Information assurance (IA) is the practice of assuring information and managing risks related to the use, processing, storage, and transmission of information. Information assurance includes protection of the

integrity Integrity is the practice of being honest and showing a consistent and uncompromising adherence to strong moral and ethical principles and values. In ethics, integrity is regarded as the honesty and truthfulness or accuracy of one's actions. In ...

, availability, authenticity,

non-repudiation Non-repudiation refers to a situation where a statement's author cannot successfully dispute its authorship or the validity of an associated contract. The term is often seen in a legal setting when the authenticity of a signature is being challenged ...

and

confidentiality Confidentiality involves a set of rules or a promise usually executed through confidentiality agreements that limits the access or places restrictions on certain types of information. Legal confidentiality By law, lawyers are often required ...

of user data. IA encompasses not only digital protections but also physical techniques. These protections apply to

data in transit Data in transit, also referred to as data in motion and data in flight, is data en route between source and destination, typically on a computer network. Data in transit can be separated into two categories: information that flows over the publi ...

, both physical and electronic forms, as well as data at rest . IA is best thought of as a superset of

information security Information security, sometimes shortened to InfoSec, is the practice of protecting information by mitigating information risks. It is part of information risk management. It typically involves preventing or reducing the probability of unauthorize ...

(i.e. umbrella term), and as the business outcome of information risk management.

Overview

Information assurance (IA) is the process of processing, storing, and transmitting the right information to the right people at the right time. IA relates to the business level and strategic risk management of information and related systems, rather than the creation and application of security controls. IA is used to benefit business through the use of information risk management, trust management, resilience, appropriate architecture, system safety, and security, which increases the utility of information to only their authorized users and reduces . Therefore, in addition to defending against malicious hackers and code (e.g.,

virus A virus is a submicroscopic infectious agent that replicates only inside the living cells of an organism. Viruses infect all life forms, from animals and plants to microorganisms, including bacteria and archaea. Since Dmitri Ivanovsk ...

es), IA practitioners consider

corporate governance Corporate governance is defined, described or delineated in diverse ways, depending on the writer's purpose. Writers focused on a disciplinary interest or context (such as accounting, finance, law, or management) often adopt narrow definitions ...

issues such as privacy, regulatory and standards compliance, auditing,

business continuity Business continuity may be defined as "the capability of an organization to continue the delivery of products or services at pre-defined acceptable levels following a disruptive incident", and business continuity planning (or business continuity a ...

, and disaster recovery as they relate to information systems. Further, IA is an interdisciplinary field requiring expertise in business, accounting, user experience, fraud examination, forensic science,

management science Management science (or managerial science) is a wide and interdisciplinary study of solving complex problems and making strategic decisions as it pertains to institutions, corporations, governments and other types of organizational entities. It is ...

, systems engineering, security engineering, and criminology, in addition to computer science.

Evolution

With the growth of telecommunication networks also comes the dependency on networks, which makes communities increasing vulnerable to cyber attacks that could interrupt, degrade or destroy vital services. Starting from the 1950's the role and use of information assurance has grown and evolved. In the beginning information assurance involved just the backing up of data. However once the volume of information increased, the act of information assurance began to become automated, reducing the use of operator intervention, allowing for the creation of instant backups. The last main development of information assurance is the implementation of

distributed systems A distributed system is a system whose components are located on different networked computers, which communicate and coordinate their actions by passing messages to one another from any system. Distributed computing is a field of computer sci ...

for the processing and storage of data through techniques like SANs and NAS as well as the use of

cloud computing Cloud computing is the on-demand availability of computer system resources, especially data storage ( cloud storage) and computing power, without direct active management by the user. Large clouds often have functions distributed over mu ...

. These three main developments of information fall in line with the three generations of information technologies, the first used to prevent intrusions, the 2nd to detect intrusion and the 3rd for survivability. Information assurance is a collaborative effort of all sectors of life to allow a free and equal exchange of ideas.

Pillars

Information assurance is built between five pillars:

availability In reliability engineering, the term availability has the following meanings: * The degree to which a system, subsystem or equipment is in a specified operable and committable state at the start of a mission, when the mission is called for at ...

authentication Authentication (from ''authentikos'', "real, genuine", from αὐθέντης ''authentes'', "author") is the act of proving an assertion, such as the identity of a computer system user. In contrast with identification, the act of indicatin ...

and nonrepudiation. These pillars are taken into account to protect systems while still allowing them to efficiently provide services; However, these pillars do not act independently from one another, rather they interfere with the goal of the other pillars. These pillars of information assurance have slowly changed to become referred to as the pillars of Cyber Security. As an administrator it is important to emphasize the pillars that you want in order to achieve your desired result for their information system, balancing the aspects of service, and privacy.

