Copyright © All rights reserved. www.databoxltd.co.uk

Information assurance (IA) is the practice of managing risks related to the use, processing, storage, and transmission of information or data and the systems and processes used for those purposes. While focused dominantly on information in digital form, the full range of IA encompasses not only digital but also analog or physical form. Information assurance as a field has grown from the practice of information security which in turn grew out of practices and procedures of computer security.

Information assurance is closely related to information security and the terms are sometimes used interchangeably. However, IA’s broader connotation also includes reliability and emphasizes strategic risk management over tools and tactics. In addition to defending against malicious hackers and code (e.g., viruses), IA includes other corporate governance issues such as privacy, compliance, audits, business continuity, and disaster recovery. Further, while information security draws primarily from computer science, IA is interdisciplinary and draws from multiple fields, including accounting, fraud examination, forensic science, management science, systems engineering, security engineering, and criminology, in addition to computer science. Therefore, IA is best thought of as a superset of information security (e.g. umbrella term).

Information assurance process

The IA process typically begins with the enumeration and classification of the information assets to be protected. Next, the IA practitioner will perform a risk assessment. This assessment considers both the probability and impact of the undesired events. The probability component may be subdivided into threats and vulnerabilities. The impact component is usually measured in terms of cost. The product of these values is the total risk.

Based on the risk assessment, the IA practitioner will develop a risk management plan. This plan proposes countermeasures that involve mitigating, eliminating, accepting, or transferring the risks, and considers prevention, detection, and response. A framework, such as Risk IT, CobiT, PCI DSS, ISO 17799 or ISO/IEC 27002, may be utilized in designing this plan. Countermeasures may include tools such as firewalls and anti-virus software, policies and procedures such as regular backups and configuration hardening, training such as security awareness education, or restructuring such as forming an computer security incident response team (CSIRT) or computer emergency response team (CERT). The cost and benefit of each countermeasure is carefully considered. Thus, the IA practitioner does not seek to eliminate all risks, were that possible, but to manage them in the most cost-effective way.

After the risk management plan is implemented, it is tested and evaluated, perhaps by means of formal audits. The IA process is cyclical; the risk assessment and risk management plan are continuously revised and improved based on data gleaned from evaluation.