Information assurance (IA) is the practice of assuring information and managing risks related to the use, processing, storage, and transmission of information or data and the systems and processes used for those purposes. While focused dominantly on information in digital form, the full range of IA encompasses not only digital but also analog or physical form. Information assurance as a field has grown from the practice of information security which in turn grew out of practices and procedures of computer security.
Information assurance is related to the field of information security, in that it is primarily concerned with the protection of information systems and their contents. Generally considered the more broadly-focused of these two fields, IA consists more of the strategic risk management of information systems rather than the creation and application of security controls. In addition to defending against malicious hackers and code (e.g., viruses), IA practitioners consider corporate governance issues such as privacy, regulatory and standards compliance, auditing, business continuity, and disaster recovery as they relate to information systems. Further, while information security draws primarily from computer science, IA is an interdisciplinary field requiring expertise in accounting, fraud examination, forensic science, management science, systems engineering, security engineering, and criminology, in addition to computer science. Therefore, IA is best thought of as a superset of information security.
Information assurance process
The information assurance process typically begins with the enumeration and classification of the information assets to be protected. Next, the IA practitioner will perform a risk assessment for those assets. Vulnerabilities in the information assets are determined in order to enumerate the threats capable of exploiting the assets. The assessment then considers both the probability and impact of a threat exploiting a vulnerability in an asset, with impact usually measured in terms of cost to the asset's stakeholders. The sum of the products of the threats' impact and the probability of their occurring is the total risk to the information asset.
With the risk assessment complete, the IA practitioner then develops a risk management plan. This plan proposes countermeasures that involve mitigating, eliminating, accepting, or transferring the risks, and considers prevention, detection, and response to threats. A framework published by a standards organization, such as Risk IT, CobiT, PCI DSS, ISO 17799 or ISO/IEC 27002, may guide development. Countermeasures may include technical tools such as firewalls and anti-virus software, policies and procedures requiring such controls as regular backups and configuration hardening, employee training in security awareness, or organizing personnel into dedicated computer emergency response team (CERT) or computer security incident response team (CSIRT). The cost and benefit of each countermeasure is carefully considered. Thus, the IA practitioner does not seek to eliminate all risks, were that possible, but to manage them in the most cost-effective way.
After the risk management plan is implemented, it is tested and evaluated, often by means of formal audits. The IA process is an iterative one, in that the risk assessment and risk management plan are meant to be periodically revised and improved based on data gathered about their completeness and effectiveness.
- Asset (computing)
- Countermeasure (computer)
- Factor Analysis of Information Risk
- Fair information practice
- Information Assurance Vulnerability Alert
- Information security
- ISO/IEC 27001
- ISO 9001
- ISO 17799
- IT risk
- McCumber cube
- Mission assurance
- Risk IT
- Security controls
- Data Encryption; Scientists at Chang Gung University Target Data Encryption. (2011, May). Information Technology Newsweekly,149. Retrieved October 30, 2011, from ProQuest Computing. (Document ID: 2350804731).
- Stephenson, P.. (2010, January). Authentication: A pillar of information assurance. SC Magazine, 21(1), 55. Retrieved October 30, 2011, from ProQuest Computing. (Document ID: 1939310891).
- Roger Cummings. 2002. The Evolution of Information Assurance. Computer 35, 12 (December 2002), 65-72. DOI=10.1109/MC.2002.1106181 http://dx.doi.org/10.1109/MC.2002.1106181 Available in full at: Concurrent Systems Architecture Group
- GCHQ: Britain's Most Secret Intelligence Agency
- Quantitative Risk Analysis in Information Security from Digital Threat
- Verrimus 'Privacy Protected'
- UK Government
- HMG INFOSEC STANDARD NO. 2 Risk management and accreditation of information systems (2005)
- IA References
- Information Assurance XML Schema Markup Language
- DoD Directive 8500.01 Information Assurance
- DoD Instruction 8500.02 Information Assurance (IA) Implementation
- DoD IA Policy Chart DoD IA Policy Chart
- Archive of Information Assurance Archive of Information Assurance
- AFI 33-203 Vol 1, Emission Security (Soon to be AFSSI 7700)
- AFI 33-203 Vol 3, EMSEC Countermeasures Reviews (Soon to be AFSSI 7702)
- AFI 33-201 Vol 8, Protected Distributed Systems (Soon to be AFSSI 7703)
- AFMAN 33-223, Identification and Authentication (Soon to be AFSSI 8520)
- AFI 33-202, Vol 6, Identity Management (Soon to be AFSSI 8520)
- (Biometrics) (Soon to be AFSSI 8521)
- AFI 33-202, Vol 1, Chapter 5, Access to Information Systems (Soon to be AFSSI 8522)
- AFI 33-202, Vol 1, Para 3.11, Cross-Domain Solutions (CDS) (Soon to be AFSSI 8540)
- AFI 33-202, Vol 1, Para 4.2, Network Security (Soon to be AFSSI 8550)
- AFI 33-137, Ports, Protocols, and Services (PPS) Management (Soon to be AFSSI 8551)
- AFI 33-230, Information Assurance Assessment and Assistance Program (Soon to be AFSSI 8560)
- AFI 33-219, Section C, Notice and Consent Procedures (Soon to be AFSSI 8561)
- AFSSI 8580, Remanence Security