PART I


Information Assurance Basics


Part I provides key concepts, vital components, and definitions fundamental to integrating effective information assurance. Chapter 1 focuses on the development of an information assurance strategy based on the size and complexity of the organization. Chapter 2 discusses the importance and drivers of information assurance, such as why information assurance is important, fundamental principles in information assurance, and the consequence of failure.

Chapter 3 explains the requirements in information assurance, namely, confidentiality, integrity, and availability (CIA); identification, authentication, authorization, and accountability (IAAA); and nonrepudiation and information assurance’s association with privacy. Chapter 4 defines the key elements of risks, namely, assets, threats, and vulnerabilities, as well as their interrelationship in managing information assurance. The chapter also provides examples of common threats, vulnerabilities, and controls to manage risks.

Expertise and professionalism are important in the management of information assurance. Chapter 5 provides pointers to organizations with resources for information assurance professionals. In addition, it discusses the code of ethics that information assurance professionals should observe. Chapter 6 discusses the Information Assurance Management System (IAMS) and the Plan-Do-Check-Act (PDCA) implementation model.

Chapter 7 highlights the need to ensure that the implementation of information assurance is done in accordance with existing laws and regulations to ensure compliance. Chapter 7 also provides information about common laws, regulations, standards, and other guidelines in the global enterprise.

Quick Answers

Q:   Why is there a need for information assurance?

A:   The advancement of technology has caused an increase in vulnerabilities and associated threats. Increased complexity and increased innovation often lead to increased vulnerabilities. This has increased the need to protect the confidentiality, integrity, and availability (CIA) of critical information assets, which in turn minimizes risk. Organizations should comply with relevant laws and regulations, including their own internal policies, to increase information assurance.

Q:   What are the common concepts in information assurance?

A:   Common concepts in information assurance are confidentiality, integrity, and availability (CIA); privacy, nonrepudiation, and authentication; and identification, authentication, authorization, and accountability (IAAA). These concepts are summarized in the internationally recognized Association for Computing Machinery (ACM) Maconachy-Schou-Ragsdale (MSR) model.

Q:   There are differing schools of thought on certain concepts in information assurance. How do I know I am following or practicing the right one?

A:   True, there are many schools of thought on information assurance. There are no right or wrong choices; the selection of which concept or practice to use depends on the relevant regulations and organizational requirements. One key to success is to have certified security professionals in your organization. They will be able to guide your organization about the right ones to practice. Alternatively, your organization may engage the services of certified security consultants.

Q:   What are the differences between the terms assets, threats, vulnerabilities, risks, and controls?

A:   Some assets are critical and of high value to organizations, and these need to be protected. Threats can cause harm to these assets, and vulnerabilities are weaknesses that allow threats to materialize. Risks are a combination of exposure (threats and vulnerabilities) together with potential impact. Controls are measures, mechanisms, or tools used to protect assets.

Q:   In what situations are typical approaches such as the top-down and bottom-up approaches effective in implementing information assurance efforts?

A:   A top-down approach is more suitable when organization-wide support is needed and you want to gain management buy-in throughout the information assurance life cycle. A bottom-up approach is appropriate when business functions need immediate action to implement controls. It is a good approach for a decentralized environment.

Q:   There are various security organizations offering different courses and certifications. How do I know which one to choose?

A:   You should know the professional path you want to embark upon and the business requirements of the organization before deciding to seek particular certification or to attend a preparation course.

For example, the CISSP from (ISC)2 is for professionals who want to be certified in a broad range of security areas; the CISA from ISSA, or the CAP, is more for professionals who want certified auditing credentials; and the CBCP is for professionals who want to be certified in business continuity or disaster recovery planning. The SANS certification known as Global Information Assurance Certification (GIAC) is a job-specific certification that reflects current practice in lower-level tactical or operational information security. Other certifications from (ISC)2 include those that focus on computer forensics (CCFP), the software development life cycle (CSSLP), healthcare security and privacy (HCISPP), and cloud security (CCSP).

Q:   We often hear security is a continuous improvement process. Is implementing information assurance in a process manner truly the best way?

A:   By implementing information assurance in a process manner, you are able to see phases of information assurance improvement efforts systematically, such as planning activities, implementing activities, checking/reviewing activities, and monitoring/tracking activities. A task becomes more manageable when it can be implemented in a systematic way.

Q:   What is the difference between a process and a procedure?

A:   A process is a set of interdependent activities that are applied to add value. A procedure is a systematic method of describing the way in which all or part of that process is to be performed.

Q:   How can the Plan-Do-Check-Act (PDCA) cycle be used in the process approach?

A:   The PDCA cycle is an established, logical method that can be used to improve a process. This requires the following:

P: Planning (figuring out what to do and how to do it)

D: Executing the plan (doing what was planned)

C: Checking the results (verifying that things happened according to plan)

A: Acting to improve the process (figuring out how to improve next time)
