How to Increase the Information Assurance in the Information Age

Home , Information assurance, Information security

HOW TO INCREASE THE INFORMATION ASSURANCE IN THE INFORMATION AGE

LTC Artur SOSIN*

*Ministry of Defence/Republic of Moldova

The competitive world we live in today is characterized by an environment where the advancement of technology has increased the number of complex vulnerabilities and sophisticated attacks. Organizations around the globe are facing now the same challenges of implementing data protection and securing information assurance. The purpose of this paper is to prove that Information Assurance has become one of the most important tools in creating and maintaining a competitive advantage in today’s competitive and global marketplace. This paper also presents the relationship between information assurance and cybersecurity, and their connection with confidentiality, integrity, availability (CIA) triad. Furthermore, assuring information and providing security is a life cycle process which needs a comprehensive understanding, skills, and experience in order to protect today’s risk management challenges. The author concludes the paper with the importance of information assurance policies which are the fundamental guidelines for protecting information assets and fulfilling information assurance objectives of an organization.

Key words: Information Assurance, Cybersecurity, Confidentiality, Integrity, Availability, Risk Management, Policies.

environment and electronic war give us less 1. INTRODUCTION expected and more unexpected. In short, the transformation from industrial The competitive world we live in today is to information is a test for all of us, and even if characterized by an environment where the we pass it, this does not mean that we have information is progressively interconnected and been well prepared. This is the reason why, at the same time more independent. nowadays, people are more concerned about Globalization has become part of every domain new threats such as data security and in which the world operates such as economic, information assurance. It is difficult sometimes social, and technological infrastructure. Behind to make a distinction between information the globalization is the transformation of security and information assurance. information technology which has become an important part of an organization’s global business strategy. Today’s interconnected 2. INFORMATION ASSURANCE world is full of uncertainty which allows CONCEPTS AND PRINCIPLES transferring the information across the borders through cyberspace. At this moment, we are in a phase of 2.1. What is Information Assurance? transition, a world which is moving from the Industrial Age to the Information Age. In other Information assurance has many words, we are changing from 3D hyper- definitions or interpretations. According to integration technology architecture such as Department of Defense Information Assurance future technology research in computer, Certification and Accreditation Program nanotech and biotech to a 3C (connected, (DIACAP) Information Assurance is defined contested and complex) hyper world. as “measures that protect and defend Unfortunately, today’s sophisticated information and information systems by 45 ensuring their availability, integrity, (technology, policy, and people); and five authentication, confidentiality, and non- basic services (availability, integrity, repudiation. This includes providing for authentication, confidentiality, and restoration of information systems by nonrepudiation), as shown in Fig. 1. [3] incorporating protection, detection, and According to these definitions, information reaction capabilities.” [1] Information assurance has a much broader view than only Assurance Handbook has the following secure the information because encompasses definition; “Information Assurance is the all the components of information security overarching approach for identifying, under the integration of protection information understanding, and managing risk through an based on confidentiality, integrity, availability, organization’s use of information and non-repudiation, and authentication which are information systems.” [2]. The Maconachy- the five main components of information Schou-Ragsdale (MSR) model of information assurance. Furthermore, information assurance assurance characterized three states of includes all information an organization can information (storage, transmission, and transmit, store, and process. processing); three essential countermeasures

Fig.1 MSR Model

information security, information protection, 2.2. Information Assurance and and cybersecurity. Information security is a Subdomains subdomain of information assurance and focuses on the CIA triad: confidentiality, In addition, there are three main integrity, and availability, as shown in Fig. 2. subdomains of information assurance;

