IAS Reviewer

This document provides an introduction to information assurance and security. It discusses key concepts like information, assurance, security, and how information assurance differs from but also relates to information security. It focuses on ensuring the availability, integrity, authentication, confidentiality, and non-repudiation of information and systems. The document also introduces the MSR model of information assurance, which examines information states, security countermeasures, and security services.

Uploaded by

Raissa Gonzaga

Lesson 1: Introduction to Information Assurance and Information Security

Information

- Information is organized or classified data that has meaningful value for the receiver.
- Information is the processed data on which decisions and actions are based.

Assurance

- A positive declaration intended to give confidence.

Security

- The state of being free from danger or threat.

Information Assurance

- Focuses on gathering data.
- Measures that protect and defend information and information systems by ensuring their
availability, integrity, authentication, confidentiality, and nonrepudiation.
- Defines and applies a collection of policies, standards, methodologies, services, and mechanisms
to maintain mission integrity concerning people, processes, technology, information, and
supporting infrastructure.
- Information assurance focuses on ensuring the availability, integrity, authentication,
confidentiality, and non-repudiation of information and systems. These measures may include
providing for the restoration of information systems by incorporating protection, detection, and
reaction capabilities.

Information Assurance vs Information Security

- The two terms are often used interchangeably.
- Both involve people, processes, techniques, and technology.

Information Security

- Is about keeping the data safe.
- Information security centers on the protection of information and information systems
from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide
confidentiality, integrity, and availability.

Information Assurance and Security

- Is the management and protection of knowledge, information, and data.


Lesson 2: Developing an Information Assurance Strategy

Information Assurance Strategy

- A plan of action or policy designed to protect information systems (such as computer and
network systems) or certain data throughout application usage, storage, processing, and
transmission.

Proactive

- Creating or controlling a situation by causing something to happen rather than responding to
it after it has happened.

Reactive

- Acting in response to a situation rather than creating or controlling it.

Comprehensive

- An organization’s information assurance strategy and resulting policies and programs should
cover topics, areas, and domains needed for modern organizations. Each topic, domain, and
area within a policy should contain sufficient breadth and detail to support strategic, tactical,
and operational implementation.

Independent

- An organization’s information assurance strategy should contain independent contents and
perspectives related to the defined mission. Organizations are of various sizes and use products
and services from vendors. To be useful for a heterogeneous community, an organization’s
information assurance strategy should provide a neutral view of information assurance.
Constituent parts within the organization should identify their assurance needs and develop
tactical and operational controls through the strategic plan. Organizations must be cautious
not to specify mechanisms, products, or procedural steps to attain organizational information
assurance objectives at the strategic level. Organizations should consider vendor-independent
strategies while incorporating vendor-specific information into tactical and operational plans.

Legal and Regulatory Requirements

- An organization’s information assurance strategy must be consistent with existing laws and
regulations applicable to but not limited to information assurance, human resources, health
care, finance, disclosure, internal control, and privacy within the organizational context.
Organizations should refer to existing legal frameworks and regulations in their information
assurance strategies so leaders understand how to fulfill the regulatory requirements of their
industry or environment.

Living Document

- An organization’s information assurance strategy should be written as a living document
comprised of independent components. In smaller organizations with little employee turnover,
culture may sustain practices. However, organizations benefit from updated written policies,
procedures, guidance, and standards to direct operations. Organizations should use the ideas,
concepts, and approaches outlined in this work to keep their policies, procedures, standards,
and practices up to date.

Long Life Span

- Although information assurance is a dynamic, fast-moving, and rapidly changing discipline, it
requires a stable strategic foundation. To increase the value and relevance of an organization’s
information assurance strategy, the strategy must focus on the fundamentals of information
assurance that remain constant over time. This is supported by tactical and operational
components.

Customizable & Pragmatic

- Organizations should develop a flexible information assurance strategy. The strategy should be
applicable to a broad spectrum of organization functions independent of size and should
consider varied objectives and infrastructure complexity. Organizations should adopt and adapt
their tactical and operational plans to reflect identified organizational information assurance
requirements and risk profiles. The suggested controls provided throughout this work can serve
as guidance.

Risk-Based Approach

- In a risk-based approach, organizations identify their profiles and prioritize them. Since each
organization has a unique risk profile, it must select controls appropriate to its risk tolerance. An
organization’s information assurance strategy must be broad enough to give guidance to sub-
components with diverse risk profiles. This is analogous to risk portfolio approaches in finance.
Risk tolerance and profiles are explained later in this work.

Organizationally Significant

- Information assurance should be considered significant in an organization’s strategy and
ongoing operations, and it is a significant investment and area of concern for any organization.
Information assurance is part of an organization just like basic accounting. For example, if
organizations choose to ignore accounting, they will be subject to possible fines and issues with
shareholders, but more importantly, they will be subject to fraud and internal control issues.
Information assurance provides controls for an organization’s most important assets while
bringing visibility into operational and strategic risk.

Strategic, Tactical, & Operational

- The organization’s information assurance strategy provides a framework to assist senior
managers and executives in making strategic (long-term) plans and decisions. It provides
information to aid managers in tactical (mid-term) planning and decisions. In addition, an
organization’s information assurance strategy contains information useful to employees and
line managers who make operational (short-term) plans and decisions.

Concise, Well-Structured, Extensible

- Ideally, an organization’s information assurance strategy addresses wide-ranging information
assurance topics, organized systematically. To help maximize benefits, the structure of a
strategy document should facilitate easy retrieval and use by readers.

Lesson 3: Information Assurance Principles

THE MSR MODEL OF INFORMATION ASSURANCE

Maconachy-Schou-Ragsdale model (MSR) described:

1. Information States

a. Transmission

b. Storage

c. Processing

2. Security Countermeasures

a. Technology

b. Policy and Practice

c. People

3. Security Services

a. Availability

b. Integrity

c. Authentication

d. Confidentiality

e. Nonrepudiation

1. Information States
- Information is referred to as the interpretation of data which can be found in three states:
transmitted, stored, or processed.

1.1. Transmission

- It is the time during which data is between processing steps.

Example:
- In transit over networks when the user sends an email to the reader, including memory and
storage encountered during delivery.

1.2. Storage

- It defines the time during which data is saved on a medium such as a hard drive.

Example:

- Saving documents on the file server’s disk by the user.

1.3. Processing

- It defines the time during which data is in the processing state.

Example:

- Data is processed in the random-access memory (RAM) of a workstation.

2. Security Countermeasures

- This dimension covers the countermeasures that protect the system from vulnerabilities,
grouped into technology, policy and practice, and people.

2.1. Technology

- Appropriate technology such as firewalls, routers, and intrusion detection must be used to
defend the system from vulnerabilities, and threats. The technology used must facilitate quick
response whenever information security gets compromised.

2.2. Policy and Practice

- Every organization has some set of rules defined in form of policies that must be followed by
every individual working in the organization. These policies must be practiced to properly handle
sensitive information whenever the system gets compromised.

2.3. People

- People are the heart of the information system. Administrators and users of information
systems must follow policies and practice for designing a good system. They must be informed
regularly regarding information systems and ready to act appropriately to safeguard the system.

3. Security Services

- It is the fundamental pillar of the model which provides security to the system and consists of
five services namely availability, integrity, confidentiality, authentication, and non-repudiation.

3.1. Availability

- It guarantees reliable and constant access to sensitive data only by authorized users. It involves
measures to sustain access to data despite system failures and sources of interference. To
ensure availability, corrupted data must be eliminated, recovery time must be sped up and
physical infrastructure must be improved.

Example:

- Accessing and throughput of e-mail service.

3.2. Integrity

- It ensures that sensitive data is accurate and trustworthy and cannot be created, changed, or
deleted without proper authorization. Maintaining integrity means that information is modified or
destroyed only through authorized access. To ensure integrity, backups should be planned
and implemented to restore any affected data in case of a security breach. Besides this, a
cryptographic checksum can also be used for the verification of data.

Example:

- Implementation of measures to verify that e-mail content was not modified in transit. This can
be achieved by using cryptography which will ensure that the intended user receives correct and
accurate information.
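As an added example (not part of the original notes), the Python code below shows the integrity check described above on a constructed e-mail body: an unkeyed SHA-256 checksum detects accidental corruption in transit, but a message altered on the path can simply carry a freshly computed digest, so a keyed checksum (HMAC with a key shared by sender and receiver, a constructed value here) is what actually lets the receiver verify that the content was not modified.

```python
import hashlib
import hmac

# Constructed sample e-mail body as it left the sender (not from the original notes).
ORIGINAL_BODY = b"Subject: Invoice 42\n\nPlease pay 100.00 to account A.\n"


def checksum(message: bytes) -> str:
    """Unkeyed cryptographic checksum (SHA-256) over the message bytes."""
    return hashlib.sha256(message).hexdigest()


def verify_checksum(message: bytes, expected: str) -> bool:
    """Detects accidental corruption: any changed bit yields a different digest."""
    return hmac.compare_digest(checksum(message), expected)


def mac(message: bytes, key: bytes) -> str:
    """Keyed checksum (HMAC-SHA256); cannot be recomputed without the shared key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_mac(message: bytes, key: bytes, expected: str) -> bool:
    """Constant-time comparison of the received MAC with a freshly computed one."""
    return hmac.compare_digest(mac(message, key), expected)


def altered_with_refreshed_checksum(message: bytes):
    """Why an unkeyed checksum alone is not enough: a body changed on the path
    can be paired with a new digest, and the receiver's checksum check still passes."""
    altered = message.replace(b"account A", b"account B")
    return altered, checksum(altered)


def demo() -> dict:
    key = b"constructed-shared-key"  # hypothetical key agreed out of band
    sent_digest = checksum(ORIGINAL_BODY)
    sent_mac = mac(ORIGINAL_BODY, key)

    corrupted = ORIGINAL_BODY.replace(b"100.00", b"100.01")  # one byte damaged in transit
    altered, refreshed_digest = altered_with_refreshed_checksum(ORIGINAL_BODY)

    return {
        # Accidental corruption: the original digest no longer matches.
        "checksum_detects_corruption": not verify_checksum(corrupted, sent_digest),
        # Deliberate change plus refreshed digest: the unkeyed check is fooled.
        "checksum_fooled_by_refresh": verify_checksum(altered, refreshed_digest),
        # The keyed MAC still fails because the key was never available on the path.
        "mac_detects_altered_body": not verify_mac(altered, key, sent_mac),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```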

3.3. Authentication

- It is a security service designed to establish the validity of the transmission of a message
by verifying an individual’s identity before that individual receives a specific category of information. To
ensure this, various single-factor and multi-factor authentication methods are used. A single-
factor authentication method uses a single parameter to verify a user’s identity, whereas multi-
factor authentication (such as two-factor authentication) uses more than one factor to verify a user’s identity.

Example:

- Entering a username and password when we log in to a website is an example of
authentication. Entering the correct login information lets the website verify our identity and
ensure that only we access sensitive information.

3.4. Confidentiality

- It assures that information in the system is not disclosed to unauthorized parties and is read and
interpreted only by persons authorized to do so. Protection of confidentiality prevents malicious
access and accidental disclosure of information. Information that is considered to be
confidential is called sensitive information.

Example:

- Protecting e-mail content so that it can be read only by the intended set of users. This can be ensured by data
encryption. Two-factor authentication, strong passwords, security tokens, and biometric
verification are some popular methods for authenticating users before they access sensitive
data/information.

3.5. Nonrepudiation

- It is a mechanism to ensure that neither the sender nor the receiver can deny being part of a data
transmission. When a sender sends data to the receiver, the sender receives a delivery confirmation. When
the receiver receives a message, it has all the information regarding the sender attached to the
message.

Example:

- A common example is sending an SMS from one mobile phone to another. After the message is
received, a confirmation is displayed showing that the receiver has received the message. In
return, the message received by the receiver contains all the information about the sender.

4. Time

- This dimension can be viewed in many ways. At any given time, data may be available offline or
online, and information and systems might be in flux, thus introducing the risk of unauthorized
access. Therefore, in every phase of the System Development Cycle, every aspect of the
Information Assurance model must be well-defined and well-implemented to minimize the risk
of unauthorized access.

Information Assurance and Subdomains

Information Assurance

- Information assurance is the overall approach for identifying, understanding and managing risk
through an organization’s use of information and information systems. As noted in the MSR
model, information assurance is concerned with the life cycle of information in an organization
through the objectives of maintaining the following services or attributes:
- Confidentiality
- Integrity
- Availability
- Nonrepudiation
- Authentication

The following are critical elements to remember about Information Assurance:

- Information assurance includes all information an organization may process, store, transmit, or
disseminate regardless of media. Thus, information on paper, on a hard drive, in the mind of an
employee, or in the cloud is considered to be “in scope.”

- Information security, information protection, and cybersecurity are subsets of information
assurance.

Information Security

- Information security is a subdomain of information assurance. As noted in the MSR model,
information security focuses on the CIA triad:
- Confidentiality
- Integrity
- Availability

The following are critical elements to remember about Information Security:

- Like information assurance, information security includes all information an organization may
process, store, transmit, or disseminate regardless of media. Thus, information on paper, on a
hard drive, in the mind of an employee, or in the cloud is considered in scope.

- Information protection and cybersecurity are subsets of information security.

Information Protection

- It is often defined in terms of protecting the confidentiality and integrity of information through
a variety of means such as policy, standards, physical controls, technical controls, monitoring,
and information classification or categorization.

The following are critical elements to remember about Information Protection:

- Like information security, information protection includes all information an organization may
process, store, transmit, or disseminate regardless of media. Thus, information on paper, on a
hard drive, in the mind of an employee, or in the cloud is considered in scope.

- Some laws, regulations, and rules specifically cite information protection as a requirement for
sensitive information such as personally identifiable information and personal health
information.

Cybersecurity

- Cybersecurity is a relatively new term that has largely replaced the term computer security.

- Cybersecurity is used to describe the measures taken to protect electronic information systems
against unauthorized access or attack. Cybersecurity is primarily concerned with the same
objectives of information security within the scope of electronic information systems’ CIA.

The following are critical elements to remember about Cybersecurity:

- Cybersecurity is primarily focused on the protection of networks and electronic information
systems. Other media such as paper, personnel, and in some cases stand-alone systems that rely
on physical security are often outside the scope of cybersecurity.

- Cybersecurity often focuses on the vulnerabilities and threats of an information system at the
tactical level. System scanning, patching, and secure configuration enforcement are common
foci of cybersecurity.
