Information assurance (IA) is the practice of managing information, and the systems that process it, so that it is protected from unauthorized access, use, modification, and disruption. The five pillars (often listed as the five responsibilities) of information assurance are:
- Authentication: Verifying the identity of users and systems before granting access, through passwords, security questions, hardware tokens, or other factors.
- Availability: Making sure information and the systems that hold it are reachable by authorized users when they need them, including resilience against outages and denial-of-service attacks.
- Confidentiality: Maintaining the privacy of information so that only authorized users can read it.
- Integrity: Making sure information is not altered or destroyed, whether accidentally or maliciously, without the change being detected.
- Nonrepudiation: Keeping evidence (for example digital signatures and audit logs) that ties an action to the user who performed it, so that the user cannot later deny having taken it.
People, processes, and technology are all an important part of the information assurance process.
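The difference between integrity and nonrepudiation is easiest to see in code. The following is an added example, not part of the original page: it uses Python's standard library only, so the "digital signature" is a Lamport one-time signature built from SHA-256 (an assumption made here for portability; production systems use RSA, ECDSA or Ed25519 through a library). An HMAC with a shared key protects integrity, but because the receiver holds the same key it can mint a valid tag for any message, so it proves nothing about who authored it. A signature made with a key that only the signer holds does. The message text and keys are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Integrity with a shared secret: an HMAC tag detects tampering, but anyone
# holding the key (sender *or* receiver) can produce a valid tag, so it cannot
# prove which party authored a message.
def mac_tag(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def mac_verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(key, msg), tag)

# Nonrepudiation with a digital signature. A Lamport one-time signature over
# SHA-256 is used here (an assumption, chosen because it needs only the standard
# library): the signer alone holds the private key, the verifier holds only
# hashes of it, so a valid signature could only have come from the signer.
def _msg_bits(msg: bytes) -> list:
    digest = hashlib.sha256(msg).digest()
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def lamport_keygen():
    # private key: 256 pairs of random 32-byte secrets, one pair per digest bit
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    # public key: the SHA-256 hash of every secret, safe to publish
    pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]
    return sk, pk

def lamport_sign(sk, msg: bytes) -> list:
    # reveal, for each bit of H(msg), the secret matching that bit value;
    # a key pair must be used for ONE message only, or revealed halves leak
    return [sk[i][bit] for i, bit in enumerate(_msg_bits(msg))]

def lamport_verify(pk, msg: bytes, sig: list) -> bool:
    if len(sig) != 256:
        return False
    return all(
        hmac.compare_digest(hashlib.sha256(s).digest(), pk[i][bit])
        for i, (s, bit) in enumerate(zip(sig, _msg_bits(msg)))
    )

def demo() -> dict:
    msg = b"Transfer 100 to account 42"        # constructed sample message
    other = b"Transfer 900 to account 42"      # constructed substitute message
    shared_key = secrets.token_bytes(32)       # key known to both parties

    tag = mac_tag(shared_key, msg)
    # the receiver, who also holds shared_key, can mint a tag for any message
    forged_tag = mac_tag(shared_key, other)

    sk, pk = lamport_keygen()
    sig = lamport_sign(sk, msg)
    # someone holding only pk cannot produce a valid signature: they would
    # need SHA-256 preimages, so a guessed signature (modelled here) fails
    bogus_sig = [secrets.token_bytes(32) for _ in range(256)]

    return {
        "mac_ok": mac_verify(shared_key, msg, tag),
        "mac_detects_tamper": not mac_verify(shared_key, msg + b"!", tag),
        "mac_receiver_can_forge": mac_verify(shared_key, other, forged_tag),
        "sig_ok": lamport_verify(pk, msg, sig),
        "sig_detects_tamper": not lamport_verify(pk, msg + b"!", sig),
        "sig_forgery_fails": not lamport_verify(pk, other, bogus_sig),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the block shows every check as True: both mechanisms catch tampering, but only the shared-key MAC lets the receiver fabricate a message that verifies, which is exactly why a MAC cannot support nonrepudiation. Note that a Lamport key pair is single-use; signing a second message with the same key reveals further private-key halves and lets a verifier forge signatures on other messages.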
Aspects of Information Assurance
The many aspects of information assurance include:
- Access control: Controlling who can reach which information, including the types of access control (physical, administrative, technical, and logical) and the vulnerabilities of each.
- Business continuity and disaster recovery planning: Responding to incidents, responding to emergencies, developing a disaster recovery plan to guide an organization’s response to facility damage or major loss of enterprise capability, and developing a business continuity plan containing procedures about how an organization will continue business functions during and after a significant disruption.
- Cryptography: Protecting information with encryption (for confidentiality), hashes and message authentication codes (for integrity), and digital signatures (for authentication and nonrepudiation).
- Information security and risk management: Conducting a risk assessment, implementing a risk mitigation strategy, continuous monitoring of information system security, and documenting the risk management program.
- Legal, regulations, investigations, and compliance: Staying up-to-date on legal and regulatory requirements.
- Operations security: Managing and protecting operational resources, including input and output controls and penetration testing.
- Physical (environmental) security: Assessing threats to a physical site, implementing environmental mechanisms to protect a site, and securing a site.
- Security architecture and design: Developing a process and controls that address the security requirements of a particular environment/scenario.
- Software development security: Building security into the software development life cycle, from requirements and design through coding, testing, and deployment.
- Security models and architecture: Understanding the different models for setting up security and how they fit specific situations.
- Telecommunications and network security: Understanding network security controls, the power and environmental issues that affect network availability (blackouts, brownouts, and power surges), and the related policy and management issues.
Information Assurance Framework
An information assurance framework for an organization provides a plan of action with the required tools, trained personnel, and tested procedures to protect valuable information. One approach is to use the Information Technology Assurance Framework (ITAF) provided by the Information Systems Audit and Control Association (ISACA). This framework defines IT assurance terms and concepts, provides guidance on designing, conducting, and reporting IT audit and assurance assignments, and sets standards concerning the roles and responsibilities of IT audit and assurance professionals.