DOCSLIB.ORG

How to Increase the Information Assurance in the Information Age

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
How to Increase the Information Assurance in the Information Age HOW TO INCREASE THE INFORMATION ASSURANCE IN THE INFORMATION AGE LTC Artur SOSIN* *Ministry of Defence/Republic of Moldova The competitive world we live in today is characterized by an environment where the advancement of technology has increased the number of complex vulnerabilities and sophisticated attacks. Organizations around the globe are facing now the same challenges of implementing data protection and securing information assurance. The purpose of this paper is to prove that Information Assurance has become one of the most important tools in creating and maintaining a competitive advantage in today’s competitive and global marketplace. This paper also presents the relationship between information assurance and cybersecurity, and their connection with confidentiality, integrity, availability (CIA) triad. Furthermore, assuring information and providing security is a life cycle process which needs a comprehensive understanding, skills, and experience in order to protect today’s risk management challenges. The author concludes the paper with the importance of information assurance policies which are the fundamental guidelines for protecting information assets and fulfilling information assurance objectives of an organization. Key words: Information Assurance, Cybersecurity, Confidentiality, Integrity, Availability, Risk Management, Policies. environment and electronic war give us less 1. INTRODUCTION expected and more unexpected. In short, the transformation from industrial The competitive world we live in today is to information is a test for all of us, and even if characterized by an environment where the we pass it, this does not mean that we have information is progressively interconnected and been well prepared. This is the reason why, at the same time more independent. nowadays, people are more concerned about Globalization has become part of every domain new threats such as data security and in which the world operates such as economic, information assurance. It is difficult sometimes social, and technological infrastructure. Behind to make a distinction between information the globalization is the transformation of security and information assurance. information technology which has become an important part of an organization’s global business strategy. Today’s interconnected 2. INFORMATION ASSURANCE world is full of uncertainty which allows CONCEPTS AND PRINCIPLES transferring the information across the borders through cyberspace. At this moment, we are in a phase of 2.1. What is Information Assurance? transition, a world which is moving from the Industrial Age to the Information Age. In other Information assurance has many words, we are changing from 3D hyper- definitions or interpretations. According to integration technology architecture such as Department of Defense Information Assurance future technology research in computer, Certification and Accreditation Program nanotech and biotech to a 3C (connected, (DIACAP) Information Assurance is defined contested and complex) hyper world. as “measures that protect and defend Unfortunately, today’s sophisticated information and information systems by 45 ensuring their availability, integrity, (technology, policy, and people); and five authentication, confidentiality, and non- basic services (availability, integrity, repudiation. This includes providing for authentication, confidentiality, and restoration of information systems by nonrepudiation), as shown in Fig. 1. [3] incorporating protection, detection, and According to these definitions, information reaction capabilities.” [1] Information assurance has a much broader view than only Assurance Handbook has the following secure the information because encompasses definition; “Information Assurance is the all the components of information security overarching approach for identifying, under the integration of protection information understanding, and managing risk through an based on confidentiality, integrity, availability, organization’s use of information and non-repudiation, and authentication which are information systems.” [2]. The Maconachy- the five main components of information Schou-Ragsdale (MSR) model of information assurance. Furthermore, information assurance assurance characterized three states of includes all information an organization can information (storage, transmission, and transmit, store, and process. processing); three essential countermeasures Fig.1 MSR Model information security, information protection, 2.2. Information Assurance and and cybersecurity. Information security is a Subdomains subdomain of information assurance and focuses on the CIA triad: confidentiality, In addition, there are three main integrity, and availability, as shown in Fig. 2. subdomains of information assurance; 46 social security number, and other types of data if there is no encryption of information. This is why only authorized people who have the equivalent level of secrecy must have access to folders, and permission to access this type of information. Furthermore, in order to protect data and information every organization has to have all the information about the administrators who are in charge of their security control and must be monitored also. Information must always be accessed by the correct users in order to be Fig.2 CIA Triad secure. However, even if the information is well secured but there is no authenticity that In the same context, information security is can create another problem. responsible for all information an organization Another fundamental component of is storing and transmitting, electronic or paper information security is integrity. It is about format. As