CHAPTER 1


Developing an Information Assurance Strategy


The information assurance strategy presented here is based on ten core principles, as shown in Figure 1-1. Together, the principles fulfill the information assurance requirements and objectives of the majority of organizations. An organization's size, complexity, and environment will determine the relative importance of each principle.


Figure 1-1 Information assurance strategy principles

Comprehensive

An organization's information assurance strategy, and the policies and programs derived from it, should cover every topic, area, and domain that a modern organization needs. Each topic within a policy should contain sufficient breadth and detail to support implementation at the strategic, tactical, and operational levels.

Independent

An organization's information assurance strategy should present content and perspectives that are independent of any particular vendor and tied to the defined mission. Organizations vary in size and use products and services from many vendors, so to be useful to a heterogeneous community the strategy should provide a neutral view of information assurance. Constituent parts of the organization should identify their own assurance needs and develop tactical and operational controls in accordance with the strategic plan. At the strategic level, organizations must be cautious not to specify mechanisms, products, or procedural steps for attaining information assurance objectives; that level of detail belongs in tactical and operational plans, where vendor-specific information can be incorporated.

Legal and Regulatory Requirements

An organization's information assurance strategy must be consistent with the laws and regulations that apply to it, including but not limited to those governing information assurance, human resources, healthcare, finance, disclosure, internal control, and privacy. The strategy should refer explicitly to the relevant legal frameworks and regulations so that leaders understand how to fulfill the regulatory requirements of their industry or environment.

Living Document

An organization's information assurance strategy should be written as a living document composed of independent components. In smaller organizations with little employee turnover, culture alone may sustain good practices. Even so, organizations benefit from up-to-date written policies, procedures, guidance, and standards to direct operations. Organizations should use the ideas, concepts, and approach outlined in this work to keep their own policies, procedures, standards, and practices current.

Long Life Span

Although information assurance is a dynamic and rapidly changing discipline, it requires a stable strategic foundation. To increase the value and relevance of an organization's information assurance strategy, the strategy must focus on the fundamentals of information assurance that remain constant over time. Change is absorbed by the tactical and operational components that rest on that foundation.

Customizable and Pragmatic

Organizations should develop a flexible information assurance strategy. The strategy should apply to a broad spectrum of organizational functions regardless of size, and it should accommodate varied objectives and levels of infrastructure complexity. Organizations should adopt and adapt their tactical and operational plans to reflect their identified information assurance requirements and risk profiles. The suggested controls provided throughout this work can serve as guidance.

Risk-Based Approach

In a risk-based approach, organizations identify their risk profiles and prioritize among them. Because each organization has a unique risk profile, it must select controls appropriate to its own risk tolerance. An organization's information assurance strategy must be broad enough to guide sub-components with diverse risk profiles, much as a portfolio approach in finance accommodates holdings with different risk characteristics. Risk tolerance and risk profiles are explained later in this work.

Organizationally Significant

Information assurance should be treated as a significant element of an organization's strategy and ongoing operations, because it is a significant investment and area of concern for any organization. Information assurance is as fundamental to an organization as basic accounting. An organization that chooses to ignore accounting exposes itself to possible fines and shareholder issues, but more importantly to fraud and internal control failures. In the same way, information assurance provides controls over an organization's most important assets while bringing visibility into operational and strategic risk.

Strategic, Tactical, and Operational

The organization's information assurance strategy provides a framework that assists senior managers and executives in strategic (long-term) planning and decision making. It provides information that aids managers in tactical (midterm) planning and decisions. It also contains information useful to employees and line managers who make operational (short-term) plans and decisions.

Concise, Well-Structured, and Extensible

Ideally, an organization's information assurance strategy addresses a wide range of information assurance topics in a systematic organization. To maximize its benefit, the structure of the strategy document should make it easy for readers to find and use the material they need.

The structure and contents of the organization's information assurance strategy should demonstrate high cohesion and low coupling. Each topic should be treated completely on its own, to the appropriate level of detail (high cohesion), and its contents should not depend heavily on other topics (low coupling). This approach makes the strategy extensible: new topics can be added easily, and users can consult the parts relevant to them as self-contained modules.

Critical Thinking Exercises

        1. An organization is considering developing an encryption policy. A penetration tester on the team starts documenting specific products and configurations to put into the policy. Should the policy contain these details?

        2. An organization is considering placing all of its policies, procedures, standards, and guidance in a single handbook so that executive management has to sign off only once. What are the advantages and disadvantages of this approach?
