Information assurance

Edit links
Source: Wikipedia, the free encyclopedia.

Information assurance (IA) is the practice of assuring information and managing risks related to the use, processing, storage, and

information risk management
.

Overview

The McCumber Cube: one of the common information assurance schematics

Information assurance (IA) is the process of processing, storing, and transmitting the right information to the right people at the right time.[1] IA relates to the business level and strategic risk management of information and related systems, rather than the creation and application of security controls. IA is used to benefit business through the use of information risk management, trust management, resilience, appropriate architecture, system safety, and security, which increases the utility of information to only their authorized users.

Besides defending against malicious

disaster recovery as they relate to information systems. Further, IA is an interdisciplinary field requiring expertise in business, accounting, user experience, fraud examination, forensic science, management science, systems engineering, security engineering, and criminology
, in addition to computer science.

Evolution

With the growth of telecommunication networks also comes the dependency on networks, which makes communities increasing vulnerable to cyber attacks that could interrupt, degrade or destroy vital services.

WWMCCS
military decision support systems.

OODA Feedback Loop Diagram

In the beginning information assurance involved just the backing up of data.

distributed systems for the processing and storage of data through techniques like SANs and NAS plus using cloud computing.[4][5][3]

These three main developments of information assurance parallel the three generations of information technologies, the first used to prevent intrusions, the 2nd to detect intrusion and the 3rd for survivability.[6][7] Information assurance is a collaborative effort of all sectors of life to allow a free and equal exchange of ideas.[citation needed]

Pillars

Information assurance is built between five pillars: availability, integrity, authentication, confidentiality and nonrepudiation.[8] These pillars are taken into account to protect systems while still allowing them to efficiently provide services; However, these pillars do not act independently from one another, rather they interfere with the goal of the other pillars.[8] These pillars of information assurance have slowly changed to become referred to as the pillars of Cyber Security. As an administrator it is important to emphasize the pillars that you want in order to achieve your desired result for their information system, balancing the aspects of service, and privacy.

Authentication

Authentication refers to the verification of the validity of a transmission, originator, or process within an information system.

personally identifiable information such as a person's name, address telephone number, access to a key token, or known information, like passwords.[10]

Integrity

Integrity refers to the protection of information from unauthorized alteration.

degrees-of-trust existing between the ends of an information exchange .[12] One way information integrity risk is mitigated is through the use of redundant chip and software designs.[13] A failure of authentication could pose a risk to information integrity as it would allow an unauthorized party to alter content. For example, if a hospital has inadequate password policies, an unauthorized user could gain access to an information systems governing the delivery of medication to patients and risk altering the treatment course to the detriment of a particular patient.[12]

Availability

The pillar of availability refers to the preservation of data to be retrieved or modified from authorized individuals. Higher availability is preserved through an increase in storage system or channel reliability.

continuous signal.[12]

Confidentiality

Confidentiality is in essence the opposite of Integrity. Confidentiality is a security measure which protects against who is able to access the data, which is done by shielding who has access to the information.

information labeling and need-to-know regulations to ensure nondisclosure of information.[12]

Non-repudiation

Nonrepudiation is the integrity of the data to be true to its origin, which prevents possible denial that an action occurred.[3][1] Increasing non-repudiation makes it more difficult to deny that the information comes from a certain source. In other words, it making it so that you can not dispute the source/ authenticity of data. Non-repudiation involves the reduction to data integrity while that data is in transit, usually through the use of a man-in-the-middle attack or phishing.[15]

Interactions of Pillars

As stated earlier the pillars do not interact independently of one another, with some pillars impeding on the functioning of other pillars or in the opposite case where they boost other pillars.[8] For example, the increasing the availability of information works directly against the goals of three other pillars: integrity, authentication and confidentiality.[8]

Process

The information assurance process typically begins with the enumeration and classification of the information

assets to be protected. Next, the IA practitioner will perform a risk assessment for those assets.[16] Vulnerabilities in the information assets are determined in order to enumerate the threats capable of exploiting the assets. The assessment then considers both the probability and impact of a threat exploiting a vulnerability in an asset, with impact usually measured in terms of cost to the asset's stakeholders.[17]
The sum of the products of the threats' impact and the probability of their occurring is the total risk to the information asset.

With the risk assessment complete, the IA practitioner then develops a

risk management plan
. This plan proposes countermeasures that involve mitigating, eliminating, accepting, or transferring the risks, and considers prevention, detection, and response to threats.

A framework published by a standards organization, such as NIST RMF,

cost-effective way.[18]

After the risk management plan is implemented, it is tested and evaluated, often by means of formal audits.[16] The IA process is an iterative one, in that the risk assessment and risk management plan are meant to be periodically revised and improved based on data gathered about their completeness and effectiveness.[2]

There are two meta-techniques with information assurance: audit and risk assessment.[16]

Business Risk Management

Business Risk Management breaks down into three main processes Risk Assessment, Risk Mitigation and Evaluation and assessment.[citation needed] Information Assurance is one of the methodologies which organizations use to implement business risk management. Through the use of information assurance policies like the "BRICK" frame work.[1] Additionally, Business Risk Management also occurs to comply with federal and international laws regarding the release and security of information such as HIPAA.[19]

Information assurance can be aligned with corporates strategies through training and awareness, senior management involvement and support, and intra-organizational communication allowing for greater internal control and business risk management.[20]

Many security executives in are firms are moving to a reliance on information assurance to protect intellectual property, protect against potential data leakage, and protect users against themselves.[17] While the use of information assurance is good ensuring certain pillars like, confidentiality, non-repudiation, etc. because of their conflicting nature an increase in security often comes at the expense of speed.[8][17] Using information assurance in the business model improves reliable management decision-making, customer trust, business continuity and good governance in both public and private sectors.[21]

Standards organizations and standards

Main article: IT risk § Standards Organizations and Standards

There are a number of international and national bodies that issue standards on information assurance practices, policies, and procedures. In the UK, these include the Information Assurance Advisory Council and the

Information Assurance Collaboration Group.[4]

See also

References

Notes
  1. ^
    ISSN 2068-9403
    .
  2. ^
    ISSN 0018-9162
    .
  3. ^
    ISSN 0018-9162
    .
  4. ^
    doi:10.1016/j.diin.2014.03.005
    .
  5. S2CID 8059538
    .
  6. S2CID 14058057
    .
  7. S2CID 3897784
    .
  8. ^
    S2CID 27170966
    .
  9. ^ Sadiku, Matthew; Alam, Shumon; Musa, Sarhan (2017). "Information Assurance Benefits and Challenges: An Introduction". procon.bg. Retrieved 2020-11-28.
  10. ISSN 2163-5226
    .
  11. doi:10.1016/j.accinf.2005.07.001
    .
  12. ^
    S2CID 7746947
    .
  13. S2CID 214408357
    .
  14. ISSN 1812-1098
    .
  15. S2CID 218934756
    .
  16. ^
    doi:10.1016/j.cose.2016.03.009
    .
  17. ^
    S2CID 30062820
    .
  18. S2CID 10191333
    .
  19. ISSN 0276-7783
    .
  20. S2CID 11624922
    .
  21. S2CID 31840083
    .
Bibliography

External links

Documentation

Information assurance has also evolved due to social media

Retrieved from "https://en.wikipedia.org/w/index.php?title=Information_assurance&oldid=1169297326"