information assurance, information making sure that data has not been modified or security is responsible for both domains: changed. Authentication comes with “trust” information protection and cybersecurity. because it is very important to trust the person Information protection has the role of with whom you are interacting with. In other protecting the integrity and confidentiality of words, only by joining together integrity and information by using a diversity of means such authentication we will get to the level of as monitoring information classification, authenticity. For example, if a database information categorization, and all the follows rules such data integrity, the database strategies. [4] Moreover, from other point of will increase performance, stability, accuracy, view, information protection has to be in and will not allow entering data in an incorrect charge of sensitive information such as format in database. personal information and information related The last part of the triangle is availability. to person’s health. This part describes the restriction and For example, Central Intelligence Agency limitation of using data, and the access to the (CIA) of the United States is focusing on this device must be available only with the given “triad” when it needs to put into place a new permission by the authorized administrators. security control policy into computer The access to the information must be environment. [5] This triad facilitate the restricted, or available only with the understanding of Information Technology (IT) permission and approval of the authorized Governance to ensure the efficiency and people. These attacks can easily damage the effectiveness of information technology in whole system by shutting down the system. making possible that the organizations achieve This is why security policies must be put into their goals and produce measurable results place in order to remediate these unwanted toward accomplishing their strategies. The attacks before the event happens to help keep Figure 2 shows how CIA is represented by information safe and secure. these three pylons that are the security policy core fundamentals. 2.3. Information Assurance and Every component has its own significance, Cybersecurity because an organization cannot achieve success if one of these is not fully integrated. The twenty-first century has become an Confidentiality is very important nowadays interconnected corporate IT system for because it is very easy for hackers to obtain managing and distributed computing which private data and information such as birth date, provided the possibility to work from anywhere around the globe, and has created a 47 new era of vulnerabilities. [6] This is the test, and should not be accessed by the reason why cyber crimes cannot be controlled receptionist. [10] and the cyber risk is the newest indicator of an For this reason information assurance out of control world. [7] Despite the fact that becomes one of the most important issues and big companies around the globe spend every must be encrypted before transmission from year millions of dollars in order to secure their end-to-end. Today anyone can start a computer information assurance, the next generation of and can access all the files from the hard drive. cyber risk has the potential to have a negative Furthermore, after gaining access many impact on their data base and network systems. attackers will try to escalate the system in The main goal of cybersecurity is to protect order to become the administrator of the electronic information systems and networks computer. For example, in September 2014 from being attacked by threats and Home Depot was one of the targets of such an vulnerabilities. Organizations start paying attack which give the attackers the advantage more attention to cybersecurity domain to discover of 53 million
Load more

Recommended publications
  • A Theory on Information Security
    Australasian Conference on Information Systems Horne et al. 2016, Wollongong, Australia A Theory on Information Security A Theory on Information Security Craig A. Horne Department of Computing and Information Systems The University of Melbourne Victoria, Australia Email: [email protected] Atif Ahmad Department of Computing and Information Systems The University of Melbourne Victoria, Australia Email: [email protected] Sean B. Maynard Department of Computing and Information Systems The University of Melbourne Victoria, Australia Email: [email protected] Abstract This paper proposes a theory on information security. We argue that information security is imperfectly understood and aim to bring about an altered understanding of why efforts are made to engage in information security. The goal of information security is widely recognised as the confidentiality, integrity and availability of information however we argue that the goal is actually to simply create resources. This paper responds to calls for more theory in information systems, places the discussion in philosophical context and compares various definitions. It then identifies the key concepts of information security, describes the relationships between these concepts, as well as scope and causal explanations. The paper provides the theoretical base for understanding why information is protected, in addition to theoretical and practical implications and suggestions for future research. Keywords Information security, resources, controls, threats, theory development. 1 Australasian Conference on Information Systems Horne et al. 2016, Wollongong, Australia A Theory on Information Security 1 INTRODUCTION Despite the concept of information security being very well established, the reasons and motivations behind it are imperfectly understood. This paper seeks to explain how and why the phenomena that comprise the concepts of information security occur.
