Information Assurance - Wikipedia


Information assurance

Information assurance (IA) is the practice of assuring information and managing risks related to
the use, processing, storage, and transmission of information. Information assurance includes
protection of the integrity, availability, authenticity, non-repudiation and confidentiality of user
data.[1] IA encompasses both digital protections and physical techniques. These methods apply to data
in transit, both physical and electronic forms, as well as data at rest. IA is best thought of as a superset
of information security (i.e. umbrella term), and as the business outcome of information risk
management.

Overview
Information assurance (IA) is the process of processing, storing, and transmitting the right
information to the right people at the right time.[1] IA relates to the business level and strategic
risk management of information and related systems, rather than the creation and application of
security controls. IA is used to benefit business through the use of information risk management,
trust management, resilience, appropriate architecture, system safety, and security, which increases
the utility of information to only its authorized users.

Besides defending against malicious hackers and code (e.g., viruses), IA practitioners consider
corporate governance issues such as privacy, regulatory and standards compliance, auditing,
business continuity, and disaster recovery as they relate to information systems. Further, IA is an
interdisciplinary field requiring expertise in business, accounting, user experience, fraud
examination, forensic science, management science, systems engineering, security engineering, and
criminology, in addition to computer science.

Figure: The McCumber Cube, one of the common information assurance schematics

Evolution
With the growth of telecommunication networks also comes dependency on those networks, which
makes communities increasingly vulnerable to cyber attacks that could interrupt, degrade or destroy
vital services.[2] Starting from the 1950s the role and use of information assurance has grown and
evolved. These feedback loop practices were employed while developing WWMCCS military decision
support systems.

In the beginning information assurance involved just the backing up of data.[3] However, once the
volume of information increased, the act of information assurance began to become automated,
reducing the use of operator intervention and allowing for the creation of instant backups.[3] The
last main development of information assurance is implementing distributed systems for the
processing and storage of data through techniques like SANs and NAS plus using cloud
computing.[4][5][3]

Figure: OODA feedback loop diagram

These three main developments of information assurance parallel the three generations of
information technologies: the first used to prevent intrusions, the second to detect intrusions and
the third for survivability.[6][7] Information assurance is a collaborative effort of all sectors of
life to allow a free and equal exchange of ideas.

Pillars
Information assurance is built on five pillars: availability, integrity, authentication,
confidentiality and non-repudiation.[8] These pillars are taken into account to protect systems
while still allowing them to provide services efficiently; however, the pillars do not act
independently of one another, and strengthening one can interfere with the goals of the others.[8]
These pillars of information assurance have slowly come to be referred to as the pillars of cyber
security. As an administrator, it is important to emphasize the pillars needed to achieve the
desired result for the information system, balancing the aspects of service and privacy.

Authentication

Authentication refers to the verification of the validity of a transmission, originator, or process
within an information system.[9] Authentication gives the recipient confidence in the data sender's
validity as well as the validity of their message.[8] There exist many ways to bolster
authentication, which mainly break down into three categories: personally identifiable information
such as a person's name, address or telephone number; access to a key token; or known information,
like passwords.[10]

Integrity

Integrity refers to the protection of information from unauthorized alteration.[3] The goal of
information integrity is to ensure data is accurate throughout its entire lifespan.[11][12] User
authentication is a critical enabler for information integrity.[8] Information integrity is a
function of the number of degrees of trust existing between the ends of an information
exchange.[12] One way information integrity risk is mitigated is through the use of redundant chip
and software designs.[13] A failure of authentication could pose a risk to information integrity,
as it would allow an unauthorized party to alter content. For example, if a hospital has inadequate
password policies, an unauthorized user could gain access to an information system governing the
delivery of medication to patients and risk altering the treatment course to the detriment of a
particular patient.[12]

Availability

The pillar of availability refers to the preservation of data so that it can be retrieved or
modified by authorized individuals. Higher availability is preserved through an increase in storage
system or channel reliability.[8] Breaches in information availability can result from power
outages, hardware failures, DDoS attacks, etc. The goal of high availability is to preserve access
to information. Availability of information can be bolstered by the use of backup power, spare data
channels, off-site capabilities and continuous signal.[12]

Confidentiality

Confidentiality is in essence the opposite of integrity. Confidentiality is a security measure which
protects against who is able to access the data, which is done by shielding who has access to the
information.[8] This is different from integrity, as integrity is shielding who can change the
information. Confidentiality is often ensured with the use of cryptography and steganography of
data.[3] Confidentiality can be seen within the classification and information superiority of
international operations such as NATO.[14] Information assurance confidentiality in the United
States needs to follow HIPAA and healthcare provider security policy, information labeling and
need-to-know regulations to ensure nondisclosure of information.[12]

Non-repudiation

Non-repudiation is the integrity of the data to be true to its origin, which prevents possible
denial that an action occurred.[3][1] Increasing non-repudiation makes it more difficult to deny
that the information comes from a certain source. In other words, it makes it so that you cannot
dispute the source or authenticity of the data. Attacks on non-repudiation involve the reduction of
data integrity while that data is in transit, usually through a man-in-the-middle attack or
phishing.[15]

Interactions of Pillars

As stated earlier, the pillars do not interact independently of one another, with some pillars
impeding the functioning of other pillars or, in the opposite case, boosting other pillars.[8] For
example, increasing the availability of information works directly against the goals of three other
pillars: integrity, authentication and confidentiality.[8]

Process
The information assurance process typically begins with the enumeration and classification of the
information assets to be protected. Next, the IA practitioner will perform a risk assessment for those
assets.[16] Vulnerabilities in the information assets are determined in order to enumerate the threats
capable of exploiting the assets. The assessment then considers both the probability and impact of a
threat exploiting a vulnerability in an asset, with impact usually measured in terms of cost to the
asset's stakeholders.[17] The sum of the products of the threats' impact and the probability of their
occurring is the total risk to the information asset.

With the risk assessment complete, the IA practitioner then develops a risk management plan. This
plan proposes countermeasures that involve mitigating, eliminating, accepting, or transferring the
risks, and considers prevention, detection, and response to threats.

A framework published by a standards organization, such as NIST RMF, Risk IT, CobiT, PCI DSS or
ISO/IEC 27002, may guide development. Countermeasures may include technical tools such as
firewalls and anti-virus software, policies and procedures requiring such controls as regular backups
and configuration hardening, employee training in security awareness, or organizing personnel into a
dedicated computer emergency response team (CERT) or computer security incident response team
(CSIRT). The cost and benefit of each countermeasure is carefully considered. Thus, the IA
practitioner does not seek to eliminate all risks but to manage them in the most cost-effective
way.[18]

After the risk management plan is implemented, it is tested and evaluated, often by means of formal
audits.[16] The IA process is an iterative one, in that the risk assessment and risk management plan
are meant to be periodically revised and improved based on data gathered about their completeness
and effectiveness.[2]
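The process above carried through in code, as an added example that is not part of the article: a
small Python risk register that computes each asset's total risk as the sum of impact multiplied by
probability over its threats, then checks the cost and benefit of candidate countermeasures and
decides whether to mitigate or accept. Every asset, threat, probability, impact and cost below is a
constructed sample value, not data from the article or any cited source.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Threat:
    name: str
    probability: float  # likelihood per year that this threat exploits a vulnerability in the asset
    impact: float       # cost to the asset's stakeholders if it does (constructed currency units)


@dataclass
class Asset:
    name: str
    classification: str  # result of the enumeration/classification step
    threats: list[Threat] = field(default_factory=list)

    def total_risk(self) -> float:
        # The article's definition: sum over threats of impact x probability of occurrence.
        return sum(t.impact * t.probability for t in self.threats)


@dataclass
class Countermeasure:
    name: str
    annual_cost: float
    # Residual probability factor per threat name once the control is in place (1.0 = no effect).
    residual_factor: dict[str, float] = field(default_factory=dict)


def residual_risk(asset: Asset, cm: Countermeasure) -> float:
    """Total risk that remains after the countermeasure scales down the threats it addresses."""
    return sum(t.impact * t.probability * cm.residual_factor.get(t.name, 1.0)
               for t in asset.threats)


def net_benefit(asset: Asset, cm: Countermeasure) -> float:
    """Risk reduction bought by the control minus its cost; negative means not cost-effective."""
    return (asset.total_risk() - residual_risk(asset, cm)) - cm.annual_cost


def recommend(asset: Asset, options: list[Countermeasure]) -> tuple[str, Optional[str]]:
    """Mitigate with the control of highest positive net benefit, otherwise accept the risk."""
    best = max(options, key=lambda cm: net_benefit(asset, cm))
    if net_benefit(asset, best) <= 0:
        return ("accept", None)
    return ("mitigate", best.name)


# Constructed sample register (hypothetical figures, not measured data).
MEDICATION_SYSTEM = Asset("medication delivery system", "confidential", [
    Threat("credential guessing", probability=0.30, impact=200_000),
    Threat("power outage", probability=0.10, impact=50_000),
])
PUBLIC_BROCHURE = Asset("public brochure site", "public", [
    Threat("defacement", probability=0.20, impact=2_000),
])
OPTIONS = [
    Countermeasure("password policy and MFA", annual_cost=15_000,
                   residual_factor={"credential guessing": 0.1}),
    Countermeasure("backup power", annual_cost=40_000,
                   residual_factor={"power outage": 0.2}),
]

if __name__ == "__main__":
    for asset in (MEDICATION_SYSTEM, PUBLIC_BROCHURE):
        print(f"{asset.name}: total risk {asset.total_risk():,.0f}, decision {recommend(asset, OPTIONS)}")
```

Re-running the register after a control is deployed, with the residual figures as the new baseline, is the
periodic revision the iterative process calls for.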

There are two meta-techniques with information assurance: audit and risk assessment.[16]

Business Risk Management

Business risk management breaks down into three main processes: risk assessment, risk mitigation,
and evaluation and assessment. Information assurance is one of the methodologies which
organizations use to implement business risk management, through the use of information assurance
policies like the "BRICK" framework.[1] Additionally, business risk management also occurs to
comply with federal and international laws regarding the release and security of information, such
as HIPAA.[19]

Information assurance can be aligned with corporate strategies through training and awareness,
senior management involvement and support, and intra-organizational communication, allowing for
greater internal control and business risk management.[20]

Many security executives in firms are moving to a reliance on information assurance to protect
intellectual property, protect against potential data leakage, and protect users against
themselves.[17] While information assurance is good at ensuring certain pillars like
confidentiality and non-repudiation, because of their conflicting nature an increase in security
often comes at the expense of speed.[8][17] Using information assurance in the business model
improves reliable management decision-making, customer trust, business continuity and good
governance in both public and private sectors.[21]

Standards organizations and standards

There are a number of international and national bodies that issue standards on information
assurance practices, policies, and procedures. In the UK, these include the Information Assurance
Advisory Council and the Information Assurance Collaboration Group.[4]

See also

Asset (computing)
COBIT (benchmark)
Countermeasure (computer)
Decision support system
ISO/IEC 27001
ISO 9001
ISO 17799
Mission assurance
Risk
Risk IT
Risk management framework
Factor Analysis of Information Risk
Fair information practice
Information Assurance Vulnerability Alert
Information security
Security controls
Threat
Vulnerability
Gordon–Loeb model for cyber security investments
Hawaii International Conference on System Sciences

References
Notes

1. Sosin, Artur (2018-04-01). "How to Increase the Information Assurance in the Information Age" (https://doaj.org/). Journal of Defense Resources Management. 9 (1): 45–57. ISSN 2068-9403 (https://www.worldcat.org/issn/2068-9403).
2. McConnell, M. (April 2002). "Information assurance in the twenty-first century" (https://ieeexplore.ieee.org/document/1012425). Computer. 35 (4): supl16–supl19. doi:10.1109/MC.2002.1012425 (https://doi.org/10.1109%2FMC.2002.1012425). ISSN 0018-9162 (https://www.worldcat.org/issn/0018-9162).
3. Cummings, R. (December 2002). "The evolution of information assurance" (https://ieeexplore.ieee.org/document/1106181). Computer. 35 (12): 65–72. doi:10.1109/MC.2002.1106181 (https://doi.org/10.1109%2FMC.2002.1106181). ISSN 0018-9162 (https://www.worldcat.org/issn/0018-9162).
4. Pringle, Nick; Burgess, Mikhaila (May 2014). "Information assurance in a distributed forensic cluster" (https://doi.org/10.1016%2Fj.diin.2014.03.005). Digital Investigation. 11: S36–S44. doi:10.1016/j.diin.2014.03.005 (https://doi.org/10.1016%2Fj.diin.2014.03.005).
5. Chakraborty, Rajarshi; Ramireddy, Srilakshmi; Raghu, T.S.; Rao, H. Raghav (July 2010). "The Information Assurance Practices of Cloud Computing Vendors" (https://dx.doi.org/10.1109/mitp.2010.44). IT Professional. 12 (4): 29–37. doi:10.1109/mitp.2010.44 (https://doi.org/10.1109%2Fmitp.2010.44). ISSN 1520-9202 (https://www.worldcat.org/issn/1520-9202). S2CID 8059538 (https://api.semanticscholar.org/CorpusID:8059538).
6. Luenam, P.; Peng Liu (2003). "The design of an adaptive intrusion tolerant database system". Foundations of Intrusion Tolerant Systems, 2003 [Organically Assured and Survivable Information Systems] (https://dx.doi.org/10.1109/fits.2003.1264925). IEEE. pp. 14–21. doi:10.1109/fits.2003.1264925 (https://doi.org/10.1109%2Ffits.2003.1264925). ISBN 0-7695-2057-X. S2CID 14058057 (https://api.semanticscholar.org/CorpusID:14058057).
7. Liu, Peng; Zang, Wanyu (2003). "Incentive-based modeling and inference of attacker intent, objectives, and strategies" (https://dx.doi.org/10.1145/948109.948135). Proceedings of the 10th ACM conference on Computer and communications security. New York, New York, USA: ACM Press. p. 179. doi:10.1145/948109.948135 (https://doi.org/10.1145%2F948109.948135). ISBN 1-58113-738-9. S2CID 3897784 (https://api.semanticscholar.org/CorpusID:3897784).
8. Wilson, Kelce S. (July 2013). "Conflicts Among the Pillars of Information Assurance" (https://dx.doi.org/10.1109/mitp.2012.24). IT Professional. 15 (4): 44–49. doi:10.1109/mitp.2012.24 (https://doi.org/10.1109%2Fmitp.2012.24). ISSN 1520-9202 (https://www.worldcat.org/issn/1520-9202). S2CID 27170966 (https://api.semanticscholar.org/CorpusID:27170966).
9. Sadiku, Matthew; Alam, Shumon; Musa, Sarhan (2017). "Information Assurance Benefits and Challenges: An Introduction" (http://procon.bg/article/information-assurance-benefits-and-challenges-introduction). procon.bg. Retrieved 2020-11-28.
10. San Nicolas-Rocca, Tonia; Burkhard, Richard J (2019-06-17). "Information Security in Libraries" (https://doi.org/10.6017%2Fital.v38i2.10973). Information Technology and Libraries. 38 (2): 58–71. doi:10.6017/ital.v38i2.10973 (https://doi.org/10.6017%2Fital.v38i2.10973). ISSN 2163-5226 (https://www.worldcat.org/issn/2163-5226).
11. Boritz, J. Efrim (December 2005). "IS practitioners' views on core concepts of information integrity" (https://linkinghub.elsevier.com/retrieve/pii/S1467089505000473). International Journal of Accounting Information Systems. 6 (4): 260–279. doi:10.1016/j.accinf.2005.07.001 (https://doi.org/10.1016%2Fj.accinf.2005.07.001).
12. Schou, C.D.; Frost, J.; Maconachy, W.V. (January 2004). "Information assurance in biomedical informatics systems" (https://ieeexplore.ieee.org/document/1297181). IEEE Engineering in Medicine and Biology Magazine. 23 (1): 110–118. doi:10.1109/MEMB.2004.1297181 (https://doi.org/10.1109%2FMEMB.2004.1297181). ISSN 0739-5175 (https://www.worldcat.org/issn/0739-5175). PMID 15154266 (https://pubmed.ncbi.nlm.nih.gov/15154266). S2CID 7746947 (https://api.semanticscholar.org/CorpusID:7746947).
13. Yan, Aibin; Hu, Yuanjie; Cui, Jie; Chen, Zhili; Huang, Zhengfeng; Ni, Tianming; Girard, Patrick; Wen, Xiaoqing (2020-06-01). "Information Assurance Through Redundant Design: A Novel TNU Error-Resilient Latch for Harsh Radiation Environment" (https://dx.doi.org/10.1109/tc.2020.2966200). IEEE Transactions on Computers. 69 (6): 789–799. doi:10.1109/tc.2020.2966200 (https://doi.org/10.1109%2Ftc.2020.2966200). ISSN 0018-9340 (https://www.worldcat.org/issn/0018-9340). S2CID 214408357 (https://api.semanticscholar.org/CorpusID:214408357).
14. Hanna, Michael; Granzow, David; Bolte, Bjorn; Alvarado, Andrew (2017). "NATO Intelligence and Information Sharing: Improving NATO Strategy for Stabilization and Reconstruction Operations" (https://doi.org/10.11610%2Fconnections.16.4.01). Connections: The Quarterly Journal. 16 (4): 5–34. doi:10.11610/connections.16.4.01 (https://doi.org/10.11610%2Fconnections.16.4.01). ISSN 1812-1098 (https://www.worldcat.org/issn/1812-1098).
15. Chen, Chin-Ling; Chiang, Mao-Lun; Hsieh, Hui-Ching; Liu, Ching-Cheng; Deng, Yong-Yuan (2020-05-08). "A Lightweight Mutual Authentication with Wearable Device in Location-Based Mobile Edge Computing" (https://dx.doi.org/10.1007/s11277-020-07240-2). Wireless Personal Communications. 113 (1): 575–598. doi:10.1007/s11277-020-07240-2 (https://doi.org/10.1007%2Fs11277-020-07240-2). ISSN 0929-6212 (https://www.worldcat.org/issn/0929-6212). S2CID 218934756 (https://api.semanticscholar.org/CorpusID:218934756).
16. Such, Jose M.; Gouglidis, Antonios; Knowles, William; Misra, Gaurav; Rashid, Awais (July 2016). "Information assurance techniques: Perceived cost effectiveness" (https://linkinghub.elsevier.com/retrieve/pii/S0167404816300311). Computers & Security. 60: 117–133. doi:10.1016/j.cose.2016.03.009 (https://doi.org/10.1016%2Fj.cose.2016.03.009).
17. Johnson, M. E.; Goetz, E.; Pfleeger, S. L. (May 2009). "Security through Information Risk Management" (https://ieeexplore.ieee.org/document/5054909). IEEE Security & Privacy. 7 (3): 45–52. doi:10.1109/MSP.2009.77 (https://doi.org/10.1109%2FMSP.2009.77). ISSN 1558-4046 (https://www.worldcat.org/issn/1558-4046). S2CID 30062820 (https://api.semanticscholar.org/CorpusID:30062820).
18. Singh, R.; Salam, A.F. (May 2006). "Semantic information assurance for secure distributed knowledge management: a business process perspective" (https://ieeexplore.ieee.org/document/1632282). IEEE Transactions on Systems, Man, and Cybernetics - Part A: Systems and Humans. 36 (3): 472–486. doi:10.1109/TSMCA.2006.871792 (https://doi.org/10.1109%2FTSMCA.2006.871792). ISSN 1083-4427 (https://www.worldcat.org/issn/1083-4427). S2CID 10191333 (https://api.semanticscholar.org/CorpusID:10191333).
19. Park, Insu; Sharman, Raj; Rao, H. Raghav (2015-02-02). "Disaster Experience and Hospital Information Systems: An Examination of Perceived Information Assurance, Risk, Resilience, and HIS Usefulness" (https://dx.doi.org/10.25300/misq/2015/39.2.03). MIS Quarterly. 39 (2): 317–344. doi:10.25300/misq/2015/39.2.03 (https://doi.org/10.25300%2Fmisq%2F2015%2F39.2.03). ISSN 0276-7783 (https://www.worldcat.org/issn/0276-7783).
20. McFadzean, Elspeth; Ezingeard, Jean-Noël; Birchall, David (2011-04-08). "Information Assurance and Corporate Strategy: A Delphi Study of Choices, Challenges, and Developments for the Future" (http://www.tandfonline.com/doi/abs/10.1080/10580530.2011.562127). Information Systems Management. 28 (2): 102–129. doi:10.1080/10580530.2011.562127 (https://doi.org/10.1080%2F10580530.2011.562127). ISSN 1058-0530 (https://www.worldcat.org/issn/1058-0530). S2CID 11624922 (https://api.semanticscholar.org/CorpusID:11624922).
21. Ezingeard, Jean-Noël; McFadzean, Elspeth; Birchall, David (March 2005). "A Model of Information Assurance Benefits" (http://www.tandfonline.com/doi/abs/10.1201/1078/45099.22.2.20050301/87274.3). Information Systems Management. 22 (2): 20–29. doi:10.1201/1078/45099.22.2.20050301/87274.3 (https://doi.org/10.1201%2F1078%2F45099.22.2.20050301%2F87274.3). ISSN 1058-0530 (https://www.worldcat.org/issn/1058-0530). S2CID 31840083 (https://api.semanticscholar.org/CorpusID:31840083).


External links

Documentation
UK Government (http://webarchive.nationalarchives.gov.uk/20070701085630/http%3A//www.cabinetoffice.gov.uk/csia/ia_review/)
HMG INFOSEC STANDARD NO. 2 (https://web.archive.org/web/20121119023649/http://www.cpni.gov.uk/Documents/Publications/2005/2005003-Risk_management.pdf) Risk management and accreditation of information systems (2005)
IA References (http://www.albany.edu/acc/courses/ia/classics)
Information Assurance XML Schema Markup Language (http://www.ism3.com/index.php?option=com_docman&task=doc_download&gid=5&Itemid=9)
DoD Directive 8500.01 (https://web.archive.org/web/20140429193839/http://www.dtic.mil/whs/directives/corres/pdf/850001_2014.pdf) Information Assurance
DoD IA Policy Chart (https://web.archive.org/web/20091015230309/http://iac.dtic.mil/iatac/ia_policychart.html)
Archive of Information Assurance (http://iaarchive.fi)

Information assurance has also evolved due to social media.


Retrieved from "https://en.wikipedia.org/w/index.php?title=Information_assurance&oldid=1169297326"
