Information assurance

From Wikipedia, the free encyclopedia

 To comply with Wikipedia's lead section guidelines, the introduction of this article may need to be rewritten.
Please discuss this issue on the talk page and read the layout guide to make sure the section will be inclusive of all essential details.
This article or section includes a list of references or external links, but its sources remain unclear because it lacks in-text citations.
You can improve this article by introducing more precise citations.
The remainder of this article may require cleanup to meet Wikipedia's quality standards.
Please improve this article if you can.
U.S. Department of Defense Information Assurance emblem
U.S. Department of Defense Information Assurance emblem

Information assurance (IA) is the practice of managing information-related risks. More specifically, IA practitioners seek to protect and defend information and information systems by ensuring confidentiality, integrity, authentication, availability, and non-repudiation. These goals are relevant whether the information are in storage, processing, or transit, and whether threatened by malice or accident. In other words, IA is the process of ensuring that authorized users have access to authorized information at the authorized time.

Contents

[edit] Overview

Information assurance is closely related to information security and the terms are sometimes used interchangeably. However, IA’s broader connotation also includes reliability and emphasizes strategic risk management over tools and tactics. In addition to defending against malicious hackers and code (e.g., viruses), IA includes other corporate governance issues such as privacy, compliance, audits, business continuity, and disaster recovery. Further, while information security draws primarily from computer science, IA is interdisciplinary and draws from multiple fields, including fraud examination, forensic science, military science, management science, systems engineering, security engineering, and criminology, in addition to computer science. Therefore, IA is best thought of as a superset of information security. Information assurance is not just Computer Security because it includes security issues that do not involve computers.

The U.S. Government's National Information Assurance Glossary defines IA as:

Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.

[edit] History

In the 1960s, IA was not as complex as it is today. IA back then simply meant controlling access to the computer room by locking the door and places guards to protect it.

[edit] IA Concepts

Model of integrated CIA triad, Defense-in-Depth strategies.
Model of integrated CIA triad, Defense-in-Depth strategies.

Since the 1970s, information security has held that confidentiality, integrity and availability (known as the CIA triad) as the core principles.

[edit] Confidentiality

Confidential information must only be accessed, used, copied, or disclosed by users who have been authorized, and only when there is a genuine need. A confidentiality breech occurs when information or information systems have been, or may have been, accessed, used, copied, or disclosed, or by someone who was not authorized to have access to the information.

For example: Permitting someone to look over your shoulder at your computer screen while you have confidential data displayed on it would be a breach of confidentiality if they were not authorized to have the information. If a laptop computer, which contains employment and benefit information about 100,000 employees, is stolen from a car (or is sold on eBay) could result in a breach of confidentiality because the information is now in the hands of someone who is not authorized to have it. Giving out confidential information over the telephone is a breach of confidentiality if the caller is not authorized to have the information.

[edit] Integrity

Integrity means data can not be created, changed, or deleted without proper authorization. It also means that data stored in one part of a database system is in agreement with other related data stored in another part of the database system (or another system).

For example: A loss of integrity occurs when an employee accidentally, or with malicious intent, deletes important data files. A loss of integrity can occur if a computer virus is released onto the computer. A loss of integrity can occur when an on-line shopper is able to change the price of the product they are purchasing.

[edit] Authenticity

Authenticity is necessary to ensure that the users or objects (like documents) are genuine (they have not been forged or fabricated).

For example: Authentication breech can occur when a user's login id and password is used by un-authorized users to gain un-authorized access to information and/or information systems.

[edit] Availability

Availability means that the information, the computing systems used to process the information, and the security controls used to protect the information are all available and functioning correctly when the information is needed. The opposite of availability is denial of service (DOS).[citation needed]

For example: In 2000 Amazon, CNN, eBay, and Yahoo! were victims of a DOS attack.[1]

Yahoo Attacked. No one knows what happened except that it was inaccesable for more than 3 hours. It was also known that the attack was co-ordinated and hence the standard firewall algorithms failed to figure out what was happening.