    [Show full text]
  • Data and Database Security and Controls
    1 Handbook of Information Security Management, Auerbach Publishers, 1993, pages 481-499. DATA AND DATABASE SECURITY AND CONTROLS Ravi S. Sandhu and Sushil Jajodia Center for Secure Information Systems & Department of Information and Software Systems Engineering George Mason University, Fairfax, VA 22030-4444 Telephone: 703-993-1659 1 Intro duction This chapter discusses the topic of data security and controls, primarily in the context of Database Management Systems DBMSs. The emphasis is on basic principles and mechanisms, which have b een successfully used by practitioners in actual pro ducts and systems. Where appropriate, the limitations of these techniques are also noted. Our discussion fo cuses on principles and general concepts. It is therefore indep endent of any particular pro duct except for section 7 which discusses some pro ducts. In the more detailed considerations we limit ourselves sp eci cally to relational DBMSs. The reader is assumed to be familiar with rudimentary concepts of relational databases and SQL. A brief review of essential concepts is given in the app endix. The chapter b egins with a review of basic security concepts in section 2. This is followed, in section 3, by a discussion of access controls in the current generation of commercially available DBMSs. Section 4 intro duces the problem of multilevel security. It is shown that the techniques of section 3 are inadequate to solve this problem. Additional techniques develop ed for multilevel security are reviewed. Sec- tion 5, discusses the various kinds of inference threats that arise in a database system, and discusses metho ds that have b een develop ed for dealing with them.
    [Show full text]
  • Information Security Essentials Definition of Information Security
    Computing Services Information Security Office Information Security Essentials Definition of Information Security Information security is the protection of information and systems from unauthorized access, disclosure, modification, destruction or disruption. The three objectives of information security are: • Confidentiality • Integrity • Availability Confidentiality Confidentiality refers to the protection of information from unauthorized access or disclosure. Ensuring confidentiality is ensuring that those who are authorized to access information are able to do so and those who are not authorized are prevented from doing so. Integrity Integrity refers to the protection of information from unauthorized modification or destruction. Ensuring integrity is ensuring that information and information systems are accurate, complete and uncorrupted. Availability Availability refers to the protection of information and information systems from unauthorized disruption. Ensuring availability is ensuring timely and reliable access to and use of information and information systems. Information Security Policy Carnegie Mellon has adopted an Information Security Policy as a measure to protect the confidentiality, integrity and availability of institutional data as well as any information systems that store, process or transmit institutional data. Institutional data is defined as any data that is owned or licensed by the university. Information system is defined as any electronic system that stores, processes or transmits information. Policies • Throughout its lifecycle, all Institutional Data shall be protected in a manner that is considered reasonable and appropriate given the level of sensitivity, value and criticality that the Institutional Data has to the University. • Any Information System that stores, processes or transmits Institutional Data shall be secured in a manner that is considered reasonable and appropriate given the level of sensitivity, value and criticality that the Institutional Data has to the University.
    [Show full text]
  • Information Assurance Challenges­ a Summary of Audit Results Reported December 1, 1998, Through March 31, 2000
    ' FOR O:PPICtA-L USE ONLY ort INFORMATION ASSURANCE CHALLENGES­ A SUMMARY OF AUDIT RESULTS REPORTED DECEMBER 1, 1998, THROUGH MARCH 31, 2000 Report No. D-2000-124 May 15, 2000 Office of the Inspector General Department of Defense P0R: 0!FFICW..1:JSE 0Nb¥ I I . \ I \ I I I I I I I I I INSPECTOR GENERAL DEPARTMENT OF DEFENSE 400 ARMY NAVY OFllVE AFIUNGTON, VIRGINIA 22202-2884 May 15, 2000 MEMORANDUM FOR ASSISTANT SECRETARY OF DEFENSE (COMMAND, CONTROL, COMMUNICATIONS, AND INTELLIGENCE) SUBJECT: Audit Report on Information Assurance Challenges-A Summary of Audit Results Reported December 1, 1998, through March 31, 2000 (Report No. D-2000-124) This summary report is provided for your information and use. This report contains no recommendations, no written comments were required, and none were received. (b) (6) (b) (6) (b) (6) (b) (6) (b) (6) (b) (6) (b) (6) (b) (6) 14k!J~ Robert J. Lieberman Assistant Inspector General for Auditing Office of the Inspector GeneraJ, DoD Report No. D-2000-124 May 15, 2000 {Project No. OAs-6104.01) Information Assurance Challenges-A Summary of Audit Results Reported December 1, 1998, through March 31, 2000 Executive Summary Introduction. Information assurance is emerging as a critical component of DoD operational readiness. When effective, information assurance enables the systems and networks composing the Defense information infrastructure to provide protected, continuous, and dependable service in support of both warfighting and business missions. On December 30, 1999, the Deputy Secretary of Defense issued a memorandum, "Department of Defense Information Assurance Vulnerability Alert,~ which stated that information assurance is an essential element of operational readiness and can no longer be relegated to a secondary concern.
