CHAPTER 2


The Need for Information Assurance


The information assets and infrastructure of organizations are constantly threatened. The dynamic threat environment has increased the need for information assurance. Information assurance is not just a technology issue but is a business and social issue as well. Ultimately, the goal of information assurance is to protect the information and infrastructure that supports the mission and vision of an organization through compliance to regulations, risk management, and organizational policies. A related term, information technology, focuses on processing, storing, ensuring the availability of, and sharing information assets.

How does information assurance tackle these problems? Information assurance consists of protecting information and services against disclosure, transfer, modification, or destruction (either intentional or unintentional) and ensuring the availability of information in a timely manner. Information assurance also considers the authentication used in a system and whether actions taken in it can later be repudiated (non-repudiation). Basically, it ensures only the approved entities receive the accurate information they require when they need it. Securing information by implementing suitable and cost-effective controls ensures critical and sensitive information assets are protected adequately. This chapter focuses on the importance of information assurance, its principles, and the implications of the failure of information assurance.

To be successful, it is vital for organizations to evaluate the sensitivity and criticality of applications and data as well as the organization’s acceptable risk level. As exemplified by the past several years of Verizon Data Breach Investigations Reports, you need only read the news to see the ongoing assault on organizations’ information technology use worldwide. As a fundamental part of doing business, organizations must take inventory of their information assets and evaluate them against threats and vulnerabilities. The evaluation should include customer information, e-mail, financial information, program resources, social media, outsourcing arrangements, and the use of cloud computing technologies. Subsequently, the organization should deploy security controls to protect information assets at an acceptable cost. (For more information, see the 2013 Data Breach Investigations Report at www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2013_en_xg.pdf.)

Protection of Critical and Sensitive Assets

It is a sound business practice to require that critical and sensitive assets be protected. Prior to implementing security controls, an organization must identify the critical business processes and the value of the associated assets. The interdependencies between different business processes should be understood so that the security controls to be implemented can be modeled precisely and prioritized.

Compliance with Regulations and Circulars/Laws

Compliance with regulations ensures organizational sustainability. Each day there are new regulatory compliance requirements. Organizations operating in multiple economies or regulatory environments require extra effort to analyze how urgently each regulation applies to them. Whether requirements stem from international or local laws and regulations, the organization is required to analyze how the requirements can be addressed without compromising the policies and procedures already in place within the organization. Understanding how the relevant regulations and standards align with one another is the foundation of an effective, efficient, and sustainable compliance program.

From a governmental perspective, in addition to guidelines and laws, some governments have “enforcement controls” required for public- or private-sector organizations. Examples of these would be general circulars, advisories, and directives. The particular terms used for these vary from one nation, economy, and industry to another.

Meeting Audit and Compliance Requirements

From an information assurance point of view, auditing is a process that checks and verifies compliance with generally accepted standards, a particular regulation, or a specific requirement. In addition, an audit ensures compliance efforts meet established organizational objectives and follow agreed-upon risk management controls. These different considerations lead to a common goal of compliance through meeting one or more audit requirements and regulations.

Ideally, auditors work with intimate knowledge of the organization to understand the resources subject to audit. Security audits are part of the continuous process of establishing and maintaining practical policies; they are not just something to “put up with.” An audit is a sampling process applicable generally to the entire organization. Among other things, a good audit should review the effectiveness of the organization’s security policies and practices. A complete audit provides a report on the areas of noncompliance and nonconformity regarding the effectiveness of that policy within the context of the organization’s objectives, structure, and activities. Certification and Accreditation (C&A), ISO 17799/27001, NIST, COBIT, OCTAVE, and several other standards and guidelines provide information assurance audit frameworks. These are common frameworks used by auditors.

Providing Competitive Advantage

Frequently, individuals fail to recognize that information assurance is a competitive advantage. However, it becomes obvious in the case of a bank. Would you choose to put assets into a bank if it had an inadequate information system? Organizations with proactive controls stay competitive and survive longer. Further, the use of personally identifiable information and personal finance information is now considered commonplace in almost any organization. Breaches of this information not only can be costly from a financial perspective but can also damage an organization’s goodwill or public perception.

Viewing information assurance as a differentiator may not be as clear-cut in other markets. For example, one may argue information assurance has no place in a social networking site. However, a social networking site that leaks pictures, message board posts, and user information to the wrong audience will quickly lose its users and therefore possibly its greatest asset (marketing information about its users).

Maintaining a competitive advantage means remaining responsive to current or potential challenges. Successful organizations, and those that consistently achieve milestones that exceed the average for their industry, have a competitive advantage. A company with strong information assurance practices can build a trusted brand that enhances its business proposition.

There are typically two identified types of competitive advantage: cost advantage and differentiation advantage. A competitive advantage exists when the organization is able to give the same benefits as competitors at a lower cost (cost advantage) or to give benefits that outdo those of competing products (differentiation advantage). Having a competitive advantage enables the organization to create value for its customers and make a profit or succeed in its mission. Organizations with strong information assurance are differentiated from their competition, as noted in the prior examples of the bank and the social networking site. Figure 2-1 shows the concept of competitive advantage.

Figure 2-1 Competitive advantage model

Critical Thinking Exercises

1. An organization’s board of directors has recently experienced a substantial change in leadership. The new members of the board have demanded an external audit for internal control and information assurance. What should the president or leader of the organization be prepared to provide to ensure the board is comfortable with the audit results?

2. The senior leadership of a large organization has never considered the need for information assurance in the organization’s operations. After a series of attacks have crippled similar competitors, senior leadership is now concerned about information assurance. The information technology staff (both in-house and outsourced) has assured senior leadership repeatedly that there is nothing to worry about. Are they right?