46 social security number, and other types of data if there is no encryption of information. This is why only authorized people who have the equivalent level of secrecy must have access to folders, and permission to access this type of information. Furthermore, in order to protect data and information every organization has to have all the information about the administrators who are in charge of their security control and must be monitored also. Information must always be accessed by the correct users in order to be Fig.2 CIA Triad secure. However, even if the information is well secured but there is no authenticity that In the same context, information security is can create another problem. responsible for all information an organization Another fundamental component of is storing and transmitting, electronic or paper information security is integrity. It is about format. As information assurance, information making sure that data has not been modified or security is responsible for both domains: changed. Authentication comes with “trust” information protection and cybersecurity. because it is very important to trust the person Information protection has the role of with whom you are interacting with. In other protecting the integrity and confidentiality of words, only by joining together integrity and information by using a diversity of means such authentication we will get to the level of as monitoring information classification, authenticity. For example, if a database information categorization, and all the follows rules such data integrity, the database strategies. [4] Moreover, from other point of will increase performance, stability, accuracy, view, information protection has to be in and will not allow entering data in an incorrect charge of sensitive information such as format in database. personal information and information related The last part of the triangle is availability. to person’s health. This part describes the restriction and For example, Central Intelligence Agency limitation of using data, and the access to the (CIA) of the United States is focusing on this device must be available only with the given “triad” when it needs to put into place a new permission by the authorized administrators. security control policy into computer The access to the information must be environment. [5] This triad facilitate the restricted, or available only with the understanding of Information Technology (IT) permission and approval of the authorized Governance to ensure the efficiency and people. These attacks can easily damage the effectiveness of information technology in whole system by shutting down the system. making possible that the organizations achieve This is why security policies must be put into their goals and produce measurable results place in order to remediate these unwanted toward accomplishing their strategies. The attacks before the event happens to help keep Figure 2 shows how CIA is represented by information safe and secure. these three pylons that are the security policy core fundamentals. 2.3. Information Assurance and Every component has its own significance, Cybersecurity because an organization cannot achieve success if one of these is not fully integrated. The twenty-first century has become an Confidentiality is very important nowadays interconnected corporate IT system for because it is very easy for hackers to obtain managing and distributed computing which private data and information such as birth date, provided the possibility to work from anywhere around the globe, and has created a 47 new era of vulnerabilities. [6] This is the test, and should not be accessed by the reason why cyber crimes cannot be controlled receptionist. [10] and the cyber risk is the newest indicator of an For this reason information assurance out of control world. [7] Despite the fact that becomes one of the most important issues and big companies around the globe spend every must be encrypted before transmission from year millions of dollars in order to secure their end-to-end. Today anyone can start a computer information assurance, the next generation of and can access all the files from the hard drive. cyber risk has the potential to have a negative Furthermore, after gaining access many impact on their data base and network systems. attackers will try to escalate the system in The main goal of cybersecurity is to protect order to become the administrator of the electronic information systems and networks computer. For example, in September 2014 from being attacked by threats and Home Depot was one of the targets of such an vulnerabilities. Organizations start paying attack which give the attackers the advantage more attention to cybersecurity domain to discover of 53 million customer e-mail because both public and private sectors are not addresses, and also 56 million credit cards sufficiently protected against sophisticated accounts. [11] This is another example that attacks, and they need to develop defensive shows the importance of information actions in order to be ready to secure the assurance, and what happens when the information. attackers break the network system of an The efficiency and effectiveness of organization only by compromising the cybersecurity requires that governments, username and password. There are many areas private companies and non-governmental the companies have to focus on when they organizations must concentrate their efforts to speak in terms of protecting confidentiality, understand the threats from a common point of but not all the time they succeed on doing so. view and to share the information and Today, many organizations do not want to resources in order to mitigate them. [8] As our pay attention to cyber threats or often they try world is more interconnected at the same time to neglect the area of information security is more insecure. Cyber domain is an without investment in this domain. These environment where there are many actors situations bring to the conclusion that big involved that may affect the security network companies spend a colossal amount of money at the national and international level. to this domain. Cybersecurity is an area where Numerous companies have been victims of nations need to continuously take actions in cybercrime, by losing their integrity and order to raise the level of information security, confidentiality. It is very important for the and to sustain their competitiveness on the companies to assure themselves that only the business global market. Figure 3 illustrates the right and authorized individuals have access to connection between information assurance and data and information, otherwise the its relationship with subdomains such as information will not be secured. [9] For information security, information protection, example, in the healthcare scenario, the doctor cybersecurity, and their relationship with who sends the information to the laboratory confidentiality, integrity, availability, needs to be sure that the orders can be read authentication, and nonrepudiation. [12] only by technicians in order to perform the