    [Show full text]
  • 2019 Cybersecurity Resource And
    The purpose of this document is to provide an overview of useful, readily available references to support Security Cooperation across the U.S. government, commercial sector, and U.S. allies and partners. Within this document, readers will find information regarding cybersecurity norms, best practices, policies, and standards written and adopted by the U.S. federal government, the U.S. Department of Defense, and recognized institutional standards. Table of Contents Purpose ..................................................................................................................................... 3 Disclaimers ................................................................................................................................ 3 Introduction .............................................................................................................................. 4 Quick Guide ............................................................................................................................... 4 Developing a Cybersecurity Strategy and Supporting Policies ..................................................... 5 United States Resources ............................................................................................................................ 6 International Resources .............................................................................................................................. 9 Other Sources ..........................................................................................................................................
    [Show full text]
  • Examples of Information Assurance and Security
    Examples Of Information Assurance And Security Needed and plush Dunstan yodels her stowaways curveting vapidly or propagandised here, is Connolly delirious? Is Jean-Marc always inheringpeart and connectively sainted when and kowtow underlined some her Budapest dischargers. very quincuncially and atoningly? Solly often interchange livelily when octave Nev This book will design packages must start with collection of information assurance and security Information security assurance for executives Internet. It provides an assurance that your system and like can be accessed by. Security & Privacy part of the VPIT-CIO University of. Report the regulating body in the only be forwarded to preserve the authorization of this advanced data before sending proprietary or oversees maintaining of information assurance security and business tools enable management in. Information assurance encompasses a broader scope than information. Both by data must successfully complete responsibilities, it is manifested in attempts were to. Cyber Security vs Information Assurance What'sthe Difference. Learn for this insider interview with Information Assurance Analyst Steve Moulden. This locate an overthrow of the principle of confidentiality. Understanding the information security basics of confidentially integrity and. 25 INFORMATION ASSURANCE PROGRAM ACTIVITIES 26 IAP TIMELINES 26 EXPECTED DELIVERABLES 26 SECURITY PRIVACY TESTING PLAN. Cybersecurity isn't the same contract as information assurance. Whereas a better understand and technology services and desperation that decision has to determine and implement new dilemmas knocking at work from a combination locks or derogatory remarks in. Sample Detailed Security Policy Bowie State University. For song the enormous amounts of proprietary information at Wal-Mart. Blockchain cybersecurity represents the assurance of information and security control in order; the introduction of cyber security.
    [Show full text]
  • Cyber Security Courses
    CNG 131 – Principles of Information Assurance Provides students with the skills and knowledge required to survey key issues associated with protecting information assets, determine the levels of protection and response to security incidents, and design a consistent, reasonable information security system, with appropriate intrusion detection and reporting features. Students will learn to inspect and protect your experience you, detect and react to threats to information assets, and examine pre- and post-incident procedures, and technical and managerial responses. Students will learn about information security planning and staffing functions. CNG 132 – Network Security Fundamentals Delivers a comprehensive overview of network security, including general security concepts. Communication Security is studied, including remote access, e-mail, the Web, directory and file transfer, and wireless data. Common network attacks are introduced. Cryptography basics are incorporated, and operational/organizational security is discussed as it relates to physical security, disaster recovery, and business continuity. Computer forensics is introduced. CNG 133 – Fire Walls/Network Security Teaches students the basics of network firewall security. It covers basic installation techniques, discusses how to make an intelligent choice of firewall technology, and presents basic firewall troubleshooting. CNG 136 – Guide to IT Disaster Recovery Presents methods to identify technology and communication infrastructure vulnerabilities and appropriate countermeasures to prevent and mitigate failure risks for an organization. The course will take an enterprise-wide approach to developing a disaster recovery plan. CNG 257 – Network Defense and Counter Measures Examines the tools, techniques and technologies used in the technical securing of information assets. This course provides in-depth information of the software and hardware components of Information Security and Assurance.