Authentication

Authentication refers to the verification of the validity of a transmission, originator, or process within an information system. Authentication provides the recipient confidence in the data senders validity as well as the validity of their message. There exists many ways to bolster authentication, mainly breaking down into three main ways, personally identifiable information such as a person's name, address telephone number, access to a key token, or known information, like passwords.

Integrity

Integrity refers to the protection of information from unauthorized alteration. The goal of information integrity is to ensure data is accurate throughout its entire lifespan. User authentication is a critical enabler for information integrity. Information integrity is a function of the number of degrees-of-trust existing between the ends of an information exchange . One way information integrity risk is mitigated is through the use of redundant chip and software designs. A failure of authentication could pose a risk to information integrity as it would allow an unauthorized party to alter content. For example if a hospital has inadequate password policies, an unauthorized user could gain access to an information systems governing the delivery of medication to patients and risk altering the treatment course to the detriment of a particular patient.

Availability

The pillar of availability refers to the preservation of data to be retrieved or modified from authorized individuals. Higher availability is preserved through an increase in storage system or channel reliability. Breaches in information availability can result from power outages, hardware failures, DDOS, etc. The goal of high availability is to preserve access to information. Availability of information can be bolstered by the use of backup power, spare data channels, off site capabilities and

continuous signal In mathematical dynamics, discrete time and continuous time are two alternative frameworks within which variables that evolve over time are modeled. Discrete time Discrete time views values of variables as occurring at distinct, separate "po ...

Confidentiality

Confidentiality is in essence the opposite of Integrity. Confidentiality is a security measure which protects against who is able to access the data, which is done by shielding who has access to the information. This is different from Integrity as integrity is shielding who can change the information. Confidentiality is often ensured with the use of cryptography and steganography of data. Confidentiality can be seen within the classification and information superiority with international operations such as NATO Information assurance confidentiality in the United States need to follow HIPAA and healthcare provider security policy information labeling and

need-to-know The term "need to know", when used by government and other organizations (particularly those related to the military or espionage), describes the restriction of data which is considered very sensitive. Under need-to-know restrictions, even if one ...

regulations to ensure nondisclosure of information.

Non-repudiation

Nonrepudiation is the integrity of the data to be true to its origin, which prevents possible denial that an action occurred. Increasing non-repudiation makes it more difficult to deny that the information comes from a certain source. In other words, it making it so that you can not dispute the source/ authenticity of data. Non-repudiation involves the reduction to

data integrity Data integrity is the maintenance of, and the assurance of, data accuracy and consistency over its entire life-cycle and is a critical aspect to the design, implementation, and usage of any system that stores, processes, or retrieves data. The ter ...

while that data is in transit, usually through the use of a

man-in-the-middle attack In cryptography and computer security, a man-in-the-middle, monster-in-the-middle, machine-in-the-middle, monkey-in-the-middle, meddler-in-the-middle, manipulator-in-the-middle (MITM), person-in-the-middle (PITM) or adversary-in-the-middle (AiTM) ...

phishing Phishing is a type of social engineering where an attacker sends a fraudulent (e.g., spoofed, fake, or otherwise deceptive) message designed to trick a person into revealing sensitive information to the attacker or to deploy malicious softwa ...

Interactions of Pillars

As stated earlier the pillars do not interact independently of one another, with some pillars impeding on the functioning of other pillars or in the opposite case where they boost other pillars. For example the increasing the availability of information works directly against the goals of three other pillars: integrity, authentication and confidentiality.

