
Information assurance


Information assurance (IA) is the practice of managing information-related risks. More specifically, IA practitioners seek to protect the confidentiality, integrity, and availability of data and their delivery systems. These goals are relevant whether the data are in storage, processing, or transit, and whether threatened by malice or accident. In other words, IA is the process of ensuring that the right people get the right information at the right time.

Information assurance is closely related to information security and the terms are sometimes used interchangeably. However, IA's broader connotation also includes reliability and emphasizes strategic risk management over tools and tactics. In addition to defending against malicious hackers and code (e.g., viruses), IA includes other corporate governance issues such as privacy, compliance, audits, business continuity, and disaster recovery. Further, while information security draws primarily from computer science, IA is interdisciplinary and draws from multiple fields, including fraud examination, forensic science, military science, management science, systems engineering, security engineering, and criminology, in addition to computer science. Therefore, IA is best thought of as a superset of information security. Information assurance is not just computer security because it includes security issues that do not involve computers.

The U.S. Government's National Information Assurance Glossary defines IA as:

Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and nonrepudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.

Information assurance process

The IA process typically begins with the enumeration and classification of the information assets to be protected. Next, the IA practitioner will perform a risk assessment. This assessment considers both the probability and impact of the undesired events. The probability component may be subdivided into threats and vulnerabilities. The impact component is usually measured in terms of cost. The product of these values is the total risk.

Based on the risk assessment, the IA practitioner will develop a risk management plan. This plan proposes countermeasures that involve mitigating, eliminating, accepting, or transferring the risks, and considers prevention, detection, and response. A framework, such as ISO 17799 or ISO/IEC 27002, may be utilized in designing this plan. Countermeasures may include tools such as firewalls and anti-virus software, policies and procedures such as regular backups and configuration hardening, training such as security awareness education, or restructuring such as forming a computer security incident response team (CSIRT) or computer emergency response team (CERT). The cost and benefit of each countermeasure are carefully considered. Thus, the IA practitioner does not seek to eliminate all risks, were that possible, but to manage them in the most cost-effective way.

After the risk management plan is implemented, it is tested and evaluated, perhaps by means of formal audits. The IA process is cyclical; the risk assessment and risk management plan are continuously revised and improved based on data gleaned from evaluation.
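The risk assessment and cost-benefit step described above can be sketched as a small risk register. This is an added example, not part of the original article: the asset names, probabilities, costs and the "mail filtering gateway" and "on-site guard" controls are constructed for illustration, and only the mitigate and accept options are modelled.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    asset: str
    event: str
    threat: float         # chance per year that the threat materialises (0..1)
    vulnerability: float  # chance it succeeds against current controls (0..1)
    impact: float         # cost of one occurrence

    def exposure(self, vulnerability=None):
        """Total risk = probability (threat x vulnerability) x impact."""
        v = self.vulnerability if vulnerability is None else vulnerability
        return self.threat * v * self.impact

@dataclass
class Countermeasure:
    name: str
    event: str                  # the undesired event it addresses
    annual_cost: float
    vulnerability_after: float  # vulnerability once the control is in place

def risk_plan(risks, countermeasures):
    """Rank risks by exposure; mitigate only where a control pays for itself."""
    plan = []
    for r in sorted(risks, key=lambda r: r.exposure(), reverse=True):
        choice, best_net = "accept", 0.0
        for c in countermeasures:
            if c.event != r.event:
                continue
            net = r.exposure() - r.exposure(c.vulnerability_after) - c.annual_cost
            if net > best_net:
                choice, best_net = c.name, net
        plan.append((r.asset, r.event, r.exposure(), choice, best_net))
    return plan

# Constructed sample register (all figures are illustrative).
RISKS = [
    Risk("lobby kiosk", "device theft", 0.25, 0.5, 2_000),
    Risk("customer database", "malware infection", 0.5, 0.5, 200_000),
    Risk("finance mailboxes", "phishing", 0.5, 0.5, 40_000),
]
CONTROLS = [
    Countermeasure("anti-virus software", "malware infection", 5_000, 0.125),
    Countermeasure("security awareness education", "phishing", 2_000, 0.25),
    Countermeasure("mail filtering gateway", "phishing", 6_000, 0.125),
    Countermeasure("on-site guard", "device theft", 30_000, 0.125),
]
```

In this register the mail filtering gateway reduces phishing risk the most, yet awareness education is chosen because its net benefit is higher, and the kiosk theft risk is accepted because the guard costs far more than the loss it prevents.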

External links

Documentation

_EMSEC_

  • AFI 33-203, Vol 1, Emission Security (Soon to be AFSSI 7700)
  • AFI 33-203, Vol 3, EMSEC Countermeasures Reviews (Soon to be AFSSI 7702)
  • AFI 33-210, Vol 8, Protected Distributed Systems (Soon to be AFSSI 7703)

_COMPUSEC_

  • AFMAN 33-223, Identification and Authentication (Soon to be AFSSI 8520)
  • AFI 33-202, Vol 6, Identity Management (Soon to be AFSSI 8520)
  • (Biometrics) (Soon to be AFSSI 8521)
  • AFI 33-202, Vol 1, Chapter 5, Access to Information Systems (Soon to be AFSSI 8522)
  • AFI 33-202, Vol 1, Para 3.11, Cross-Domain Solutions (CDS) (Soon to be AFSSI 8540)
  • AFI 33-202, Vol 1, Para 4.2, Network Security (Soon to be AFSSI 8550)
  • AFI 33-137, Ports, Protocols, and Services (PPS) Management (Soon to be AFSSI 8551)
  • AFI 33-230, Information Assurance Assessment and Assistance Program (Soon to be AFSSI 8560)
  • AFI 33-219, Section C, Notice and Consent Procedures (Soon to be AFSSI 8561)
  • AFSSI 5020, Remanence Security (Soon to be AFSSI 8580)

Copyrights
Information assurance from Wikipedia. ©2006 by Wikipedia. Licensed under the GNU Free Documentation License.
