Information assurance

Information assurance (IA) is the practice of managing risks related to the use, processing, storage, and transmission of information or data and the systems and processes used for those purposes. While focused dominantly on information in digital form, the full range of IA encompasses not only digital but also analog or physical form. Information assurance as a field has grown from the practice of information security which in turn grew out of practices and procedures of computer security.

Overview

Information assurance is closely related to information security and the terms are sometimes used interchangeably. However, IA's broader connotation also includes reliability and emphasizes strategic risk management over tools and tactics. In addition to defending against malicious hackers and code (e.g., viruses), IA includes other corporate governance issues such as privacy, compliance, audits, business continuity, and disaster recovery. Further, while information security draws primarily from computer science, IA is interdisciplinary and draws from multiple fields, including accounting, fraud examination, forensic science, management science, systems engineering, security engineering, and criminology, in addition to computer science. Therefore, IA is best thought of as a superset of information security (i.e., an umbrella term).

There are three models used in the practice of IA to define assurance requirements and assist in covering all necessary aspects or attributes. The first is the classic information security model, also called the CIA Triad, which addresses three attributes of information and information systems: confidentiality, integrity, and availability. This C-I-A model is extremely useful for teaching introductory and basic concepts of information security and assurance; the initials are an easy mnemonic to remember and, when properly understood, can prompt systems designers and users to address the most pressing aspects of assurance.

The next most widely known model is the Five Pillars of IA model, promulgated by the U.S. Department of Defense (DoD) in a variety of publications, beginning with the National Information Assurance Glossary, Committee on National Security Systems Instruction CNSSI-4009. Here is the definition from that publication: "Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities." The Five Pillars model is sometimes criticized because authentication and non-repudiation are not attributes of information or systems; rather, they are procedures or methods useful to assure the integrity and authenticity of information, and to protect its confidentiality.

A third, less widely known IA model is the Parkerian Hexad, first introduced by Donn B. Parker in 1998. Like the Five Pillars, Parker's hexad begins with the C-I-A model but builds it out by adding authenticity, utility, and possession (or control). It is significant to point out that the concept or attribute of authenticity, as described by Parker, is not identical to the pillar of authentication as described by the U.S. DoD.

History

In the 1960s, IA was not as complex as it is today. IA was as simple as controlling access to the computer room by locking the door and placing guards to protect it.

IA Concepts

Since the 1970s, information security has held confidentiality, integrity and availability (known as the CIA triad) as the core principles. One newer model of Information Assurance adds Authentication and Non-repudiation to create the 5 Pillars of IA.

In contrast, Donn B. Parker developed a model that added three attributes of authenticity, utility, and possession to the core C-I-A.[1][2]

Confidentiality

CNSSI-4009: "Assurance that information is not disclosed to unauthorized individuals, processes, or devices. "

Confidential information must only be accessed, used, copied, or disclosed by users who have been authorized, and only when there is a genuine need. A confidentiality breach occurs when information or information systems have been, or may have been, accessed, used, copied, or disclosed by someone who was not authorized to have access to the information.

For example: Permitting someone to look over your shoulder at your computer screen while you have confidential data displayed on it would be a breach of confidentiality if they were not authorized to have the information. If a laptop computer which contains employment and benefit information about 100,000 employees is stolen from a car (or is sold on eBay), the result could be a breach of confidentiality because the information is now in the hands of someone who is not authorized to have it. Giving out confidential information over the telephone is a breach of confidentiality if the caller is not authorized to have the information.

Integrity

CNSSI-4009: "Quality of an IS reflecting the logical correctness and reliability of the operating system; the logical completeness of the hardware and software implementing the protection mechanisms; and the consistency of the data structures and occurrence of the stored data. Note that, in a formal security mode, integrity is interpreted more narrowly to mean protection against unauthorized modification or destruction of information."

Some practitioners make the mistake of thinking of the integrity attribute as being only data integrity. While data integrity is a major part of this attribute, it is not everything. This attribute also addresses whether the physical and electronic systems have been maintained without breach or unauthorized change. It even refers to the people involved in handling the information: whether they are acting with proper motivation and integrity.

Integrity means data cannot be created, changed, or deleted without proper authorization. It also means that data stored in one part of a database system is in agreement with other related data stored in another part of the database system (or another system).

For example: A loss of integrity occurs when an employee accidentally, or with malicious intent, deletes important data files. A loss of integrity can occur if a computer virus is released onto the computer. A loss of integrity can occur when an on-line shopper is able to change the price of the product they are purchasing.

Availability

CNSSI-4009: "Timely, reliable access to data and information services for authorized users."

Availability means that the information, the computing systems used to process the information, and the security controls used to protect the information are all available and functioning correctly when the information is needed. The opposite of availability is the lack thereof; one example of this is a common attack known as a denial of service (DoS) attack.

For example: In 2000 Amazon, CNN, eBay, and Yahoo! were victims of a DoS attack.[3]

Yahoo Attacked. No one knows what happened except that it was inaccessible for more than 3 hours. It was also known that the attack was co-ordinated and hence the standard firewall algorithms failed to figure out what was happening.

— Techhawking[3]

Authentication

CNSSI-4009: "Security measure designed to establish the validity of a transmission, message, or originator, or a means of verifying an individual's authorization to receive specific categories of information."

Authentication is very important in Information Assurance. It means that a user is who they say they are, and can prove their identity. If an intruder can get access into the system by impersonating an authorized user, they will then have that user's access privileges.

An authentication breach can occur when a user's login id and password are used by unauthorized users to send unauthorized information.

Authenticity

Authenticity is necessary to ensure that the users or objects (like documents) are genuine (they have not been forged or fabricated).

As files are shared across multiple organizations, there can be circumstances when duplicate copies of that file may exist. In such cases it is important to establish not only which copy is the master, but also to allow those who use the data to know the source of both the file, and all of the tagged data sets in the file. A Tagged Data Authority Engine is one way to do this.[4]

Non-repudiation

CNSSI-4009: "Assurance the sender of data is provided with proof of delivery and the recipient is provided with proof of the sender's identity, so neither can later deny having processed the data."

Non-repudiation implies that one party of a transaction cannot deny having received a transaction, nor can the other party deny having sent a transaction.

Non-repudiation is a major issue in credit card transactions, on-line auctions and various business contracts. The best way to secure confidential applications such as credit card transactions is to use a convertible authenticated encryption (CAE) scheme simultaneously satisfying the properties of authenticity, confidentiality and non-repudiation. It allows the user to ensure that the message has been sent and received by the correct person.

For example: Electronic commerce uses technology such as digital signatures to establish authenticity and non-repudiation.
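The Integrity, Authentication and Non-repudiation sections above describe three distinct guarantees that are easy to conflate. The following Python example, added here and not part of the original article, shows the difference in working code using only the standard library: a plain hash detects modification but can be recomputed by anyone, an HMAC with a shared key additionally proves the data came from a key holder (authentication), and yet an HMAC still cannot provide non-repudiation, because the recipient also holds the key and could have produced the same tag. The order record, the key and the "price change" tampering are constructed for the example, following the on-line shopper example in the Integrity section; non-repudiation in practice requires an asymmetric digital signature, as the article notes, which this block deliberately does not implement.

```python
import hashlib
import hmac
import secrets

# Constructed sample record: an order whose price must not be altered in
# transit (mirrors the "shopper changes the price" integrity example).
ORDER = b"order_id=1001;item=widget;price=49.99"


def integrity_digest(data: bytes) -> str:
    """Integrity only: a SHA-256 digest detects accidental or deliberate change,
    but anyone who can alter the data can also recompute the digest, so it says
    nothing about who produced the data."""
    return hashlib.sha256(data).hexdigest()


def verify_integrity(data: bytes, digest: str) -> bool:
    return hmac.compare_digest(integrity_digest(data), digest)


def authenticate(data: bytes, key: bytes) -> str:
    """Integrity plus authentication: an HMAC tag can only be produced by a
    holder of the shared key, so a valid tag shows the data is unmodified and
    came from one of the key holders."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_authentic(data: bytes, key: bytes, tag: str) -> bool:
    # constant-time comparison avoids leaking the tag byte by byte
    return hmac.compare_digest(authenticate(data, key), tag)


def tampered(data: bytes) -> bytes:
    """Constructed tampering: the price field is rewritten."""
    return data.replace(b"price=49.99", b"price=0.99")


def demo() -> dict:
    """Exercise the three guarantees on the constructed order record."""
    key = secrets.token_bytes(32)  # hypothetical key shared by shop and payment service
    digest = integrity_digest(ORDER)
    tag = authenticate(ORDER, key)
    bad = tampered(ORDER)
    return {
        # plain digest: detects the change, but is trivially recomputed
        "digest_ok": verify_integrity(ORDER, digest),
        "digest_detects_change": not verify_integrity(bad, digest),
        "digest_forgeable": verify_integrity(bad, integrity_digest(bad)),
        # HMAC: detects the change, and cannot be recomputed without the key
        "tag_ok": verify_authentic(ORDER, key, tag),
        "tag_detects_change": not verify_authentic(bad, key, tag),
        "tag_rejected_without_key": not verify_authentic(bad, key, authenticate(bad, b"not the key")),
        # but every key holder (including the recipient) can mint a valid tag,
        # so the tag is not evidence a third party could use against the sender:
        "tag_gives_no_non_repudiation": verify_authentic(bad, key, authenticate(bad, key)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Every entry of the returned dictionary is True: the digest and the HMAC both detect the price change, only the HMAC resists recomputation by an outsider, and the last entry is the reason the Five Pillars list non-repudiation separately from authentication.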

Utility

Utility means usefulness and usability. For example, suppose someone encrypted data on disk to prevent unauthorized access or undetected modifications – and then lost the decryption key: that would be a breach of utility. The data would be confidential, controlled, integral, authentic, and available – they just wouldn’t be useful in that form. Similarly, conversion of salary data from one currency into an inappropriate currency would be a breach of utility, as would the storage of data in a format inappropriate for a specific computer architecture; e.g., EBCDIC instead of ASCII or 9-track magnetic tape instead of DVD-ROM. A tabular representation of data substituted for a graph could be described as a breach of utility if the substitution made it more difficult to interpret the data. Utility is often confused with availability because breaches such as those described in these examples may also require time to work around the change in data format or presentation. However, the concept of usefulness is distinct from that of availability.

Information assurance process

The IA process typically begins with the enumeration and classification of the information assets to be protected. Next, the IA practitioner will perform a risk assessment. This assessment considers both the probability and impact of the undesired events. The probability component may be subdivided into threats and vulnerabilities. The impact component is usually measured in terms of cost. The product of these values is the total risk.

Based on the risk assessment, the IA practitioner will develop a risk management plan. This plan proposes countermeasures that involve mitigating, eliminating, accepting, or transferring the risks, and considers prevention, detection, and response. A framework, such as Risk IT, CobiT, PCI DSS, ISO 17799 or ISO/IEC 27002, may be utilized in designing this plan. Countermeasures may include tools such as firewalls and anti-virus software, policies and procedures such as regular backups and configuration hardening, training such as security awareness education, or restructuring such as forming a computer security incident response team (CSIRT) or computer emergency response team (CERT). The cost and benefit of each countermeasure is carefully considered. Thus, the IA practitioner does not seek to eliminate all risks, were that possible, but to manage them in the most cost-effective way.

After the risk management plan is implemented, it is tested and evaluated, perhaps by means of formal audits. The IA process is cyclical; the risk assessment and risk management plan are continuously revised and improved based on data gleaned from evaluation.
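The three paragraphs above describe one procedure: enumerate assets, assess each risk as probability (threat and vulnerability factors) times impact cost, then choose the countermeasure whose benefit outweighs its cost, or accept the risk. The Python below is an added example, not from the article or any framework it names, that carries that arithmetic through on a small constructed risk register. The two risks are drawn from the article's own examples (the stolen laptop with employee data and the denial-of-service attack on an on-line shop); all probabilities, costs and residual factors are invented sample values, and the likelihood factors, residual factor and the accept/mitigate/transfer strategies are the example's own simplification of the process.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    threat_likelihood: float   # annual probability the threat occurs (0..1)
    exploit_likelihood: float  # probability it succeeds given the vulnerability (0..1)
    impact_cost: float         # loss per occurrence, in currency units

    @property
    def probability(self) -> float:
        # the probability component, subdivided into threat and vulnerability
        return self.threat_likelihood * self.exploit_likelihood

    @property
    def annual_loss(self) -> float:
        # probability x impact: the total risk for this register entry
        return self.probability * self.impact_cost


@dataclass(frozen=True)
class Countermeasure:
    name: str
    strategy: str          # "mitigate", "eliminate", "transfer" or "accept"
    annual_cost: float
    residual_factor: float  # fraction of the annual loss that remains after the control


ACCEPT = Countermeasure("accept risk", "accept", 0.0, 1.0)


def residual_loss(risk: Risk, cm: Countermeasure) -> float:
    return risk.annual_loss * cm.residual_factor


def net_benefit(risk: Risk, cm: Countermeasure) -> float:
    """Risk reduction bought by the control, minus what the control costs."""
    return (risk.annual_loss - residual_loss(risk, cm)) - cm.annual_cost


def choose(risk: Risk, options: List[Countermeasure]) -> Countermeasure:
    """Pick the option with the highest net benefit; if none pays for itself,
    the cost-effective choice is to accept the risk."""
    best = max(options, key=lambda cm: net_benefit(risk, cm))
    return best if net_benefit(risk, best) > 0 else ACCEPT


def build_register() -> List[Tuple[Risk, List[Countermeasure]]]:
    """Constructed sample register; every number here is an invented value."""
    laptop = Risk("laptop", "theft from a car", "disk not encrypted",
                  threat_likelihood=0.2, exploit_likelihood=1.0, impact_cost=500_000)
    laptop_options = [
        Countermeasure("full-disk encryption", "mitigate", annual_cost=5_000, residual_factor=0.05),
        Countermeasure("data breach insurance", "transfer", annual_cost=30_000, residual_factor=0.2),
    ]
    shop = Risk("web shop", "denial of service", "no traffic filtering",
                threat_likelihood=0.5, exploit_likelihood=0.8, impact_cost=20_000)
    shop_options = [
        Countermeasure("traffic scrubbing service", "mitigate", annual_cost=12_000, residual_factor=0.1),
    ]
    return [(laptop, laptop_options), (shop, shop_options)]


def plan(register=None) -> Dict[str, str]:
    """Risk management plan: asset -> chosen countermeasure name."""
    register = build_register() if register is None else register
    return {risk.asset: choose(risk, options).name for risk, options in register}


if __name__ == "__main__":
    for risk, options in build_register():
        print(f"{risk.asset}: annual loss {risk.annual_loss:,.0f}")
        for cm in options:
            print(f"  {cm.name} ({cm.strategy}): net benefit {net_benefit(risk, cm):,.0f}")
    print(plan())
```

With these sample values the laptop risk (expected annual loss 100,000) is best handled by encryption rather than transferred to insurance, while the scrubbing service costs more than the 8,000 expected annual loss it would reduce, so that risk is accepted; re-running the assessment with updated figures is the cyclical revision the last paragraph describes.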

Standards Organizations and Standards

There are a number of international and national bodies that issue standards in Information Assurance.

Education and certifications

Information security professionalism is the set of knowledge, skills and work ethic that people working in Information security and similar fields (Information Assurance and Computer security) should have. Some advocate that these characteristics should be demonstrated through certifications from respected organizations. Others question the maturity and effectiveness of certifications which exist today.

References

Notes
  1. ^ Parker, Donn B. (1998). Fighting Computer Crime. New York, NY: John Wiley & Sons. ISBN 0471163783.
  2. ^ Parker, Donn B. (2002). "Toward a New Framework for Information Security". In Bosworth, Seymour; Kabay, M. E. The Computer Security Handbook (4th ed.). New York, NY: John Wiley & Sons. ISBN 0471412589. http://www.computersecurityhandbook.com/CSH4/Chapter5.html.
  3. ^ a b Techhawking (February 2000). "Feb Attack 2000: DDOS Attack - analysis". http://www.royans.net/rant/2000/06/06/feb-attack-2000-ddos-attack-analysis/. Retrieved 2008-04-09.
  4. ^ Article on Tagged Data Authority Servers from Government Computer News.
Bibliography
  • Data Encryption; Scientists at Chang Gung University Target Data Encryption. (2011, May). Information Technology Newsweekly, 149. Retrieved October 30, 2011, from ProQuest Computing. (Document ID: 2350804731).
  • Stephenson, P. (2010, January). Authentication: A pillar of information assurance. SC Magazine, 21(1), 55. Retrieved October 30, 2011, from ProQuest Computing. (Document ID: 1939310891).

External links

Documentation

EMSEC

  • AFI 33-203 Vol 1, Emission Security (Soon to be AFSSI 7700)
  • AFI 33-203 Vol 3, EMSEC Countermeasures Reviews (Soon to be AFSSI 7702)
  • AFI 33-201 Vol 8, Protected Distributed Systems (Soon to be AFSSI 7703)