Defending data and the platforms that house it is quickly becoming one of the most important technical jobs in any major corporation. Information assurance (IA) is the technical discipline of data protection. Keeping information and its warehousing safe is part of overall information security, but information assurance also includes the practice of forecasting future dangers and preparing proactively for any risk factors that are detected. Of all that is accomplished by information assurance, likely the most important factor for most firms is keeping privileged and proprietary information out of the hands of the public. A second high priority of information assurance is keeping information platforms safe from the kind of intrusion that could potentially dismantle warehousing, thus endangering or causing the loss of vital company information.
The purpose and function of information assurance can be broken down into three main categories: keeping information confidential; maintaining the integrity of stored data; and making data readily available to those who need access to it. Of these three major functions, maintaining confidentiality of important data is often deemed the highest priority of information assurance. At its most essential core, information assurance means that only those who have permission will have access to the specific information that they have the authorization to access. Additionally, information assurance is time sensitive, meaning that authorized figures will have access to data only when it is deemed necessary or allowed by the systems in place. This is achieved in a number of ways, but mainly with the use of passwords and login names and other similar “sign in” type methodologies.
Information assurance means protection against those who wish to do harm to information and information storage systems, as well as against the viruses and other malicious programs written by hackers to destroy data and the facilities that store it. The ways in which information is kept secure must comply with government standards but must also be “smart” and progressive enough to keep up with the ever-changing demands of handling the constantly evolving viruses and malware that destroy data that is not properly defended.
Information assurance also means the reconstituting of data and its housing after it has been compromised. This means refurbishing, rehousing, and resecuring data as well as reestablishing the list of those who are authorized to have access to it and assigning new login names and pass codes for all authorized parties.
THE FIVE PILLARS OF INFORMATION ASSURANCE
According to the Central Security Service, successful information assurance can be broken down into five pillars: availability, integrity, authentication, confidentiality, and nonrepudiation. These five pillars make up a specific information assurance strategy that ensures the highest level of success for the corporate entities that apply it to their day-to-day business and operations.
Used by the United States government for their information assurance, the five pillars will each receive different amounts of use depending on the type of threat in play. The same is true for any company that uses the five pillars for the protection of information. Additionally, each firm will have varying needs for security based on the industry they are in as well as their size, reputation, Internet presence, and other factors. Of the tools that fall under the headings of the five pillars, those most widely used involve the education of personnel, the use of encryption, the implementation of the most up-to-date information technologies, and the use of some form of alarm system with the ability to warn personnel of an intrusion.
TOOLS OF THE TRADE
The ways in which data is protected vary based on need and the amount of data as well as the types of risks the particular data is likely to face. For example, the enormous amounts of proprietary information at Wal-Mart headquarters in Bentonville, Arkansas, will need a much higher level of protection than the recipe book for a local bakery. Not to lessen the importance of the recipes, but the data contained in the Wal-Mart files involves not just insider information about Wal-Mart, but information about its thousands of suppliers, merchandisers, and affiliates, as well as thousands of other entities that interact with the retailer. So, information that is leaked from the Wal-Mart information system could conceivably impact the entire global economy, whereas a leaked cookie recipe, while important, only causes problems for the local baker.
Some of the tools of information assurance are physical, such as combination locks or keyed entries, paid guards, and access controlled by keycards. Other tools of information assurance are logical, meaning they are able to control people's access to information by way of computers and networks. These security tools include login names and passwords as well as firewalls, encryption of information, alarms that sound when they detect intrusions or irregularities in the system, and access control that is monitored and managed by system administrators. Still other information assurance tools are purely procedural, meaning they are tools that are used only by upper management and those with administrative access. These kinds of tools include the rules and regulations of an individual firm, often found in an employee handbook or appendix of company policies. These kinds of regulations determine how both physical and logical security measures will be used, monitored, and controlled; typically, the regulations also outline what kinds of disciplinary actions will be taken in the event that the laws or regulations of the firm are broken or disregarded. Sometimes procedural information assurance tools are the rules and regulations of a particular industry, and not those of an individual company. In these cases, the bending or breaking of rules and what the consequences are will not be determined by a firm, but by the regulating body in charge of that industry or the state or federal governments.
INFORMATION ASSURANCE IN E-COMMERCE
The job of information assurance for Internet retailers and other e-commerce vendors is not only to secure vital company information, but to secure customer data that is used to make purchases or to retrieve data from a Web site. The most important person who will need to be convinced that information security is intact will be the customer. Above all other reasons for information security in the e-commerce setting, security and privacy of customer and company information are the most important factors.
Customer data such as credit card information, address, social security number, date of birth, or any other personal information obtained by an Internet merchant must be secured during transactions. Many Web assurance services will help to secure private information obtained from the customer, and often, putting the well-known logo or seal of one of these Internet security companies on the home page or bill-of-sale confirmation page of a merchant Web site will help customers feel safer about releasing personal information. WebTrust, BBBOnline, BizRate.com, Secure Site, and the Online Privacy Alliance are all Web assurance service companies that offer extensive transaction security and other online protection for both consumers and online merchants.
Due to the steady rise of Internet sales throughout the 2000s, information assurance in the field of e-commerce will likely be under development for many years to come. The future of successful e-commerce depends heavily on how well it can safely be conducted. This includes security and integrity of online transactions that are controlled by software, the establishment of stronger password and user-name generation technologies, better software for the detection of intrusion, and ironclad proxy servers. The implementation and consistent use of these logical, physical, and procedural tools will ensure consumer safety, lessen identity theft, and help to eradicate the Internet fraud that plagues e-commerce today.
According to the National Security Agency, bringing employees trained in information assurance together with the technology and specific company procedural guidelines across all levels of the corporate model will allow for the highest degree of information security. The practice of intentionally bringing the people, procedures, and technology together for the best and safest practice is referred to as defense-in-depth and calls for personnel trained in the technologies needed to achieve information security on every single level of the corporate model. Defense-in-depth is also an information assurance philosophy that mandates that regardless of where an enemy may stage his attack, he will encounter some level of security that makes the data he wants inaccessible. Additionally, when and if he is able to break through a specific secured area, the enemy will immediately encounter another form of defense, ideally until the attack is ultimately stopped altogether. This type of defense-in-depth barrier is only successful when the people, tools, and information assurance regulations are present on every level of a corporation's framework.
In addition to the most up-to-date technologies, the best training and education, and the most experienced personnel, many large corporations are now heading up information assurance teams with a chief information officer (CIO) who is responsible for keeping all pertinent company data accessible to authorized users and maintaining the safety and integrity of that information. A CIO should always be asking the questions: If information about my company's brand is compromised, what will the repercussion to our finances and reputation be? Does the cost of security assurance solutions outweigh the cost of a potential threat? How at risk is our firm to dangers such as hackers and viruses? What types of security assurance measures will work best for our brand and in our industry? CIOs are becoming the mainstay for many IT departments and information safety branches of corporations and likely represent the future of the information assurance industry.