http://www.nsa.gov/ia/industry/niap.cfm National Information Assurance Partnership (US)]
* [http://www.iaac.org.uk/ Information Assurance Advisory Council (UK)]
* [http://www.iatf.net/ Information Assurance Technical Framework Forum (US)]
* [http://iac.dtic.mil/iatac/ Information Assurance Technology Analysis Center, IATAC (US)]
* [http://iase.disa.mil/ditscap/ DoD Information Assurance Certification and Accreditation Process (DIACAP)(US)]Education and certifications
The Master of Science in Information Assurance (
MSIA ) is a multidisciplinary degree program offered by many leading institutions which combines theory with applied learning in order to enablesecurity practitioner s in the field ofinformation security .There is a current and future need for
information assurance professionals to support the security needs of the world'sinformation infrastructure . Information Assurance has become a critical issue for businesses in the current era as they wrestle with the problems of external and internal network attack,cyberterrorism , access control systems andregulatory compliance requirements.The
MSIA degree is a multidisciplinary degree that creates professionals able to navigate and manage the many challenges presented by the demands of modern security and information science.Colleges and universities in the United States with accredited
Master of Science in Information Assurance orMasters of Information Assurance degree programs
*Capitol College , Master of Science in Information Assurance [http://www.capitol-college.edu/academicprograms/graduateprograms/msiae/index.shtml]Laurel, Maryland
*Dakota State University Dakota State University [http://www.dsu.edu/msia/]Madison, South Dakota
*Northeastern University , College of Computer an Information Science & College of Criminal Justice, [http://www.ccs.neu.edu/graduate/msia.html]Boston, MA
*University of Detroit Mercy College of Business Administration [http://business.udmercy.edu/ia.php]Detroit, Michigan
*Walsh College of Accountancy and Business Walsh College [http://www.walshcollege.edu/?id=846&sid=1]Troy, Michigan
*Norwich University * [http://www.graduate.norwich.edu/infoassurance]Northfield, Vermont
* [http://www.defenselink.mil/cio-nii/infoassurance/diap/ Defense-Wide Information Assurance Program]
* [http://security.isu.edu/ Idaho State University Information Assurance Program]
* [http://mbaia.mgt.unm.edu/ University of New Mexico Information Assurance Program (Anderson School of Management )]Albuquerque, New Mexico
* [http://csepi.utdallas.edu/information_assurance.htm University of Texas at Dallas Information Assurance Program]
* [http://www.bus.iastate.edu/MSIA/ Iowa State Master of Science in Information Assurance]
* [http://www.nsa.gov/ia/academia/caeiae.cfm National Security Agency's Centers of Academic Excellence]
* [http://www.giac.org/ The SANS Institute’s Global Information Assurance Certification Program]
* [http://www.cert.org/sia/ CERT: Survivability and Information Assurance Curriculum]
* [http://www.amazon.com/dp/1599041715/ Book: Managing Information Assurance in Financial Services]
* [http://elamb.org/category/assurance/ security blog: Information Assurance]
* [http://www.nsa.gov/ia/academia/caeiae.cfm National Centers of Academic Excellence in Information Assurance Education (CAEIAE)]
* [http://niatec.info/(S(41xa2dq21etse3bfkbigso45))/index.aspx National Information Assurance Training and Education Center]
* [http://iase.disa.mil/eta/ IA Education, Training and Awareness]* [http://www.cerias.purdue.edu/education/post_secondary_education/past_offerings/faculty_development/info_assurance_education/ Information Assurance Education Graduate Certificate Program]
* [http://coeia.edu.sa/en/ Center of Excellence in Information Assurance, King Saud University, Saudi Arabia]
Wikimedia Foundation. 2010.
