- Information assurance
Information assurance (IA) is the practice of managing information-related risks. More specifically, IA practitioners seek to protect and defend information and information systems by ensuring
confidentiality, integrity, authentication, availability, and non-repudiation. These goals are relevant whether the information are in storage, processing, or transit, and whether threatened by malice or accident. In other words, IA is the process of ensuring that authorized users have access to authorized information at the authorized time.
Information assurance is closely related to
information securityand the terms are sometimes used interchangeably. However, IA’s broader connotation also includes reliability and emphasizes strategic risk managementover tools and tactics. In addition to defending against malicious hackers and code (e.g., viruses), IA includes other corporate governanceissues such as privacy, compliance, audits, business continuity, and disaster recovery. Further, while information security draws primarily from computer science, IA is interdisciplinary and draws from multiple fields, including fraudexamination, forensic science, military science, management science, systems engineering, security engineering, and criminology, in addition to computer science. Therefore, IA is best thought of as a superset of information security. Information assurance is not just Computer Securitybecause it includes security issues that do not involve computers.
The U.S. Government's
National Information Assurance Glossarydefines IA as:
:"Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities."
In the 1960s, IA was not as complex as it is today. IA was as simple as controlling access to the computer room by locking the door and placing guards to protect it.
Since the 1970s, information security has held that confidentiality, integrity and availability (known as the CIA triad) as the core principles.
Confidential information must only be accessed, used, copied, or disclosed by users who have been authorized, and only when there is a genuine need. A confidentiality breech occurs when information or information systems have been, or may have been, accessed, used, copied, or disclosed, or by someone who was not authorized to have access to the information.
For example: Permitting someone to look over your shoulder at your computer screen while you have confidential data displayed on it would be a breach of confidentiality if they were not authorized to have the information. If a laptop computer, which contains employment and benefit information about 100,000 employees, is stolen from a car (or is sold on eBay) could result in a breach of confidentiality because the information is now in the hands of someone who is not authorized to have it. Giving out confidential information over the telephone is a breach of confidentiality if the caller is not authorized to have the information.
Integrity means data can "not" be created, changed, or deleted without proper authorization. It also means that data stored in one part of a
databasesystem is in agreement with other related data stored in another part of the database system (or another system).
For example: A loss of integrity occurs when an employee accidentally, or with malicious intent, deletes important data files. A loss of integrity can occur if a computer virus is released onto the computer. A loss of integrity can occur when an on-line shopper is able to change the price of the product they are purchasing.
Authenticity is necessary to ensure that the users or objects (like documents) are genuine (they have not been forged or fabricated).
For example: Authentication breech can occur when a user's login id and password is used by un-authorized users to gain un-authorized access to information and/or information systems.
Availability means that the information, the computing systems used to process the information, and the security controls used to protect the information are all available and functioning correctly when the information is needed. The opposite of availability is denial of service (DOS).Fact|date=January 2008
For example: In 2000 Amazon, CNN, eBay, and Yahoo! were victims of a DOS attack. cite web
url = http://www.royans.net/rant/2000/06/06/feb-attack-2000-ddos-attack-analysis/
title = Feb Attack 2000: DDOS Attack - analysis.
accessdate = 2008-04-09
author = Techhawking
date = February 2000
format = HTML]
Non-repudiation implies that one party of a transaction can not deny having received a transaction nor can the other party deny having sent a transaction.
For example: Electronic commerce uses technology such as
digital signatures to establish authenticity and non-repudiation.
Information assurance process
The IA process typically begins with the enumeration and classification of the information assets to be protected. Next, the IA practitioner will perform a
risk assessment. This assessment considers both the probability and impact of the undesired events. The probability component may be subdivided into threats and vulnerabilities. The impact component is usually measured in terms of cost. The product of these values is the total risk.
Based on the risk assessment, the IA practitioner will develop a risk management plan. This plan proposes countermeasures that involve mitigating, eliminating, accepting, or transferring the risks, and considers prevention, detection, and response. A framework, such as
ISO 17799or ISO/IEC 27002, may be utilized in designing this plan. Countermeasures may include tools such as firewallsand anti-virus software, policies and procedures such as regular backups and configuration hardening, training such as security awareness education, or restructuring such as forming an computer security incident response team ( CSIRT) or computer emergency response team (CERT). The cost and benefit of each countermeasure is carefully considered. Thus, the IA practitioner does not seek to eliminate all risks, were that possible, but to manage them in the most cost-effectiveway.
After the risk management plan is implemented, it is tested and evaluated, perhaps by means of formal audits. The IA process is cyclical; the risk assessment and risk management plan are continuously revised and improved based on data gleaned from evaluation.