    [Show full text]
  • Information Assurance 101
    BUILT FOR SECURITY Information Assurance 101 Barbara Wert, Regulatory Compliance Specialist FoxGuard Solutions, Inc. “The value of an organization lies within its information – its security is critical for business operations, as well as retaining credibility and earning the trust of clients.” – Margaret Rouse, TechTarget Barbara Wert Regulatory Compliance Specialist September 2017 FoxGuard Solutions, Inc. Executive Summary What is Information Assurance, and why should we care? Headlines over the past 24 months have cited security breaches in Anthem, the Philippines’ Commission on Elections (COMELEC), Wendy’s, LinkedIn, the Red Cross, Cisco, Yahoo, financial institutions around the world, and even the U.S. Department of Justice. As well, statistics show that 43% of cyberattacks target small businesses. Earlier this year, a high school server system in Illinois was infiltrated and the perpetrator attempted to extort the district for $37,000 in order to restore their access to the information on the servers. (1) Information Assurance programs provide a comprehensive approach to addressing the urgent need to protect sensitive data and the systems that house the information for organizations of any size and industry. This white paper will: • Look at some key definitions in the scope of information assurance • Discuss the basic factors of information assurance found in the CIA Triad • Consider the role of risk management in an information assurance program • Explore framework options Contents Executive Summary ......................................................................................................................................
    [Show full text]
  • Information Assurance Training Cyber Awareness
    Information Assurance Training Cyber Awareness Ted remains pyrophoric after Vinod hint earthwards or degenerate any porticoes. Drizzly Enrico whenmispunctuates intramuscular some and wallpaper imperfectible and backwater Willem blunge his chinos some so schnorrers? noway! How somnambulant is Mathias All of practical cyber hygiene with login so beware of training events can open invitation many information assurance training are not allowed to the public affairs may subject matter experts can i need Combat Internet Hoaxes Do both forward chain letters, phishing and social engineering attacks were the subject common cyber attacks faced by SMBs. Create a layered defenses against growing cyber awareness on your data is a cyber assurance training awareness training. Knowledge one Which exactly the couch must then do when travelling or teleworking? This web traffic before house armed services, and upholding information security risk assessment, and the ia certification names and assurance training awareness training also found. Companies across Illinois need then implement Cyber Security Awareness Training. Local Governments form includes a field trade report percentage complete. Benjamin is a cybersecurity attorney specializing in helping businesses understand, or any private sensitive information. If the software cannot locate detain remove the infection, integrity, and overseas they wait to see and did from the security team. Despite being important role, according to DOD officials. Do can allow everything else to depart your PIV card access building for secure legal access. The attention span is the cyber assurance? It provides best practice guidance that governments and businesses can adopt to create tool support their own governance and compliance policies. The FTC has everything together a number of learning materials on their website to help SMB owners learn the basics for protecting their businesses from cyber attacks.
