Information assurance is the practice of managing risks related to the use, processing, storage, and transmission of information or data and the systems and processes used for those purposes. While focused dominantly on information in digital form, the full range of IA encompasses not only digital but also analog or physical form.
Information assurance as a field has grown from the practice of information security, which in turn grew out of practices and procedures of computer security.
There are three models used in the practice of IA to define assurance requirements and assist in covering all necessary aspects or attributes.
The first is the classic information security model, also called the CIA Triad, which addresses three attributes of information and information systems: confidentiality, integrity, and availability. This C-I-A model is extremely useful for teaching introductory and basic concepts of information security and assurance; the initials are an easy mnemonic to remember, and when properly understood, can prompt systems designers and users to address the most pressing aspects of assurance.
The next most widely known model is the Five Pillars of IA model, promulgated by the U.S. Department of Defense (DoD) in a variety of publications, beginning with the National Information Assurance Glossary, Committee on National Security Systems Instruction CNSSI-4009. Here is the definition from that publication:
"Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities."
The Five Pillars model is sometimes criticized because authentication and non-repudiation are not attributes of information or systems; rather, they are procedures or methods useful to assure the integrity and authenticity of information, and to protect its confidentiality.
A third, less widely known IA model is the Parkerian Hexad, first introduced by Donn B. Parker in 1998. Like the Five Pillars, Parker's hexad begins with the C-I-A model but builds it out by adding authenticity, utility, and possession (or control). It is significant to point out that the concept or attribute of authenticity, as described by Parker, is not identical to the pillar of authentication as described by the U.S. DoD.
Overview
Information assurance is closely related to information security and the terms are sometimes used interchangeably. However, IA's broader connotation also includes reliability and emphasizes strategic risk management over tools and tactics. In addition to defending against malicious hackers and code (e.g., viruses), IA includes other corporate governance issues such as privacy, compliance, audits, business continuity, and disaster recovery. Further, while information security draws primarily from computer science, IA is interdisciplinary and draws from multiple fields, including accounting, fraud examination, forensic science, management science, systems engineering, security engineering, and criminology, in addition to computer science. Therefore, IA is best thought of as a superset of information security (i.e. an umbrella term).
History
In the 1960s, IA was not as complex as it is today. IA was as simple as controlling access to the computer room by locking the door and placing guards to protect it.
IA Concepts
Since the 1970s, information security has held confidentiality, integrity and availability (known as the CIA triad) as the core principles. One newer model of Information Assurance adds Authentication and Non-repudiation to create the 5 Pillars of IA.
In contrast, Donn B. Parker developed a model that added three attributes of authenticity, utility, and possession to the core C-I-A.
Confidentiality
CNSSI-4009: "Assurance that information is not disclosed to unauthorized individuals, processes, or devices."
Confidential information must only be accessed, used, copied, or disclosed by users who have been authorized, and only when there is a genuine need. A confidentiality breach occurs when information or information systems have been, or may have been, accessed, used, copied, or disclosed by, or disclosed to, someone who was not authorized to have access to the information.
For example: Permitting someone to look over your shoulder at your computer screen while you have confidential data displayed on it would be a breach of confidentiality if they were not authorized to have the information. A laptop computer that contains employment and benefit information about 100,000 employees, stolen from a car (or sold on eBay), could result in a breach of confidentiality because the information is now in the hands of someone who is not authorized to have it. Giving out confidential information over the telephone is a breach of confidentiality if the caller is not authorized to have the information.
Integrity
CNSSI-4009:
"Quality of an IS reflecting the logical correctness and reliability of the operating system; the logical completeness of the hardware and software implementing the protection mechanisms; and the consistency of the data structures and occurrence of the stored data. Note that, in a formal security mode, integrity is interpreted more narrowly to mean protection against unauthorized modification or destruction of information."
Some practitioners make the mistake of thinking of the integrity attribute as being only data integrity. While data integrity is a major part of this attribute, it is not everything. This attribute also addresses whether the physical and electronic systems have been maintained without breach or unauthorized change. It even refers to the people involved in handling the information: are they acting with proper motivation and integrity?
Integrity means data cannot be created, changed, or deleted without proper authorization. It also means that data stored in one part of a database system is in agreement with other related data stored in another part of the database system (or another system).
For example: A loss of integrity occurs when an employee accidentally, or with malicious intent, deletes important data files. A loss of integrity can occur if a computer virus is released onto the computer. A loss of integrity can occur when an on-line shopper is able to change the price of the product they are purchasing.
Availability
CNSSI-4009:
"Timely, reliable access to data and information services for authorized users."
Availability means that the information, the computing systems used to process the information, and the security controls used to protect the information are all available and functioning correctly when the information is needed. The opposite of availability is the lack thereof; one common example of this is a denial of service (DoS) attack.
For example: In 2000 Amazon, CNN, eBay, and Yahoo! were victims of a DoS attack.
Authentication
CNSSI-4009:
"Security measure designed to establish the validity of a transmission, message, or originator, or a means of verifying an individual's authorization to receive specific categories of information."
Authentication is very important in Information Assurance. It means that a user is who they say they are, and can prove their identity. If an intruder can get access into the system by impersonating an authorized user, he will then have that user’s access privileges.
An authentication breach can occur when a user's login ID and password are used by unauthorized users to send unauthorized information.
Authenticity
Authenticity is necessary to ensure that the users or objects (like documents) are genuine (they have not been forged or fabricated).
As files are shared across multiple organizations, there can be circumstances when duplicate copies of that file may exist. In such cases it is important to establish not only which copy is the master, but also to allow those who use the data to know the source of both the file, and all of the tagged data sets in the file. A Tagged Data Authority Engine is one way to do this.
Non-repudiation
CNSSI-4009:
"Assurance the sender of data is provided with proof of delivery and the recipient is provided with proof of the sender's identity, so neither can later deny having processed the data."
Non-repudiation implies that one party of a transaction can not deny having received a transaction nor can the other party deny having sent a transaction.
Non-repudiation is a major issue in credit card transactions, on-line auctions and various business contracts. The best way to secure confidential applications such as credit card transactions is to use a convertible authenticated encryption (CAE) scheme simultaneously satisfying the properties of authenticity, confidentiality and non-repudiation. It allows the user to ensure that the message has been sent and received by the correct person.
For example: Electronic commerce uses technology such as digital signatures to establish authenticity and non-repudiation.
Utility
Utility means usefulness and usability. For example, suppose someone encrypted data on disk to prevent unauthorized access or undetected modifications – and then lost the decryption key: that would be a breach of utility. The data would be confidential, controlled, integral, authentic, and available – they just wouldn’t be useful in that form. Similarly, conversion of salary data from one currency into an inappropriate currency would be a breach of utility, as would the storage of data in a format inappropriate for a specific computer architecture; e.g., EBCDIC instead of ASCII or 9-track magnetic tape instead of DVD-ROM. A tabular representation of data substituted for a graph could be described as a breach of utility if the substitution made it more difficult to interpret the data. Utility is often confused with availability because breaches such as those described in these examples may also require time to work around the change in data format or presentation. However, the concept of usefulness is distinct from that of availability.
Information assurance process
The IA process typically begins with the enumeration and classification of the information assets to be protected. Next, the IA practitioner will perform a risk assessment. This assessment considers both the probability and impact of the undesired events. The probability component may be subdivided into threats and vulnerabilities. The impact component is usually measured in terms of cost. The product of these values is the total risk.
Based on the risk assessment, the IA practitioner will develop a risk management plan. This plan proposes countermeasures that involve mitigating, eliminating, accepting, or transferring the risks, and considers prevention, detection, and response. A framework, such as Risk IT, CobiT, PCI DSS, ISO 17799 or ISO/IEC 27002, may be utilized in designing this plan.
Countermeasures may include tools such as firewalls and anti-virus software, policies and procedures such as regular backups and configuration hardening, training such as security awareness education, or restructuring such as forming a computer security incident response team (CSIRT) or computer emergency response team (CERT). The cost and benefit of each countermeasure is carefully considered. Thus, the IA practitioner does not seek to eliminate all risks, were that possible, but to manage them in the most cost-effective way.
After the risk management plan is implemented, it is tested and evaluated, perhaps by means of formal audits. The IA process is cyclical; the risk assessment and risk management plan are continuously revised and improved based on data gleaned from evaluation.
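As an added illustration of the process just described (not code from the original article), the following Python script runs one cycle over a constructed asset inventory: it ranks assets by risk and then chooses mitigate, transfer, or accept for each by comparing a countermeasure's cost against the risk it removes. It assumes that the probability component is the product of a threat likelihood and a vulnerability score, that impact is an annual cost, and that all asset, countermeasure, and insurance figures are constructed for the example.

```python
"""Worked illustration of the IA risk-assessment cycle described above.

Assumptions (not from the article): probability = threat likelihood x
vulnerability, each in [0, 1]; impact is an annual cost; a countermeasure
is worth applying when the risk it removes exceeds its own cost.
Every figure in the inventory below is constructed for the illustration.
"""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    classification: str       # e.g. "public", "internal", "confidential"
    impact_cost: float        # cost if the undesired event occurs
    threat_likelihood: float  # chance a threat acts against it in a year
    vulnerability: float      # chance the threat succeeds when it acts

    def probability(self) -> float:
        return self.threat_likelihood * self.vulnerability

    def risk(self) -> float:
        # total risk is the product of probability and impact
        return self.probability() * self.impact_cost


@dataclass
class Countermeasure:
    name: str
    annual_cost: float
    vulnerability_reduction: float  # fraction of vulnerability removed


def rank_assets(assets):
    """Enumerate the inventory and order it by assessed risk, highest first."""
    return sorted(assets, key=lambda a: a.risk(), reverse=True)


def residual_risk(asset, cm):
    """Risk that remains after the countermeasure lowers the vulnerability."""
    reduced = Asset(asset.name, asset.classification, asset.impact_cost,
                    asset.threat_likelihood,
                    asset.vulnerability * (1.0 - cm.vulnerability_reduction))
    return reduced.risk()


def choose_treatment(asset, candidates, transfer_premium=None):
    """Mitigate with the best-paying countermeasure, else transfer, else accept."""
    best = None
    for cm in candidates:
        net = (asset.risk() - residual_risk(asset, cm)) - cm.annual_cost
        if net > 0 and (best is None or net > best[1]):
            best = (cm, net)
    if best:
        return ("mitigate", best[0].name, round(best[1], 2))
    if transfer_premium is not None and transfer_premium < asset.risk():
        return ("transfer", "insurance", round(asset.risk() - transfer_premium, 2))
    return ("accept", None, 0.0)


def assess(assets, countermeasures, transfer_premiums):
    """One cycle of the process: rank by risk, then decide a treatment each."""
    report = []
    for asset in rank_assets(assets):
        decision = choose_treatment(asset, countermeasures,
                                    transfer_premiums.get(asset.name))
        report.append((asset.name, round(asset.risk(), 2), decision))
    return report


# Constructed inventory, countermeasures and insurance quote (hypothetical).
INVENTORY = [
    Asset("public web site", "public", 20_000, 0.9, 0.4),
    Asset("HR laptop fleet", "confidential", 500_000, 0.6, 0.5),
    Asset("archive tapes", "internal", 40_000, 0.1, 0.2),
]
COUNTERMEASURES = [
    Countermeasure("full-disk encryption", 30_000, 0.9),
    Countermeasure("regular backups", 5_000, 0.5),
]
TRANSFER_PREMIUMS = {"public web site": 5_000}

if __name__ == "__main__":
    for name, risk, (action, control, net) in assess(
            INVENTORY, COUNTERMEASURES, TRANSFER_PREMIUMS):
        print(f"{name:16} risk={risk:>10.2f} -> {action} {control or ''} net={net}")
```

Re-running assess after a countermeasure is deployed (with its reduced vulnerability written back into the inventory) is the revision step of the cycle.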
Standards Organizations and Standards
There are a number of international and national bodies that issue standards in Information Assurance.
Education and certifications
See also
- Asset (computing)
- Countermeasure (computer)
- Factor Analysis of Information Risk
- Fair information practice
- Information Assurance Vulnerability Alert
- Information security
- ISO/IEC 27001
- ISO 9001
- ISO 17799
- IT risk
- McCumber cube
- Mission assurance
- Risk
- Risk IT
- Security controls
- Tabernus
- Threat
- Vulnerability
External links
Documentation
EMSEC
- AFI 33-203 Vol 1, Emission Security (Soon to be AFSSI 7700)
- AFI 33-203 Vol 3, EMSEC Countermeasures Reviews (Soon to be AFSSI 7702)
- AFI 33-201 Vol 8, Protected Distributed Systems (Soon to be AFSSI 7703)