Process

The information assurance process typically begins with the enumeration and classification of the information

assets In financial accounting, an asset is any resource owned or controlled by a business or an economic entity. It is anything (tangible or intangible) that can be used to produce positive economic value. Assets represent value of ownership that can ...

to be protected. Next, the IA practitioner will perform a

risk assessment Broadly speaking, a risk assessment is the combined effort of: # identifying and analyzing potential (future) events that may negatively impact individuals, assets, and/or the environment (i.e. hazard analysis); and # making judgments "on the ...

for those assets. Vulnerabilities in the information assets are determined in order to enumerate the threats capable of exploiting the assets. The assessment then considers both the probability and impact of a threat exploiting a vulnerability in an asset, with impact usually measured in terms of cost to the asset's stakeholders. The sum of the products of the threats' impact and the probability of their occurring is the total risk to the information asset. With the risk assessment complete, the IA practitioner then develops a risk management plan. This plan proposes countermeasures that involve mitigating, eliminating, accepting, or transferring the risks, and considers prevention, detection, and response to threats. A framework published by a standards organization, such as NIST RMF,

Risk IT Risk IT, published in 2009 by ISACA,ISACA THE RISK IT FR ...

CobiT COBIT (Control Objectives for Information and Related Technologies) is a framework created by ISACA for information technology (IT) management and IT governance. The framework is business focused and defines a set of generic processes for the m ...

PCI DSS The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard used to handle credit cards from major card scheme, card brands. The standard is administered by the Payment Card Industry Security Standards Council a ...

or ISO/IEC 27002, may guide development.

Countermeasures A countermeasure is a measure or action taken to counter or offset another one. As a general concept, it implies precision and is any technological or tactical solution or system designed to prevent an undesirable outcome in the process. The fi ...

may include technical tools such as firewalls and

anti-virus software Antivirus software (abbreviated to AV software), also known as anti-malware, is a computer program used to prevent, detect, and remove malware. Antivirus software was originally developed to detect and remove computer viruses, hence the name. ...

, policies and procedures requiring such controls as regular backups and configuration hardening, employee training in security awareness, or organizing personnel into dedicated computer emergency response team (CERT) or computer security incident response team ( CSIRT). The cost and benefit of each countermeasure is carefully considered. Thus, the IA practitioner does not seek to eliminate all risks, were that possible, but to manage them in the most

cost-effective Cost-effectiveness analysis (CEA) is a form of economic analysis that compares the relative costs and outcomes (effects) of different courses of action. Cost-effectiveness analysis is distinct from cost–benefit analysis, which assigns a monetar ...

way. After the risk management plan is implemented, it is tested and evaluated, often by means of formal audits. The IA process is an iterative one, in that the risk assessment and risk management plan are meant to be periodically revised and improved based on data gathered about their completeness and effectiveness. There do exist two meta-techniques with information assurance: audit and risk assessment.

Business Risk Management

Business Risk Management breaks down into three main processes Risk Assessment, Risk Mitigation and Evaluation and assessment. Information Assurance is one of the methodologies which organizations use to implement business risk management. Through the use of information assurance policies like the "BRICK" frame work. Additionally, Business Risk Management also occurs to comply with federal and international laws regarding the release and security of information such as

HIPAA The Health Insurance Portability and Accountability Act of 1996 (HIPAA or the Kennedy– Kassebaum Act) is a United States Act of Congress enacted by the 104th United States Congress and signed into law by President Bill Clinton on August 21, 1 ...

Information assurance can be aligned with corporates strategies through training and awareness, senior management involvement and support, and intra-organizational communication allowing for greater internal control and business risk management. Many security executives in are firms are moving to a reliance on information assurance to protect intellectual property, protect against potential data leakage, and protect users against themselves. While the use of information assurance is good ensuring certain pillars like, confidentiality, Non-repudiation etc. because of their conflicting nature an increase in security often comes at the expense of speed. This being said, the use of information assurance in the business model improves reliable management decision making, customer trust, business continuity and good governance in both the public and private sector.

Standards organizations and standards

There are a number of international and national bodies that issue standards on information assurance practices, policies, and procedures. In the UK, these include the Information Assurance Advisory Council and the Information Assurance Collaboration Group.

References

;Notes ;Bibliography * Data Encryption; Scientists at Chang Gung University Target Data Encryption. (2011, May). Information Technology Newsweekly,149. Retrieved October 30, 2011, from ProQuest Computing. (Document ID: 2350804731). * * {{Dead link, date=January 2020 , bot=InternetArchiveBot , fix-attempted=yes

External links

Documentation

UK Government

HMG INFOSEC STANDARD NO. 2
Risk management and accreditation of information systems (2005)
IA ReferencesInformation Assurance XML Schema Markup Language

DoD Directive 8500.01
Information Assurance

DoD IA Policy Chart
Archive of Information Assurance
Archive of Information Assurance Information assurance has also evolved due to social media IT risk management