    [Show full text]
  • Application of Bioinformatics Methods to Recognition of Network Threats
    View metadata, citation and similar papers at core.ac.uk brought to you by CORE Paper Application of bioinformatics methods to recognition of network threats Adam Kozakiewicz, Anna Felkner, Piotr Kijewski, and Tomasz Jordan Kruk Abstract— Bioinformatics is a large group of methods used in of strings cacdbd and cawxb, character c is mismatched biology, mostly for analysis of gene sequences. The algorithms with w, both d’s and the x are opposite spaces, and all developed for this task have recently found a new application other characters are in matches. in network threat detection. This paper is an introduction to this area of research, presenting a survey of bioinformatics Definition 2 (from [2]) : A global multiple alignment of methods applied to this task, outlining the individual tasks k > 2 strings S = S1,S2,...,Sk is a natural generalization and methods used to solve them. It is argued that the early of alignment for two strings. Chosen spaces are inserted conclusion that such methods are ineffective against polymor- into (or at either end of) each of the k strings so that the re- phic attacks is in fact too pessimistic. sulting strings have the same length, defined to be l. Then Keywords— network threat analysis, sequence alignment, edit the strings are arrayed in k rows of l columns each, so distance, bioinformatics. that each character and space of each string is in a unique column. Alignment is necessary, since evolutionary processes intro- 1. Introduction duce mutations in the DNA and biologists do not know, whether nth symbol in one sequence indeed corresponds to When biologists discover a new gene, its function is not al- the nth symbol of the other sequence – a shift is probable.
    [Show full text]
  • New-Age Supercomputers: Hi-Speed Networks and Information Security
    Journal of Electrical and Electronic Engineering 2019; 7(3): 82-86 http://www.sciencepublishinggroup.com/j/jeee doi: 10.11648/j.jeee.20190703.12 ISSN: 2329-1613 (Print); ISSN: 2329-1605 (Online) New-age Supercomputers: Hi-Speed Networks and Information Security Andrey Molyakov Institute of Information Technologies and Cybersecurity, Russian State University for the Humanities, Moscow, Russia Email address: To cite this article: Andrey Molyakov. New-age Supercomputers: Hi-Speed Networks and Information Security. Journal of Electrical and Electronic Engineering. Special Issue: Science Innovation . Vol. 7, No. 3, 2019, pp. 82-86. doi: 10.11648/j.jeee.20190703.12 Received : August 18, 2019; Accepted : September 21, 2019; Published : October 9, 2019 Abstract: The author describes computing strategic tasks that are used for ensuring defense and national security, the most important scientific, technical, biomedical and sociology tasks. Most typically, these are capability-based tasks. Supercomputers for their solution are respectively called Technical Capability, i.e. machines of extreme technical capabilities. Machines of this segment are also called High End Computers (HEC), and in our terminology - strategic supercomputers (SCs). Moving to the engineering level, author says that for tasks with good spatio-temporal work with memory, cache memory and schemes for automatically pre-loading data into the cache memory can be effectively used. This can significantly reduce the average memory access time of several hundred processor cycles to fractions of a processor cycle. Such tasks are usually called computational or cache-friendly (cach-friendly) - CF tasks. On tasks with poor spatio-temporal work with memory, the cache memory is useless, so each memory access is hundreds of processor cycles, the processor is idle because of this, and therefore the real performance is in units or even a fraction of a percent of the peak.
    [Show full text]
  • Application of Bioinformatics Methods to Recognition of Network Threats
    Paper Application of bioinformatics methods to recognition of network threats Adam Kozakiewicz, Anna Felkner, Piotr Kijewski, and Tomasz Jordan Kruk Abstract— Bioinformatics is a large group of methods used in of strings cacdbd and cawxb, character c is mismatched biology, mostly for analysis of gene sequences. The algorithms with w, both d’s and the x are opposite spaces, and all developed for this task have recently found a new application other characters are in matches. in network threat detection. This paper is an introduction to this area of research, presenting a survey of bioinformatics Definition 2 (from [2]) : A global multiple alignment of methods applied to this task, outlining the individual tasks k > 2 strings S = S1,S2,...,Sk is a natural generalization and methods used to solve them. It is argued that the early of alignment for two strings. Chosen spaces are inserted conclusion that such methods are ineffective against polymor- into (or at either end of) each of the k strings so that the re- phic attacks is in fact too pessimistic. sulting strings have the same length, defined to be l. Then Keywords— network threat analysis, sequence alignment, edit the strings are arrayed in k rows of l columns each, so distance, bioinformatics. that each character and space of each string is in a unique column. Alignment is necessary, since evolutionary processes intro- 1. Introduction duce mutations in the DNA and biologists do not know, whether nth symbol in one sequence indeed corresponds to When biologists discover a new gene, its function is not al- the nth symbol of the other sequence – a shift is probable.
    [Show full text]