— -Techhawking[1]

[edit] Non-repudiation

Non-repudiation implies that one party of a transaction can not deny having received a transaction nor can the other party deny having sent a transaction.

For example: Electronic commerce uses technology such as digital signatures to establish authenticity and non-repudiation.

[edit] Information assurance process

The IA process typically begins with the enumeration and classification of the information assets to be protected. Next, the IA practitioner will perform a risk assessment. This assessment considers both the probability and impact of the undesired events. The probability component may be subdivided into threats and vulnerabilities. The impact component is usually measured in terms of cost. The product of these values is the total risk.

Based on the risk assessment, the IA practitioner will develop a risk management plan. This plan proposes countermeasures that involve mitigating, eliminating, accepting, or transferring the risks, and considers prevention, detection, and response. A framework, such as ISO 17799 or ISO/IEC 27002, may be utilized in designing this plan. Countermeasures may include tools such as firewalls and anti-virus software, policies and procedures such as regular backups and configuration hardening, training such as security awareness education, or restructuring such as forming an computer security incident response team (CSIRT) or computer emergency response team (CERT). The cost and benefit of each countermeasure is carefully considered. Thus, the IA practitioner does not seek to eliminate all risks, were that possible, but to manage them in the most cost-effective way.

After the risk management plan is implemented, it is tested and evaluated, perhaps by means of formal audits. The IA process is cyclical; the risk assessment and risk management plan are continuously revised and improved based on data gleaned from evaluation.

[edit] Notes

  1. ^ a b Techhawking (February 2000). Feb Attack 2000: DDOS Attack - analysis. (HTML). Retrieved on 2008-04-09.

[edit] See also

[edit] External links

[edit] Documentation

[edit] EMSEC

  • AFI 33-203 Vol 1, Emission Security (Soon to be AFSSI 7700)
  • AFI 33-203 Vol 3, EMSEC Countermeasures Reviews (Soon to be AFSSI 7702)
  • AFI 33-210 Vol 8, Protected Distributed Systems (Soon to be AFSSI 7703)

[edit] COMPUSEC

  • AFMAN 33-223, Identification and Authentication (Soon to be AFSSI 8520)
  • AFI 33-202, Vol 6, Identity Management (Soon to be AFSSI 8520)
  • (Biometrics) (Soon to be AFSSI 8521)
  • AFI 33-202, Vol 1, Chapter 5, Access to Information Systems (Soon to be AFSSI 8522)
  • AFI 33-202, Vol 1, Para 3.11, Cross-Domain Solutions (CDS) (Soon to be AFSSI 8540)
  • AFI 33-202, Vol 1, Para 4.2, Network Security (Soon to be AFSSI 8550)
  • AFI 33-137, Ports, Protocols, and Services (PPS) Management (Soon to be AFSSI 8551)
  • AFI 33-230, Information Assurance Assessment and Assistance Program (Soon to be AFSSI 8560)
  • AFI 33-219, Section C, Notice and Consent Procedures (Soon to be AFSSI 8561)
  • AFSSI 5020, Remanence Security (Soon to be AFSSI 8580)

[edit] Organizations

[edit] Education and certifications

The Master of Science in Information Assurance (MSIA) is a multidisciplinary degree program offered by many leading institutions which combines theory with applied learning in order to enable security practitioners in the field of information security.

There is a current and future need for information assurance professionals to support the security needs of the world's information infrastructure. Information Assurance has become a critical issue for businesses in the current era as they wrestle with the problems of external and internal network attack, cyberterrorism, access control systems and regulatory compliance requirements.

The MSIA degree is a multidisciplinary degree that creates professionals able to navigate and manage the many challenges presented by the demands of modern security and information science.

Colleges and universities in the United States with accredited Master of Science in Information Assurance or Masters of Information Assurance degree programs