Uploaded by Paulo Romero

GROUP1 BSCS4A

OUTLINE
Information Assurance
Information Security
Information Protection
Cybersecurity
Information Assurance: Business Enabler
Information Assurance: Cost Effective and Cost Beneficial
Information Assurance: Robust Approach
Information Assurance: Protects the Fabric of an Organization's Systems
Information Assurance: Shared Responsibilities
Information Assurance: Restricted by Social Obligations
Information Assurance: Reassessed Periodically
INFORMATION ASSURANCE
Information assurance is the overarching approach for identifying, understanding, and managing risk through an organization's use of information and information systems. As noted in the MSR model, information assurance is concerned with the life cycle of information in an organization through the objective of maintaining the following services or attributes:
CONFIDENTIALITY
assures that unauthorized parties do not have access to information. Information being transmitted must be encrypted, so that only authorized parties, those holding the right key, can decrypt and read it.
INTEGRITY
assures that the information remains in its original state: the system must safeguard the data's accuracy and completeness. Integrity ensures that unauthorized individuals cannot tamper with or modify the information without the change being detected.
AVAILABILITY
ensures that authorized parties have easy and timely access to the information system. This pillar requires the system to remain robust and fully functional even under adverse conditions. It involves protection against threats that can block access to the information system, such as denial of service.
AUTHENTICATION
ensures the validity of a transmitted message or verifies the identity claimed by a party. It prevents impersonation by requiring confirmation of a party's identity before access is granted to the information system and its resources. Authentication answers "who is this?"; deciding what an authenticated party may then receive or do is authorization, a separate step that depends on authentication having been done first.
NON-REPUDIATION
ensures that the sender of data is provided with proof of delivery and the recipient is provided with proof of the sender's identity, so that neither party can later deny having sent or received the data, respectively. The proof must be something only the sending party could have produced; evidence that the recipient could equally well have created does not bind the sender.
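The difference between integrity plus authentication on the one hand and non-repudiation on the other is easiest to see in code. The following is an added example, not part of the original presentation: it uses only the Python standard library, pairs an HMAC (shared key, so both parties can produce a valid tag) with a Lamport one-time hash-based signature (only the private-key holder can sign, anyone with the public key can verify). The scenario, the messages, and the names Alice and Bob are constructed for illustration; the Lamport scheme stands in for the digital signature a real system would use.

```python
import hashlib
import hmac
import secrets

# Shared-key MAC: gives integrity and peer authentication between the two
# holders of the key, but NOT non-repudiation, because either holder can
# produce a valid tag for any message.
def mac_tag(key: bytes, message: bytes) -> bytes:
    """Return an HMAC-SHA256 tag over message under the shared key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def mac_verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time check that tag matches message under key."""
    return hmac.compare_digest(mac_tag(key, message), tag)


# One-time hash-based signature (Lamport scheme): only the holder of the
# private key can sign, anyone holding the public key can verify, so a valid
# signature is evidence the recipient could not have fabricated.
HASH_BITS = 256  # we sign the SHA-256 digest of the message, bit by bit


def lamport_keygen():
    """Private key: 256 pairs of random 32-byte secrets.
    Public key: the SHA-256 hash of each secret, in the same layout."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(HASH_BITS)]
    pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]
    return sk, pk


def _digest_bits(message: bytes):
    """Bits of SHA-256(message), most significant bit first."""
    d = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return [(d >> (HASH_BITS - 1 - i)) & 1 for i in range(HASH_BITS)]


def lamport_sign(sk, message: bytes):
    """Reveal, for every digest bit, the secret matching that bit's value.
    A Lamport private key must be used exactly once: signing a second
    message reveals more secrets and lets an attacker forge signatures."""
    return [sk[i][bit] for i, bit in enumerate(_digest_bits(message))]


def lamport_verify(pk, message: bytes, signature) -> bool:
    """Hash each revealed secret and compare it with the public-key entry
    selected by the corresponding digest bit."""
    if len(signature) != HASH_BITS:
        return False
    return all(
        hashlib.sha256(s).digest() == pk[i][bit]
        for i, (s, bit) in enumerate(zip(signature, _digest_bits(message)))
    )


def demonstrate() -> dict:
    """Constructed scenario (assumption, not from the page): Alice sends an
    order to Bob, who later wants to prove to a third party that Alice sent it."""
    order = b"Transfer 1000 to account 42"
    tampered = b"Transfer 9000 to account 42"

    # Shared key known to both Alice and Bob.
    k = secrets.token_bytes(32)
    tag = mac_tag(k, order)

    # Alice's signing key pair; Bob only ever sees pk.
    sk, pk = lamport_keygen()
    sig = lamport_sign(sk, order)

    # Bob, holding k, can mint a valid tag for a message Alice never sent,
    # so a MAC cannot prove to anyone else what Alice actually sent.
    bob_forgery = mac_tag(k, tampered)

    return {
        "mac_ok": mac_verify(k, order, tag),
        "mac_detects_tamper": not mac_verify(k, tampered, tag),
        "mac_repudiable": mac_verify(k, tampered, bob_forgery),
        "sig_ok": lamport_verify(pk, order, sig),
        "sig_detects_tamper": not lamport_verify(pk, tampered, sig),
    }


if __name__ == "__main__":
    for name, result in demonstrate().items():
        print(f"{name}: {result}")
```

Every entry in the returned dict is True: the MAC catches tampering (integrity) and proves the message came from a key holder (authentication), yet "mac_repudiable" shows that Bob can forge a tag that verifies, so Alice can deny the order. The signature verifies only what Alice's private key produced, which is what non-repudiation requires; a real deployment would use a standard signature scheme with reusable keys rather than a one-time Lamport key.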
MUST REMEMBER about Info. Assurance!
• Information assurance includes all information an
organization may process, store, transmit, or
disseminate regardless of media. Thus, information
on paper, on a hard drive, in the mind of an
employee, or in the cloud is considered to be “in
scope.”
• Information security, information protection, and
cybersecurity are subsets of information assurance.
INFORMATION SECURITY
• Information security covers the tools and processes that organizations use to protect information. This includes policy settings that prevent unauthorized people from accessing business or personal information.
• Information security is a subdomain of information assurance. As noted in the MSR model, information security focuses on the CIA triad.
The CIA Triad, Confidentiality, Integrity, and Availability, is a guiding model in information security.
CONFIDENTIALITY
Prevents sensitive information from reaching the wrong people while making sure that the right people can use it.
INTEGRITY
Maintains the consistency, accuracy, and trustworthiness of information over its life cycle.
AVAILABILITY
Ensures that the information is available when it is needed.
MUST REMEMBER about Info. Security!
• Like information assurance, information security
includes all information an organization may process,
store, transmit, or disseminate regardless of media.
Thus, information on paper, on a hard drive, in the
mind of an employee, or in the cloud is considered in
scope.
• Information protection and cybersecurity are subsets
of information security.
INFORMATION PROTECTION
• Information protection is best viewed as a subset of information security.
• It is often defined in terms of protecting the confidentiality and integrity of information through a variety of means such as policy, standards, physical controls, technical controls, monitoring, and information classification or categorization.
MUST REMEMBER about Info. Protection!
• Like information security, information protection includes all information
an organization may process, store, transmit, or disseminate
regardless of media. Thus, information on paper, on a hard drive, in
the mind of an employee, or in the cloud is considered in scope.
• Some laws, regulations, and rules specifically cite information
protection as a requirement for sensitive information such as
personally identifiable information and personal health information.
CYBERSECURITY
• Cybersecurity is a relatively new term that has largely replaced the term computer security.
• Cybersecurity is used to describe the measures taken to protect electronic information systems against unauthorized access or attack.
• Cybersecurity is primarily concerned with the same objectives as information security (confidentiality, integrity, and availability), within the scope of electronic information systems.
MUST REMEMBER about Cybersecurity!
• Cybersecurity is primarily focused on the protection of networks and electronic
information systems. Other media such as paper, personnel, and in some
cases stand-alone systems that rely on physical security are often outside
the scope of cybersecurity.
• Cybersecurity often focuses on the vulnerabilities and threats of an information
system at the tactical level. System scanning, patching, and secure
configuration enforcement are common foci of cybersecurity.
• Intrusion detection and incident response and other functions commonly run
from a security operations center (SOC) are often identified as cybersecurity
functions.
INFORMATION ASSURANCE:
Business Enabler
• Ensures business confidence and acts as a competitive advantage rather than an obstacle.
• Assists in achieving the organization's vision and mission by protecting its critical assets and resources.
INFORMATION ASSURANCE:
Protects the Fabric of an Organization's Systems
• Information systems provide the interconnecting elements of effective management of organizations. If, however, the information system does not demonstrate the security elements of the MSR model, management cannot make informed decisions.
• Information assurance is a shared responsibility and involves not only the IT organization but every employee. Information assurance should be incorporated into the current management strategy and requires participation from all functional units.
INFORMATION ASSURANCE:
Cost Effective and Cost Beneficial
• Cost-effective: information assurance should implement measures that provide the necessary level of protection while minimizing the cost of implementation and maintenance. In other words, it is about achieving the desired level of security while keeping the costs low.
• Cost beneficial: A thorough analysis of the costs and benefits of information
assurance may examine either quantitative or qualitative aspects to ensure
investment on controls meet expectations. Security investments should take into
consideration the cost of designing, implementing, and maintaining the controls; the
values of information assets; the degree of dependency on the information systems;
and the potential risk and impact the organization is likely to face. Investing in
information assurance is both a horizontal and vertical effort.
INFORMATION ASSURANCE:
Shared Responsibilities
• Security is a team effort and a shared responsibility. No single individual or group, from development to operations to security, carries the burden of security in totality.
• Shared responsibility means holding everyone accountable for information security best practices (shutting down laptops, closing office doors, maintaining good passwords, etc.).
INFORMATION ASSURANCE:
Robust Approach
• Information assurance requires a complete and integrated approach that considers a wide range of processes. This comprehensive approach extends throughout the entire information life cycle. Security controls operate more effectively in concert with the proper functioning of other business process controls.
INFORMATION ASSURANCE:
Reassessed Periodically
• To maintain the security of their information systems and minimize the risk of negative impacts on their mission, organizations must continuously monitor their controls, conduct regular assessments, and ensure information assurance is incorporated into change and configuration management processes.
• This will alert management to new risks and to conditions of the information systems, data, and networks that may have a negative impact on the mission of the organization.
INFORMATION ASSURANCE:
Restricted by Social Obligations
• Organizations must consider social obligations in the implementation of security controls. Organizations should balance the rights and desires of the organization against the rights of employees and customers. This involves understanding the security needs of information owners and users. Expectations and policies may change concerning the suitable use of security controls.
• Organizations need to balance the security risks they are willing to accept against human rights and social factors. This applies to issues such as the conflict between security and workplace privacy. Employee monitoring and bring-your-own-device (BYOD) policies are areas where social obligations and information assurance often require extensive analysis.