Information Assurance
Information assurance is the practice of managing risks related to the use, processing, storage, and transmission of information or data and the systems and processes used for those purposes. While focused predominantly on information in digital form, the full range of IA encompasses not only digital but also analog or physical form.
Information assurance as a field has grown from the practice of information security, which in turn grew out of practices and procedures of computer security.

There are three models used in the practice of IA to define assurance requirements and assist in covering all necessary aspects or attributes.

The first is the classic information security model, also called the CIA Triad, which addresses three attributes of information and information systems: confidentiality, integrity, and availability. This C-I-A model is extremely useful for teaching introductory and basic concepts of information security and assurance; the initials are an easy mnemonic to remember, and when properly understood, can prompt systems designers and users to address the most pressing aspects of assurance.

The next most widely known model is the Five Pillars of IA model, promulgated by the U.S. Department of Defense (DoD) in a variety of publications, beginning with the National Information Assurance Glossary, Committee on National Security Systems Instruction CNSSI-4009.
Here is the definition from that publication:
"Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities."
The Five Pillars model is sometimes criticized because authentication and non-repudiation are not attributes of information or systems; rather, they are procedures or methods useful to assure the integrity and authenticity of information, and to protect the confidentiality of that same information.

A third, less widely known IA model is the Parkerian Hexad, first introduced by Donn B. Parker in 1998. Like the Five Pillars, Parker's hexad begins with the C-I-A model but builds it out by adding authenticity, utility, and possession (or control). It is significant to point out that the concept or attribute of authenticity, as described by Parker, is not identical to the pillar of authentication as described by the U.S. DoD.

Overview

Information assurance is closely related to information security and the terms are sometimes used interchangeably. However, IA's broader connotation also includes reliability and emphasizes strategic risk management over tools and tactics. In addition to defending against malicious hackers and code (e.g., viruses), IA includes other corporate governance issues such as privacy, compliance, audits, business continuity, and disaster recovery. Further, while information security draws primarily from computer science, IA is interdisciplinary and draws from multiple fields, including accounting, fraud examination, forensic science, management science, systems engineering, security engineering, and criminology, in addition to computer science. Therefore, IA is best thought of as a superset of information security (i.e. an umbrella term).

History

In the 1960s, IA was not as complex as it is today. IA was as simple as controlling access to the computer room by locking the door and placing guards to protect it.

IA Concepts

Since the 1970s, information security has held confidentiality, integrity and availability (known as the CIA triad) as the core principles. One newer model of Information Assurance adds Authentication and Non-repudiation to create the 5 Pillars of IA.

In contrast, Donn B. Parker developed a model that added three attributes of authenticity, utility, and possession to the core C-I-A.

Confidentiality

CNSSI-4009: "Assurance that information is not disclosed to unauthorized individuals, processes, or devices."

Confidential information must only be accessed, used, copied, or disclosed by users who have been authorized, and only when there is a genuine need. A confidentiality breach occurs when information or information systems have been, or may have been, accessed, used, copied, or disclosed by someone who was not authorized to have access to the information.

For example: Permitting someone to look over your shoulder at your computer screen while you have confidential data displayed on it would be a breach of confidentiality if they were not authorized to have the information. If a laptop computer which contains employment and benefit information about 100,000 employees is stolen from a car (or is sold on eBay), a breach of confidentiality could result because the information is now in the hands of someone who is not authorized to have it. Giving out confidential information over the telephone is a breach of confidentiality if the caller is not authorized to have the information.

Integrity

CNSSI-4009:
"Quality of an IS reflecting the logical correctness and reliability of the operating system; the logical completeness of the hardware and software implementing the protection mechanisms; and the consistency of the data structures and occurrence of the stored data. Note that, in a formal security mode, integrity is interpreted more narrowly to mean protection against unauthorized modification or destruction of information."

Some practitioners make the mistake of thinking of the integrity attribute as being only data integrity. While data integrity is a major part of this attribute, it is not everything. This attribute also addresses whether the physical and electronic systems have been maintained without breach or unauthorized change. It even refers to the people involved in handling the information: are they acting with proper motivation and integrity?

Integrity means data cannot be created, changed, or deleted without proper authorization. It also means that data stored in one part of a database system is in agreement with other related data stored in another part of the database system (or another system).

For example: A loss of integrity occurs when an employee accidentally, or with malicious intent, deletes important data files. A loss of integrity can occur if a computer virus is released onto the computer. A loss of integrity can occur when an on-line shopper is able to change the price of the product they are purchasing.

Availability

CNSSI-4009:
"Timely, reliable access to data and information services for authorized users."

Availability means that the information, the computing systems used to process the information, and the security controls used to protect the information are all available and functioning correctly when the information is needed. The opposite of availability is its absence; one common example of this is a denial of service (DoS) attack.

For example: In 2000 Amazon, CNN, eBay, and Yahoo! were victims of a DoS attack.

Authentication

CNSSI-4009:
"Security measure designed to establish the validity of a transmission, message, or originator, or a means of verifying an individual's authorization to receive specific categories of information."

Authentication is very important in Information Assurance. It means that a user is who they say they are, and can prove their identity. If an intruder can get access into the system by impersonating an authorized user, he will then have that user’s access privileges.

An authentication breach can occur when a user's login ID and password are used by unauthorized users to send unauthorized information.

Authenticity

Authenticity is necessary to ensure that the users or objects (like documents) are genuine (they have not been forged or fabricated).

As files are shared across multiple organizations, there can be circumstances when duplicate copies of that file may exist. In such cases it is important to establish not only which copy is the master, but also to allow those who use the data to know the source of both the file, and all of the tagged data sets in the file. A Tagged Data Authority Engine is one way to do this.

Non-repudiation

CNSSI-4009:
"Assurance the sender of data is provided with proof of delivery and the recipient is provided with proof of the sender's identity, so neither can later deny having processed the data."

Non-repudiation implies that one party to a transaction cannot deny having received a transaction, nor can the other party deny having sent a transaction.

Non-repudiation is a major issue in credit card transactions, on-line auctions and various business contracts. The best way to secure confidential applications such as credit card transactions is to use a convertible authenticated encryption (CAE) scheme simultaneously satisfying the properties of authenticity, confidentiality and non-repudiation. It allows the user to ensure that the message has been sent and received by the correct person.

For example: Electronic commerce uses technology such as digital signatures to establish authenticity and non-repudiation.
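As an added illustration of the point above (example code written for this page, not taken from the article or any source it cites): a Go program signs a constructed purchase order with Ed25519, so that anyone holding only the buyer's public key can verify it, and contrasts that with an HMAC tag, which proves authenticity to the holder of the shared key but gives no non-repudiation, because the verifier holds the same key and could have produced the tag itself. The Order type, the SKU and the key material are constructed samples.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Order is a constructed sample transaction (not from the article) that a
// buyer sends to a merchant; the merchant wants proof of origin it can later
// show to a third party such as a card issuer or an arbitrator.
type Order struct {
	Buyer  string
	Item   string
	Amount int // cents
}

// encode produces the canonical bytes that are authenticated. A fixed
// encoding matters: both sides must sign and verify exactly the same bytes.
func encode(o Order) []byte {
	return []byte(fmt.Sprintf("buyer=%s;item=%s;amount=%d", o.Buyer, o.Item, o.Amount))
}

// MACTag authenticates an order with a key shared by buyer and merchant.
// The merchant can check the tag (authenticity and integrity), but because the
// merchant holds the same key it could have produced the tag itself, so the tag
// proves nothing to a third party: the buyer can plausibly deny the order.
func MACTag(sharedKey []byte, o Order) []byte {
	m := hmac.New(sha256.New, sharedKey)
	m.Write(encode(o))
	return m.Sum(nil)
}

// MACValid checks a tag in constant time.
func MACValid(sharedKey []byte, o Order, tag []byte) bool {
	return hmac.Equal(MACTag(sharedKey, o), tag)
}

// SignOrder signs with the buyer's private key, which only the buyer holds.
func SignOrder(priv ed25519.PrivateKey, o Order) []byte {
	return ed25519.Sign(priv, encode(o))
}

// VerifyOrder needs only the buyer's public key, so the merchant, the card
// issuer and an arbitrator can all verify independently: that is what makes
// the signature evidence the buyer cannot later repudiate.
func VerifyOrder(pub ed25519.PublicKey, o Order, sig []byte) bool {
	return ed25519.Verify(pub, encode(o), sig)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	order := Order{Buyer: "alice", Item: "SKU-1234", Amount: 4999}
	sig := SignOrder(priv, order)
	fmt.Println("signature verifies:", VerifyOrder(pub, order, sig))

	// Integrity: any change to the signed fields invalidates the signature.
	tampered := order
	tampered.Amount = 1
	fmt.Println("tampered order verifies:", VerifyOrder(pub, tampered, sig))

	// Contrast: with a shared MAC key, a tag the merchant computed on its own
	// validates just as well as one the buyer computed, so it cannot serve as
	// proof of who sent the order.
	shared := []byte("constructed-shared-key")
	merchantTag := MACTag(shared, tampered)
	fmt.Println("merchant-computed MAC validates:", MACValid(shared, tampered, merchantTag))
}
```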

Utility

Utility means usefulness and usability. For example, suppose someone encrypted data on disk to prevent unauthorized access or undetected modifications – and then lost the decryption key: that would be a breach of utility. The data would be confidential, controlled, integral, authentic, and available – they just wouldn’t be useful in that form. Similarly, conversion of salary data from one currency into an inappropriate currency would be a breach of utility, as would the storage of data in a format inappropriate for a specific computer architecture; e.g., EBCDIC instead of ASCII or 9-track magnetic tape instead of DVD-ROM. A tabular representation of data substituted for a graph could be described as a breach of utility if the substitution made it more difficult to interpret the data. Utility is often confused with availability because breaches such as those described in these examples may also require time to work around the change in data format or presentation. However, the concept of usefulness is distinct from that of availability.

Information assurance process

The IA process typically begins with the enumeration and classification of the information assets to be protected. Next, the IA practitioner will perform a risk assessment. This assessment considers both the probability and impact of the undesired events. The probability component may be subdivided into threats and vulnerabilities. The impact component is usually measured in terms of cost. The product of these values is the total risk.

Based on the risk assessment, the IA practitioner will develop a risk management plan. This plan proposes countermeasures that involve mitigating, eliminating, accepting, or transferring the risks, and considers prevention, detection, and response. A framework, such as Risk IT, CobiT, PCI DSS, ISO 17799 or ISO/IEC 27002, may be utilized in designing this plan. Countermeasures may include tools such as firewalls and anti-virus software, policies and procedures such as regular backups and configuration hardening, training such as security awareness education, or restructuring such as forming a computer security incident response team (CSIRT) or computer emergency response team (CERT). The cost and benefit of each countermeasure is carefully considered. Thus, the IA practitioner does not seek to eliminate all risks, were that possible, but to manage them in the most cost-effective way.

After the risk management plan is implemented, it is tested and evaluated, perhaps by means of formal audits. The IA process is cyclical; the risk assessment and risk management plan are continuously revised and improved based on data gleaned from evaluation.
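A worked version of the process described in this section, as an added example that is not from the article: a constructed risk register in Go computes each risk as probability (threat likelihood times vulnerability likelihood) times impact cost, ranks the register so the plan addresses the most pressing risks first, and for each risk either mitigates with the countermeasure whose net benefit (risk reduction minus cost) is largest or accepts the risk when no countermeasure pays for itself. The asset names, likelihoods and costs are illustrative figures; the transfer and elimination treatments are left out for brevity.

```go
package main

import (
	"fmt"
	"sort"
)

// Risk is one entry in a constructed risk register. Following the article,
// probability is split into a threat likelihood and a vulnerability likelihood,
// and impact is expressed as a cost.
type Risk struct {
	Asset         string
	Event         string
	Threat        float64 // likelihood a threat source acts (0..1 per year)
	Vulnerability float64 // likelihood the attempt succeeds (0..1)
	Impact        float64 // cost of the event if it occurs
}

// Exposure is the article's "total risk": probability multiplied by impact.
func (r Risk) Exposure() float64 {
	return r.Threat * r.Vulnerability * r.Impact
}

// Countermeasure reduces the vulnerability component at an annual cost.
type Countermeasure struct {
	Name                  string
	Cost                  float64
	ResidualVulnerability float64
}

// Decision records the treatment chosen for one risk.
type Decision struct {
	Asset, Event, Treatment string
	Before, After, Cost     float64
}

// Treat picks the countermeasure with the largest positive net benefit
// (risk reduction minus cost). If none pays for itself the risk is accepted,
// matching the article's point that the practitioner manages risk
// cost-effectively rather than trying to eliminate it.
func Treat(r Risk, options []Countermeasure) Decision {
	d := Decision{Asset: r.Asset, Event: r.Event, Treatment: "accept",
		Before: r.Exposure(), After: r.Exposure()}
	best := 0.0
	for _, c := range options {
		after := Risk{Threat: r.Threat, Vulnerability: c.ResidualVulnerability, Impact: r.Impact}.Exposure()
		net := (r.Exposure() - after) - c.Cost
		if net > best {
			best = net
			d.Treatment = "mitigate: " + c.Name
			d.After, d.Cost = after, c.Cost
		}
	}
	return d
}

// Prioritize returns the register ordered by exposure, highest first.
func Prioritize(rs []Risk) []Risk {
	out := append([]Risk(nil), rs...)
	sort.Slice(out, func(i, j int) bool { return out[i].Exposure() > out[j].Exposure() })
	return out
}

func main() {
	// Constructed sample register; figures are illustrative, not from the article.
	register := []Risk{
		{"HR laptop", "theft with unencrypted employee data", 0.3, 0.9, 500000},
		{"web shop", "client-side price tampering", 0.8, 0.5, 20000},
		{"mail server", "spam flood degrading availability", 0.9, 0.2, 3000},
	}
	options := map[string][]Countermeasure{
		"HR laptop":   {{"full-disk encryption", 2000, 0.05}},
		"web shop":    {{"server-side price lookup", 1500, 0.02}},
		"mail server": {{"premium filtering service", 5000, 0.1}},
	}
	for _, r := range Prioritize(register) {
		d := Treat(r, options[r.Asset])
		fmt.Printf("%-12s %-40s exposure %9.0f -> %8.0f  %s (cost %.0f)\n",
			d.Asset, d.Event, d.Before, d.After, d.Treatment, d.Cost)
	}
}
```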

Standards Organizations and Standards

A number of international and national bodies have issued standards in Information Assurance.

Education and certifications

See also

  • Asset (computing)
  • Countermeasure (computer)
  • Factor Analysis of Information Risk
  • Fair information practice
  • Information Assurance Vulnerability Alert
  • Information security
  • ISO/IEC 27001
  • ISO 9001
  • ISO 17799
  • IT risk
  • McCumber cube
  • Mission assurance
  • Risk
  • Risk IT
  • Security controls
  • Tabernus
  • Threat
  • Vulnerability

External links

Documentation

EMSEC

  • AFI 33-203 Vol 1, Emission Security (Soon to be AFSSI 7700)
  • AFI 33-203 Vol 3, EMSEC Countermeasures Reviews (Soon to be AFSSI 7702)
  • AFI 33-201 Vol 8, Protected Distributed Systems (Soon to be AFSSI 7703)

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.