* [http://www.cabinetoffice.gov.uk/csia/ia_review UK Government]
* [http://www.albany.edu/acc/courses/ia/classics IA References]
* [http://www.ism3.com/index.php?option=com_docman&task=doc_download&gid=5&Itemid=9 Information Assurance XML Schema Markup Language]
* [http://www.dtic.mil/whs/directives/corres/html/850002.htm DoD Instruction 8500.2] Information Assurance (IA) Implementation
* [http://www.dtic.mil/whs/directives/corres/pdf/851001p.pdf DoD Instruction 8510.01] DoD Information Assurance Certification and Accreditation Process (
* [http://www.e-publishing.af.mil/shared/media/epubs/AFI33-203V1.pdf AFI 33-203 Vol 1] , Emission Security (Soon to be AFSSI 7700)
* [http://www.e-publishing.af.mil/shared/media/epubs/AFI33-203V3.pdf AFI 33-203 Vol 3] , EMSEC Countermeasures Reviews (Soon to be AFSSI 7702)
*AFI 33-201 Vol 8, Protected Distributed Systems (Soon to be AFSSI 7703)
*AFMAN 33-223, Identification and Authentication (Soon to be AFSSI 8520)
*AFI 33-202, Vol 6, Identity Management (Soon to be AFSSI 8520)
*(Biometrics) (Soon to be AFSSI 8521)
*AFI 33-202, Vol 1, Chapter 5, Access to Information Systems (Soon to be AFSSI 8522)
*AFI 33-202, Vol 1, Para 3.11, Cross-Domain Solutions (CDS) (Soon to be AFSSI 8540)
*AFI 33-202, Vol 1, Para 4.2, Network Security (Soon to be AFSSI 8550)
*AFI 33-137, Ports, Protocols, and Services (PPS) Management (Soon to be AFSSI 8551)
*AFI 33-230, Information Assurance Assessment and Assistance Program (Soon to be AFSSI 8560)
*AFI 33-219, Section C, Notice and Consent Procedures (Soon to be AFSSI 8561)
*AFSSI 5020, Remanence Security (Soon to be AFSSI 8580)
* [http://www.nitrd.gov/subcommittee/csia.php Interagency Working Group on Cyber Security and Information Assurance (CSIA IWG) (US)]
* [http://www.nsa.gov/ia/ National Security Agency Information Assurance Directorate (NSA IAD) (US)]
* [http://www.cabinetoffice.gov.uk/csia/ia_review Government - Central Sponsor for Information Assurance (UK)]
* [http://www.nsa.gov/ia/industry/niap.cfm National Information Assurance Partnership (US)]
* [http://www.iaac.org.uk/ Information Assurance Advisory Council (UK)]
* [http://www.iatf.net/ Information Assurance Technical Framework Forum (US)]
* [http://iac.dtic.mil/iatac/ Information Assurance Technology Analysis Center, IATAC (US)]
* [http://iase.disa.mil/ditscap/ DoD Information Assurance Certification and Accreditation Process (DIACAP)(US)]
Education and certifications
The Master of Science in Information Assurance (
MSIA) is a multidisciplinary degree program offered by many leading institutions which combines theory with applied learning in order to enable security practitioners in the field of information security.
There is a current and future need for
information assuranceprofessionals to support the security needs of the world's information infrastructure. Information Assurance has become a critical issue for businesses in the current era as they wrestle with the problems of external and internal network attack, cyberterrorism, access control systems and regulatory compliancerequirements.
MSIAdegree is a multidisciplinary degree that creates professionals able to navigate and manage the many challenges presented by the demands of modern security and information science.
Colleges and universities in the United States with accredited
Master of Science in Information Assuranceor Masters of Information Assurancedegree programs
Capitol College, Master of Science in Information Assurance [http://www.capitol-college.edu/academicprograms/graduateprograms/msiae/index.shtml] Laurel, Maryland
Dakota State UniversityDakota State University [http://www.dsu.edu/msia/] Madison, South Dakota
Northeastern University, College of Computer an Information Science & College of Criminal Justice, [http://www.ccs.neu.edu/graduate/msia.html] Boston, MA
University of Detroit MercyCollege of Business Administration [http://business.udmercy.edu/ia.php] Detroit, Michigan
Walsh College of Accountancy and BusinessWalsh College [http://www.walshcollege.edu/?id=846&sid=1] Troy, Michigan
Norwich University* [http://www.graduate.norwich.edu/infoassurance] Northfield, Vermont
* [http://www.defenselink.mil/cio-nii/infoassurance/diap/ Defense-Wide Information Assurance Program]
* [http://security.isu.edu/ Idaho State University Information Assurance Program]
* [http://mbaia.mgt.unm.edu/ University of New Mexico Information Assurance Program (
Anderson School of Management)] Albuquerque, New Mexico
* [http://csepi.utdallas.edu/information_assurance.htm University of Texas at Dallas Information Assurance Program]
* [http://www.bus.iastate.edu/MSIA/ Iowa State Master of Science in Information Assurance]
* [http://www.nsa.gov/ia/academia/caeiae.cfm National Security Agency's Centers of Academic Excellence]
* [http://www.giac.org/ The SANS Institute’s Global Information Assurance Certification Program]
* [http://www.cert.org/sia/ CERT: Survivability and Information Assurance Curriculum]
* [http://www.amazon.com/dp/1599041715/ Book: Managing Information Assurance in Financial Services]
* [http://elamb.org/category/assurance/ security blog: Information Assurance]
* [http://www.nsa.gov/ia/academia/caeiae.cfm National Centers of Academic Excellence in Information Assurance Education (CAEIAE)]
* [http://niatec.info/(S(41xa2dq21etse3bfkbigso45))/index.aspx National Information Assurance Training and Education Center]
* [http://iase.disa.mil/eta/ IA Education, Training and Awareness]
* [http://www.cerias.purdue.edu/education/post_secondary_education/past_offerings/faculty_development/info_assurance_education/ Information Assurance Education Graduate Certificate Program]
* [http://coeia.edu.sa/en/ Center of Excellence in Information Assurance, King Saud University, Saudi Arabia]
Wikimedia Foundation. 2010.