In-Depth Notes on Information Assurance Principles

Seven Principles of Information Assurance

  • Information assurance principles help establish fundamental expectations in protecting information within organizations.
  • The following are the seven key principles:
    • Be a business enabler:
      • Proper implementation of information assurance fosters business confidence and offers a competitive edge, making it a primary agenda rather than an afterthought.
    • Protect the interconnecting elements of an organization’s systems:
      • Emphasizes shared responsibility across IT and other departments to effectively meet business objectives.
    • Be cost effective and cost beneficial:
      • All information systems and services require investment in information assurance for effective security.
    • Establish responsibilities and accountability:
      • System owners must inform users about the security controls in place and their necessity to ensure compliance and effectiveness.
    • Require a robust method:
      • Adequate studies should be conducted to evaluate the compatibility and feasibility of the security controls applied.
    • Be assessed periodically:
      • Regular audits or reviews are necessary to confirm that security controls remain relevant and effective.
    • Be restricted by social obligations:
      • Organizations must balance security risks with human rights and social responsibilities.

Information Assurance Concept

  • Information assurance deals with identifying, understanding, and managing risks related to information and information systems within an organization.
  • Key elements of information assurance include:
    • It encompasses all forms of information (paper, digital, cloud-based, etc.) processed, stored, transmitted, or disseminated, which are all considered "in scope."
    • Information assurance is a broad field that includes:
      • Information Security: Focused on the CIA (Confidentiality, Integrity, Availability) triad.
      • Information Protection: Subset of information security aimed at maintaining confidentiality and integrity through policies and controls.
      • Cybersecurity: A newer term focusing specifically on securing electronic information systems against unauthorized access and threats.

Information Security

  • As a subdomain of information assurance, information security focuses on the CIA triad:
    • Confidentiality: Ensuring data is accessible only to those authorized.
    • Integrity: Ensuring data is accurate and unaltered by unauthorized actions.
    • Availability: Ensuring that authorized users have access to information when needed.
  • Similar to information assurance, it covers all types of information and incorporates laws and regulations for sensitive data management.
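The following is an added illustration of the CIA triad in code; it is not part of the original notes. It models a small record store with constructed sample data: an access list enforces confidentiality, an HMAC tag over each record detects unauthorized alteration (integrity), and an online flag shows that a correct but unreachable system still fails the availability goal. The class, record names and key handling are all hypothetical.

```python
import hashlib
import hmac
import secrets
from typing import Optional


class ProtectedStore:
    """Toy record store showing the three CIA goals (constructed example)."""

    def __init__(self, key: Optional[bytes] = None):
        # Integrity key; assumed to be generated once per deployment
        self._key = key or secrets.token_bytes(32)
        self._records = {}   # name -> bytes
        self._tags = {}      # name -> HMAC-SHA256 hex tag computed at write time
        self._acl = {}       # name -> set of users allowed to read
        self.online = True   # availability switch for the demo

    def _tag(self, data: bytes) -> str:
        return hmac.new(self._key, data, hashlib.sha256).hexdigest()

    def put(self, name: str, data: bytes, readers):
        """Authorized write: stores the record, its integrity tag and its ACL."""
        self._records[name] = data
        self._tags[name] = self._tag(data)
        self._acl[name] = set(readers)

    def corrupt(self, name: str, data: bytes):
        """Simulates an unauthorized change that bypasses put() and so leaves the tag stale."""
        self._records[name] = data

    def read(self, user: str, name: str):
        # Availability: an authorized user must actually get an answer
        if not self.online:
            return ("unavailable", None)
        # Confidentiality: only listed readers may see the record
        if user not in self._acl.get(name, set()):
            return ("denied", None)
        data = self._records[name]
        # Integrity: a stale tag means the data changed outside the authorized path
        if not hmac.compare_digest(self._tag(data), self._tags[name]):
            return ("tampered", None)
        return ("ok", data)


def demo():
    """Runs the four cases and returns their outcomes keyed by scenario."""
    store = ProtectedStore()
    store.put("payroll.csv", b"salary table", readers={"alice"})
    store.put("handbook.pdf", b"employee handbook", readers={"alice", "bob"})
    results = {
        "authorized": store.read("alice", "payroll.csv"),
        "unauthorized": store.read("bob", "payroll.csv"),
    }
    store.corrupt("handbook.pdf", b"employee handbook (altered)")
    results["tampered"] = store.read("bob", "handbook.pdf")
    store.online = False
    results["offline"] = store.read("alice", "payroll.csv")
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:12s} -> {outcome}")
```

The integrity check uses `hmac.compare_digest` so that tag comparison does not leak timing information; in a real system the key would live in a secrets manager rather than in process memory, and the ACL would come from the organization's identity provider.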

Information Protection

  • Information protection involves securing the confidentiality and integrity of information through:
    • Policy enforcement
    • Standards
    • Physical and technical controls
    • Continuous monitoring and classification of information types
  • It is crucial for compliance with legal requirements related to sensitive data such as personally identifiable information (PII) or personal health information (PHI).

Cybersecurity

  • Cybersecurity focuses on protecting electronic information systems from unauthorized access and attacks. Key focus areas include:
    • Monitoring vulnerabilities and threats at a tactical level.
    • Implementing system scanning, patching, and secure configurations.
    • Functions managed by security operations centers (SOC) such as intrusion detection.
  • It differs from information assurance and information security by concentrating primarily on electronic systems.