CHAPTER 3


Information Assurance Principles


Once you understand the importance of information assurance, you need to embrace some fundamental expectations prior to and during the implementation of security, independent of the size or nature of the business. A common model and understanding of information assurance is necessary if an organization is to speak a common risk language and understand common objectives. The information assurance model used throughout this work is the Maconachy-Schou-Ragsdale (MSR) model.

The MSR Model of Information Assurance

The Maconachy-Schou-Ragsdale model, published in 2001, describes three states of information (storage, transmission, and processing); three essential countermeasure dimensions (technology, policy, and people); and five basic security services (availability, integrity, authentication, confidentiality, and nonrepudiation). The internationally recognized Association for Computing Machinery (ACM) adopted the model, which extends both the basic confidentiality, integrity, and availability (CIA) model and John McCumber’s work from the early 1990s.

We have identified fundamental expectations and common beliefs acquired through business practices over the years, and we refer to them here as information assurance principles. The seven principles specify that information assurance should do the following:

      • Be a business enabler

      • Protect the interconnecting element of an organization’s systems

      • Be cost effective and cost beneficial

      • Establish responsibilities and accountability

      • Require a robust method

      • Be assessed periodically

      • Be restricted by social obligations

These seven principles enable you to implement the MSR model shown in Figure 3-1. The MSR model identifies security services, states, and countermeasures, as explained earlier. In addition, the model demonstrates the interlocking relationship among the 45 unique combinations these dimensions produce (3 states × 3 countermeasures × 5 services). It reinforces the idea that senior management and senior executives are responsible for the life cycle of the system and of the organization’s information, from inception to dissolution.


Figure 3-1 MSR model

Understanding the distinction between the following terms is crucial for identifying not only the market space but also fundamental concepts in protecting organizations’ information assets:

      • Information assurance

      • Information security

      • Information protection

      • Cybersecurity

The following sections define each term.

Information Assurance

Information assurance is the overarching approach for identifying, understanding, and managing risk through an organization’s use of information and information systems. As noted in the MSR model, information assurance is concerned with the life cycle of information in an organization through the objectives of maintaining the following services or attributes:

      • Confidentiality

      • Integrity

      • Availability

      • Nonrepudiation

      • Authentication

The following are critical elements to remember about information assurance:

      • Information assurance includes all information an organization may process, store, transmit, or disseminate regardless of media. Thus, information on paper, on a hard drive, in the mind of an employee, or in the cloud is considered to be “in scope.”

      • Information security, information protection, and cybersecurity are subsets of information assurance.

Information Security

Information security is a subdomain of information assurance. As noted in the MSR model, information security focuses on the CIA triad:

      • Confidentiality

      • Integrity

      • Availability

The following are critical elements to remember about information security:

      • Like information assurance, information security includes all information an organization may process, store, transmit, or disseminate regardless of media. Thus, information on paper, on a hard drive, in the mind of an employee, or in the cloud is considered in scope.

      • Information protection and cybersecurity are subsets of information security.

Information Protection

Information protection is best viewed as a subset of information security. It is often defined in terms of protecting the confidentiality and integrity of information through a variety of means such as policy, standards, physical controls, technical controls, monitoring, and information classification or categorization.

The following are critical elements to remember about information protection:

      • Like information security, information protection includes all information an organization may process, store, transmit, or disseminate regardless of media. Thus, information on paper, on a hard drive, in the mind of an employee, or in the cloud is considered in scope.

      • Some laws, regulations, and rules specifically cite information protection as a requirement for sensitive information such as personally identifiable information and personal health information.

Cybersecurity

Cybersecurity is a relatively new term that has largely replaced the term computer security. It is often confused with information assurance and information security. Cybersecurity describes the measures taken to protect electronic information systems against unauthorized access or attack. It pursues the same objectives as information security (confidentiality, integrity, and availability) but limits its scope to electronic information systems.

The following are critical elements to remember about cybersecurity:

      • Cybersecurity is primarily focused on the protection of networks and electronic information systems. Other media such as paper, personnel, and in some cases stand-alone systems that rely on physical security are often outside the scope of cybersecurity.

      • Cybersecurity often focuses on the vulnerabilities and threats of an information system at the tactical level. System scanning, patching, and secure configuration enforcement are common foci of cybersecurity.

      • Intrusion detection, incident response, and other functions commonly run from a security operations center (SOC) are often identified as cybersecurity functions.

Figure 3-2 illustrates the relationship among information protection, cybersecurity, information security, and information assurance and their relationship with confidentiality, integrity, availability, and nonrepudiation.


Figure 3-2 Information assurance and subdomains

Information Assurance: Business Enabler


Information assurance is a business enabler and a competitive advantage rather than an obstacle: it allows the organization to achieve its intended objectives. Disruptive rules and procedures are usually imposed out of a lack of understanding of business requirements, and they frequently disrupt normal business operations unnecessarily. Through the implementation and operation of suitable controls, information assurance helps the organization achieve its vision and mission by protecting its critical assets and resources. Prior to implementation, organizations should identify which controls are to be implemented and weigh the pros and cons of each. Security rules and procedures that protect vital assets while supporting the organization’s overall vision and mission should be a goal of every senior manager and executive.

When information assurance is properly implemented, it ensures business confidence and competitive advantage; therefore, assurance should be a primary agenda item, not a hindrance or an afterthought. Situations exist where a decision may be made not to pursue a new venture or adopt a new technology because it cannot be secured appropriately and the resulting risk is unacceptable. An example is wireless networking: some financial organizations have banned the use of IEEE 802.11 (Wi-Fi) networks until enhanced security standards for these networks become available. In such cases, information assurance acts as an essential barrier against the adoption of unsafe business practices rather than as an enabler. Conversely, a bank that develops a secure mobile banking application may increase customer satisfaction, reduce personnel costs, and gain customers through the convenience it offers.

Information Assurance: Protects the Fabric of an Organization’s Systems

Information systems provide the interconnecting elements of effective management of organizations. If, however, the information system does not demonstrate the security elements of the MSR model, management cannot make informed decisions. Effective protection from threats requires not only information systems but also information assurance to be an interconnecting, essential part of the entire management system. Security efforts are not silo efforts; they are the essential binding fiber.

Information assurance is a shared responsibility that involves not only the IT organization but every employee. It should be incorporated into the organization’s existing management system and requires participation from all functional units. Any information assurance protection program should consider the people, policy, and technology countermeasures of the MSR model; otherwise, the organization will be unable to garner the required support and will not meet its business objectives effectively. Information assurance involves constant review, monitoring, and improvement based on the risk decisions made by management.

Information Assurance: Cost Effective and Cost Beneficial

Information has varying value based on its criticality and sensitivity; therefore, protection requirements should be proportional to the value of the information or assets protected and to the associated risk. A thorough analysis of the costs and benefits of information assurance may examine quantitative or qualitative aspects, or both, to ensure that investments in controls meet expectations. Security investments should take into consideration the cost of designing, implementing, and maintaining the controls; the value of the information assets; the degree of dependency on the information systems; and the potential risk and impact the organization is likely to face. Investing in information assurance is both a horizontal and a vertical effort.

Information assurance is also a crosscutting program. All information systems and services of an organization have an information assurance requirement. Therefore, an investment should be made in every project for information assurance. This can be thought of as a variable cost. The more services, projects, and information the organization chooses to process, store, or transmit, the greater the information assurance requirements will be.

There is also a fixed-cost aspect to information assurance, which is often the “vertical” aspect of information assurance. Organizations need to have an information assurance program firmly established. This function of an organization is the anchor for the horizontal security efforts and the management area of information assurance for the organization. From this function, common controls and cost-effective security are designed, implemented, and monitored (Figure 3-3).


Figure 3-3 Information assurance as a program and service provider

Investments made based on the choice of controls after a risk assessment exercise reduce the impact of information assurance–related losses. For example, by implementing an effective incident-handling process, an organization can avoid losses in terms of unnecessary resources devoted to recovering from a major disruptive incident.
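As an added example (it is not code from the original chapter), the following Python script shows one common quantitative form of the cost-benefit analysis described in this section: each candidate control is scored by how much it reduces annual loss expectancy (ALE, the single loss expectancy multiplied by the annual rate of occurrence) against its annualized cost, and only controls whose annual benefit exceeds their cost are selected. The ALE and return-on-security-investment formulas are standard but are not defined in this chapter; the asset value, loss factors, and control figures are constructed for illustration.

```python
"""Quantitative screening of candidate security controls by cost and benefit.

Added example; the figures below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float      # design + implementation + maintenance, annualized
    aro_reduction: float    # fraction by which the control cuts the annual rate of occurrence
    sle_reduction: float    # fraction by which the control cuts the loss per incident


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = single loss expectancy x annual rate of occurrence."""
    return sle * aro


def residual_ale(sle: float, aro: float, control: Control) -> float:
    """ALE that remains once the control is in place."""
    return annual_loss_expectancy(sle * (1.0 - control.sle_reduction),
                                  aro * (1.0 - control.aro_reduction))


def rosi(sle: float, aro: float, control: Control) -> float:
    """Return on security investment: (annual loss avoided - annual cost) / annual cost."""
    if control.annual_cost <= 0:
        raise ValueError(f"{control.name}: annual cost must be positive")
    avoided = annual_loss_expectancy(sle, aro) - residual_ale(sle, aro, control)
    return (avoided - control.annual_cost) / control.annual_cost


def select_controls(sle: float, aro: float, candidates: list[Control]) -> list[tuple[str, float]]:
    """Rank candidates by ROSI and keep only those whose annual benefit exceeds their cost.

    A positive ROSI means the loss avoided per year is larger than the control's
    annual cost, which is the proportionality test this section calls for.
    """
    scored = sorted(((c, rosi(sle, aro, c)) for c in candidates),
                    key=lambda pair: pair[1], reverse=True)
    return [(c.name, round(r, 2)) for c, r in scored if r > 0]


# Constructed scenario: an asset worth 400,000 of which 25% is lost per incident,
# with an incident expected once every two years.
SAMPLE_SLE = 400_000 * 0.25     # single loss expectancy = 100,000
SAMPLE_ARO = 0.5                # annual rate of occurrence

CANDIDATES = [
    # an incident-handling process shortens recovery, cutting the loss per incident
    Control("incident handling process", annual_cost=15_000, aro_reduction=0.0, sle_reduction=0.6),
    # patch management halves how often incidents occur
    Control("patch management", annual_cost=12_000, aro_reduction=0.5, sle_reduction=0.0),
    # a very effective but very expensive control: its cost exceeds the loss it avoids
    Control("enterprise DLP suite", annual_cost=80_000, aro_reduction=0.7, sle_reduction=0.2),
]


def example_selection() -> list[tuple[str, float]]:
    return select_controls(SAMPLE_SLE, SAMPLE_ARO, CANDIDATES)


if __name__ == "__main__":
    print(f"ALE without controls: {annual_loss_expectancy(SAMPLE_SLE, SAMPLE_ARO):,.0f}")
    for name, value in example_selection():
        print(f"{name}: ROSI {value:.2f}")
```

With the constructed figures, the baseline ALE is 50,000 per year; patch management and the incident-handling process each return more than they cost, while the DLP suite, although it removes the most risk in absolute terms, is rejected because its annual cost exceeds the 38,000 of loss it avoids.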

Information Assurance: Shared Responsibilities

System owners, including cloud or outsourced service providers, should share information about planned and implemented security controls so that users can be aware of current efforts and know that the relevant systems are sufficiently secure. Identified critical systems should meet a predefined baseline acceptance level of security. System owners should remember to inform their business users or clients about security controls selected, the nature of the controls implemented, and why the controls are necessary.

Peter Drucker’s 1969 book The Age of Discontinuity reminds us that knowledge work knows no hierarchy. In addition, information itself knows no individual or organizational boundaries. Information is available to those who need it.

As an information assurance corollary, information can be secured adequately only when all who have access follow established procedures. Thus, information assurance is a team effort that transcends the IT function. The assignment of responsibilities may be to internal or external parties. Clearly defined security responsibilities (both individual and functional level) encourage best practices by users. Refer to Chapter 9 for detailed information assurance roles and responsibilities.

Information Assurance: Robust Approach

Information assurance requires a complete and integrated approach that considers a wide range of processes. This comprehensive approach extends throughout the entire information life cycle. Security controls operate more effectively in concert with the proper functioning of other business process controls. Interdependencies within an information system exist by definition; therefore, a thorough study should be performed before a determination of compatibility and feasibility of controls is made.

Information Assurance: Reassessed Periodically

Information systems and the environments in which they operate are always evolving. Security requirements change rapidly in parallel with emerging technologies, threats, and vulnerabilities, so new risks constantly appear. The shift from centralized to decentralized IT environments and the increasing volume of information processed in complex environments make operations challenging and make security an ongoing review priority.

To ensure controls remain relevant, an audit or review should be performed to determine the level of compliance with implemented controls. Increases in complexity or in the rate of change necessitate more mature change management and configuration management (CM) approaches. Organizations should continuously monitor the performance of controls by conducting regular assessments of their information systems, and they should ensure information assurance is part of every change management and configuration management process. This alerts management to new risks and to conditions of the information systems, data, and networks that may have a negative impact on the organization’s mission.
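As an added example (it is not code from the original chapter), the following Python script shows the mechanics of the periodic compliance review described above: an observed system configuration is checked against a baseline of required settings, and the findings of the current review are compared with those of the previous review so that management sees which controls have newly drifted out of compliance. The baseline, the two configuration snapshots, and the control identifiers are all constructed for illustration.

```python
"""Check an observed configuration against a security baseline and report the
drift between two periodic reviews.  Added example with constructed data.
"""
from dataclasses import dataclass
from typing import Any


@dataclass(frozen=True)
class BaselineItem:
    control_id: str   # hypothetical identifier from the organization's control catalog
    setting: str
    expected: Any
    rule: str = "eq"  # "eq": must equal, "min": at least, "max": at most, "in": one of


@dataclass(frozen=True)
class Finding:
    control_id: str
    setting: str
    status: str       # "missing" or "noncompliant"
    expected: Any
    observed: Any


def _satisfied(rule: str, observed: Any, expected: Any) -> bool:
    if rule == "eq":
        return observed == expected
    if rule == "min":
        return observed >= expected
    if rule == "max":
        return observed <= expected
    if rule == "in":
        return observed in expected
    raise ValueError(f"unknown rule {rule!r}")


def check_compliance(baseline: list[BaselineItem], observed: dict[str, Any]) -> list[Finding]:
    """Return one Finding per baseline item that is absent or fails its rule."""
    findings = []
    for item in baseline:
        if item.setting not in observed:
            # an unset control is a failure, not a pass: it cannot be shown to be in place
            findings.append(Finding(item.control_id, item.setting, "missing", item.expected, None))
        elif not _satisfied(item.rule, observed[item.setting], item.expected):
            findings.append(Finding(item.control_id, item.setting, "noncompliant",
                                    item.expected, observed[item.setting]))
    return findings


def compliance_ratio(baseline: list[BaselineItem], observed: dict[str, Any]) -> float:
    """Fraction of baseline items that pass; 1.0 for an empty baseline."""
    if not baseline:
        return 1.0
    return (len(baseline) - len(check_compliance(baseline, observed))) / len(baseline)


def drift(previous: list[Finding], current: list[Finding]) -> tuple[set[str], set[str]]:
    """Controls that newly fail since the last review, and controls that were fixed."""
    before = {f.control_id for f in previous}
    now = {f.control_id for f in current}
    return now - before, before - now


# Constructed baseline (control identifiers are hypothetical)
BASELINE = [
    BaselineItem("AC-01", "password_min_length", 12, "min"),
    BaselineItem("SC-01", "tls_min_version", ("1.2", "1.3"), "in"),
    BaselineItem("AC-02", "ssh_password_auth", False),
    BaselineItem("SI-01", "patch_age_days", 30, "max"),
    BaselineItem("AU-01", "audit_logging", True),
]

# Constructed snapshots from two successive reviews
LAST_QUARTER = {
    "password_min_length": 12, "tls_min_version": "1.2",
    "ssh_password_auth": False, "patch_age_days": 20, "audit_logging": True,
}
THIS_QUARTER = {
    "password_min_length": 8,      # weakened since the last review
    "tls_min_version": "1.2",
    "ssh_password_auth": True,     # re-enabled, presumably by an unreviewed change
    "patch_age_days": 45,          # patching has fallen behind
    # audit_logging key absent: the setting was removed entirely
}


def example_review() -> dict[str, Any]:
    prev = check_compliance(BASELINE, LAST_QUARTER)
    cur = check_compliance(BASELINE, THIS_QUARTER)
    newly_failed, fixed = drift(prev, cur)
    return {
        "ratio": compliance_ratio(BASELINE, THIS_QUARTER),
        "findings": [(f.control_id, f.status) for f in cur],
        "newly_failed": sorted(newly_failed),
        "fixed": sorted(fixed),
    }


if __name__ == "__main__":
    for key, value in example_review().items():
        print(f"{key}: {value}")
```

Two design points matter in practice: a setting that is absent from the snapshot is reported as a failure rather than silently skipped, because a control that cannot be observed cannot be claimed to be in place; and the drift comparison is what turns a static audit into the ongoing monitoring this section asks for, since it separates new regressions (which usually trace back to a change that bypassed change management) from long-standing exceptions.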

Information Assurance: Restricted by Social Obligations

Organizations must consider social obligations in the implementation of security controls. They should balance the rights and desires of the organization against the rights of its employees and customers, which requires understanding the security needs of both information owners and users.

Expectations and policies concerning the suitable use of security controls may change over time. Organizations need to balance the security risks they are willing to accept against human rights and social factors; doing so explicitly helps resolve conflicts such as that between security monitoring and workplace privacy. Employee monitoring and bring-your-own-device (BYOD) policies are areas where social obligations and information assurance often require extensive analysis.

Implications from Lack of Information Assurance

Despite the rise in information security incidents, many organizations remain unaware of the criticality of information assurance. This section discusses the consequences of a lack of information assurance. In general, an organization must apply both due care and due diligence to ensure a system is operating within acceptable social and legal norms.

Due care is the development and implementation of policies and procedures, and the performance of the ongoing maintenance, necessary to keep an information assurance process operating properly and protecting assets and people from threats. Systems must operate in accordance with what a reasonable person would expect in the situation. Exercising due care is what prevents a finding of negligence.

Due diligence is the reasonable investigation, research, and understanding of the risks an organization faces before committing to a particular course of action. The organization should do its homework and ensure ongoing monitoring.

Penalties from Legal/Regulatory Authorities

In the wake of countless corporate scandals and acts of negligence, regulations and laws exist to ensure internal controls are implemented to protect the interests of the public and stakeholders. Common themes from various legal/regulatory authorities are

      • Abuse: Hacking, theft, password sharing

      • Critical infrastructure protection: Finance and banking, natural resources, power, water, food, logistics, and military

      • Intellectual property: Copyright, patent, and trademark

      • Privacy: Personal information

Together with the laws, acts, or regulations there are associated penalties. Depending on the type of information security breach, the penalty could be, for example, in the form of paying a fine, serving a jail term, or both.

Loss of Information Assets

Organizations regularly suffer loss because of the compromise of information assets. These losses may be caused by the theft of an asset, data corruption, and other threats. In addition to the direct costs involved in replacing assets (for example, the cost of replacing a stolen computer), additional hidden costs are involved. These losses may be in the form of additional time spent to reconstruct the data, disruption to the organization’s operation through hacking or other attacks, loss of reputation, financial loss, drop in morale, loss of competitive advantage, or cost of litigation, to name a few.

Operational Losses and Operational Risk Management

Although minimizing operational losses is not always recognized as a component of information assurance, in the final analysis it is the primary objective. Most organizations do not take the need to identify their sources of risk seriously. Despite wide coverage on security-related issues, most organizations are in the dark about the threats and risks to their business and missions. Recall that these risks cover the entire MSR model services/attributes (availability, integrity, authentication, confidentiality, and nonrepudiation).

The effect of operational or organization-wide risks may not appear significant initially, but hidden losses accrue over time. Ignoring small inefficiencies leads to higher costs and can eventually erode revenue and profits. For example, an organization providing mobile phone services is at risk of losing customers if it cannot complete a call when the customer needs it (lack of availability). Ignoring this risk and its implications may be as detrimental to the organization as unplanned downtime of a critical IT system.

Annual computer crime and security surveys, such as the U.S. Federal Bureau of Investigation (FBI) Internet Crime Report, show that organizations suffer millions of dollars in losses because of poorly implemented security controls. Once the sources of loss have been identified, it is easier to determine the action to be taken. Books exist on how to manage operations proactively to avoid unwanted operational losses, but they often overlook information assurance. Operational risk management should be a priority concern for stakeholders, just like other corporate risks.

Customer Losses

Organizations frequently lose customers because of poor information assurance practices. One example is software that fails to manage credit card data securely. Poorly implemented or nonexistent security controls lead to the loss of customer information (loss of privacy and confidentiality). As seen with the December 2013 Target compromise, reports of lost or stolen customer information point to two areas of weakness: poor security practices by the retailers themselves and weaknesses in the software used to process payments through credit card systems.

The major credit card brands operate their own cardholder data protection programs built around the Payment Card Industry Data Security Standard (PCI DSS). Compliance with standards such as PCI DSS does not guarantee an organization will be free of incidents, but such standards are vital to retaining customer trust and confidence. If customers fear theft of their personal information because of lacking or poor security controls in a service or product, a considerable loss of customers should be expected. Major credit card providers frequently offer zero-liability protection for online purchases. This offer maintains the customer’s confidence in the card provider; in return, the provider must manage the unmitigated fraud risk by absorbing the losses from fraudulent transactions.

Loss of Image and Reputation

Reputation, or image, is another critical asset. Without a good reputation, sales drop, customer complaints increase, and revenue decreases. Reputation is valuable and must be well managed. To safeguard the respect and good reputation of the organization, it is vital that personnel and business partners follow best-practice information assurance actions to reduce the probability of something bad happening to critical information. A risk assumed by one partner is shared by all partners.

The following are some of the issues that affect corporate reputations that are addressed through effective and periodic information assurance training or awareness programs:

      • Employee misconduct

      • Customer complaints

      • Security incidents and breaches

Further Reading

      • ACM. Computing Curricula: Information Technology Volume, Model Curriculum. ACM, Dec. 12, 2008. http://campus.acm.org/public/comments/it-curriculum-draft-may-2008.pdf.

      • NIST. Information Security Handbook: A Guide for Managers (Special Publication 800-100). NIST, 2006, p. 16.

      • NIST. An Introduction to Computer Security: The NIST Handbook (Special Publication 800-12). NIST, 1995.

      • Drucker, Peter F. Management: Tasks, Responsibilities, Practices. Harper & Row, 1973.

      • Drucker, Peter F. The Age of Discontinuity: Guidelines to Our Changing Society. 1969.

      • Herold, R. “Multi-dimensional Enterprise-wide Security: Corporate Reputation.” In The Definitive Guide to Security Inside the Perimeter. Realtime Publishers. http://www.bandwidthco.com/whitepapers/itil/The%20Definitive%20Guide%20to%20Security%20Inside%20the%20Perimeter.pdf.

      • “Little Inefficiencies Could Lead to Large Operational Losses/Risks.” Hi-Tech Security Solutions. Technews Publishing Ltd., 2006. www.securitysa.com/news.aspx?pklNewsId=144&pklIssueId=60&pklCategoryID=106.

      • Maconachy, V., et al. “A Model for Information Assurance: An Integrated Approach.” Proceedings of the 2nd Annual IEEE Systems, Man, and Cybernetics Information Assurance Workshop, West Point, New York, June 5–6, 2001, pp. 306–310. (The MSR model.)

      • Marlin, S. “Customer Data Losses Blamed on Merchants and Software.” InformationWeek, 2005. www.informationweek.com/showArticle.jhtml?articleID=161601930.

      • McConnell, P. A Perfect Storm: Why Are Some Operational Losses Larger Than Others? Portal Publishing Ltd. www.continuitycentral.com/Perfect_Basel.pdf.

      • Porter, Michael E. Competitive Advantage. Free Press, 2004. www.12manage.com/methods_porter_competitive_advantage.html.

      • Schou, Corey D., and D. P. Shoemaker. Information Assurance for the Enterprise: A Roadmap to Information Security. McGraw-Hill Education, 2008.

      • Conklin, Wm. Arthur, et al. Introduction to Principles of Computer Security: Security+ and Beyond. McGraw-Hill Education, March 2004.

      • PCI Security Standards Council. PCI SSC Data Security Standards Overview. https://www.pcisecuritystandards.org/security_standards/.

      • Sullivan, D. Balancing the Cost and Benefits of Countermeasures. Realtime Publishers, 2007. http://searchsecurity.techtarget.com/general/0,295582,sid14_gci1237327,00.html.

      • Swanson, M., and B. Guttman. Generally Accepted Principles and Practices for Securing Information Technology Systems (Special Publication 800-14). NIST, 1996.

      • Tipton, Harold F., and S. Hernandez, eds. Official (ISC)² Guide to the CISSP CBK, 3rd ed. (ISC)² Press, 2012.

      • Verizon. 2013 Data Breach Investigations Report. www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2013_en_xg.pdf.

Critical Thinking Exercises

        1. What assets or services do you think your organization considers critical for success? What is your organization’s responsibility for those assets or services, and how are they currently protected? How do you know an appropriate level of due diligence and due care is being practiced in relation to your organization’s use of information systems and data?

        2. A member of your team informs you that the organization can purchase insurance for breaches of personally identifiable information (PII) and financial data such as credit card information. The insurance will cost less than the information assurance program proposed by the CISO. Would you purchase the insurance at the expense of an information assurance program?

        3. A breach has occurred, and according to the organization’s web site privacy policy and terms of service, your customers agreed to whatever level of security the organization deemed sufficient and reasonable. Is the organization protected from retaliation from customers or other entities?
