Information Assurance is the practice of assuring information, that is, making it available to the right users at the right time. It concerns managing the risks that arise from the use, processing, storage and transmission of information through the systems and processes dedicated to those activities. Information Assurance safeguards the integrity, availability, authenticity, confidentiality and non-repudiation of user data. These goals are met by deploying physical, technical and administrative controls. Information Assurance is primarily concerned with digital information, but it can be extended to analog or physical forms as well. The protection applies to information in transit over heterogeneous networks and to information at rest in electronic storage media.
Information Assurance focuses on strategic risk mitigation for information infrastructures rather than on building and applying individual security controls. Its scope includes defense against malicious users and malicious code, protection of privacy, compliance with regulations and standards, audit, and business continuity and disaster recovery in support of corporate governance. Information Assurance is inherently interdisciplinary: its practitioners need skills drawn from computer forensics, fraud detection, accounting, management science, systems and security engineering, computer science and criminology.
Information Assurance Process
The process starts by enumerating and classifying the information assets that must be safeguarded against threats. The Information Assurance practitioner then conducts a risk assessment of the selected assets. The potential vulnerabilities and loopholes in each asset are mapped to the threats that could disrupt the smooth functioning of the system. The assessment weighs the likelihood that a threat exploits a vulnerability against the potential impact if it does, with impact expressed as the cost incurred by the asset's stakeholders.
Risk assessment is followed by the development of a risk management plan. The plan proposes countermeasures that mitigate, eliminate, accept or transfer each risk, and it defines the steps taken to prevent and detect threats by preparing an adequate response. Development can follow the framework laid down by a leading standards body such as COBIT. Countermeasures typically include large-scale deployment of technical tools such as antivirus applications and firewalls; security policies mandating controls such as regular backups and configuration hardening; employee training to raise cyber security awareness; and the establishment of a CERT and a CSIRT, which handle emergency response and incident response respectively. Each countermeasure is weighed carefully against its cost and the benefit it delivers. Because eliminating the entire array of risks is virtually impossible, a proactive and cost-efficient approach is taken to managing them.
Once the risk management plan has been implemented, it is tested and evaluated through formal audits. Risk assessment and management should rest on norms that are reviewed and improved at set intervals.