Fig. 3 Information assurance and subdomains

3. INFORMATION ASSURANCE RISK not to fail to manage the risk. One of the areas MANAGEMENT which can bring success to an organization is 3.1. Risk Management Concept the integration of protection of the infrastructure of communication technology by For an organization’s management is very requiring identification, authentication and hard to be successful without implementing a ensure the continuity of the companies by risk management strategy for defending the mitigating the risk management. [13] The risk risks. A well-executed management plan can management is a key element in the reduce risk and increase economic efficiency. organization’s information security program However, organizations must identify risk in and contributes to the organization with the order to manage it. The objective of risk most effective framework for selecting the management is to identify, analyze, evaluate, appropriate measures for an information and continue to progress it every day. In system in order to secure and protect addition, risk management is a whole process individuals and assets of the organization. [14] that includes policies, theories, and practices One of the most important functions of risk for identifying, managing, and controlling risk management is to select protective measures to actions. Companies must take into guarantee the ability of the organization to consideration that ignoring the risk may cause fulfill its mission. [15] A holistic approach unwanted outcomes. For this reason is must be integrated for protecting an important for organizations to have a good information system. Furthermore, it is management risk practices in order to be ready important to know the most vulnerable parts and prepared for unwanted surprises. that should be protected and the security Information assurance risk management is measures which must be taken. Nevertheless, very important for an organization in order to for security is not enough to have techniques face uncertainty, which can be one of two: a and skills because the most critical point in risk or an opportunity. This is a challenge for any information system are the human beings. many organizations because they have to [16] To have the entire framework of security decide how much it they can accept in order network we must take into consideration both

49 technical and human factors. Moreover, as the and evaluating the factors that are connected to technological and societal backgrounds are the event, particularly the threats and the progressively evolving, threats also transform vulnerabilities. In addition, risk can be reduced and evolve. by applying security measures that are The information system has a strong translate from a methodology. A methodology connection with threats and has to be both that should include a security approach defined monitored and managed at the same time. by effectiveness and efficiency applicable to There are many definitions related to risk. One directives, executive orders, policies, standards of the most recent provided by the and regulations. [19] These documents must International Organization for Standardization be part of Risk Management Framework, in is “the effect on uncertainty on objectives.” order to make an information security program [17] The older definition is “the potential that more effective, and organizations need not to a given threat will exploit vulnerabilities of an apply only to the enterprise architecture but asset or group of assets and thereby cause also to the new information system within the harm to the organization.” [18] As we can see context of the system development life cycle. both definitions have something in common, [20] because the effect on uncertainty means the terms threat, vulnerability, and asset can 4. Risk Management Process produce harm to an organization by challenging its way of operating, and Risk management consists of many damaging the resources that maintain the value processes that are related to the information of the organization and its mission. Research security. There is no a single process which has shown that in theory information security can be used by every organization because risk is easy to calculate by using different every organization applies its unique process. types of formula. In contrast, reality has shown Organizations should choose their that, in order to measure the risk within an management methods or approaches that are organization it is necessary not only to take more relevant to their environment where into consideration a combination of theoretical business is taken place. Risk management measures but also an organization must be process should have a continuous cycle and prepared for unknown situations by adopting this cycle have to be always monitored, as the best practices. shown in Fig. 4. [21] Another way of measuring risk is by adopting fundamental principles, analyzing

Fig. 4 Risk management process 50

The three main processes that risk assessment, risk mitigation and evaluation and management is focused on are: risk assessment, as shown in Fig. 5. [22]

Fig. 5 Risk management components

It is a very complicated course of action for identify its limitations and constrains. Risk an organization to be able to evaluate the analysis should be done from both impact of the risk on the business information perspectives: quantitatively and qualitatively. process without having risk evaluation criteria. Both types of analyses must have the same The criteria should indicate both: the level of common goal to analyze the risk in order to damage caused by an information event and obtain a general scale of the risk level, and the estimate cost for eliminating it. Research most importantly to consider the major risks has shown that there are no organizations in identified. The risk evaluation process includes the world that are completely secure and do a complex risk assessment in order to make not acknowledge risk acceptance. Every decisions for the next actions, and prioritize organization must have a strategy that should risks in accordance with risk evaluation include the goals and objectives related to criteria. Taking into consideration that risk developing risk acceptance criteria such as management is an ongoing and never-ending business criteria, finance aspects, and social process, maintenance of security measures and humanitarian aspects. should be planned and permanently performed First and foremost, in order to assess the on a regular scheduled basis. [23] risk within an organization, it is imperative to The implementation of security measures define the scope and make sure that all the must be done by the organization in order to measures are taken into consideration ensuring organize and develop risk assessment risk assessment. Furthermore, the scope is not exercises within the organization by involving the only factor that should be taken into all the factors that have a connection with risk account when we want to assess the risk, such as new types of business objectives and because we have to be aware of limitations and functions, and we must follow how effectively constrains. By identifying the boundaries, and efficiently are put into practice the organizations might figure the risks arise security measures to respond to the new more inside these boundaries. Only after identifying sophisticated threats or vulnerabilities. Only the scope and boundaries, the organization after all the necessary adjustments and needs to analyze its whole approach to risk transformations had been taken into management such as strategic objectives, consideration, the risk might be reevaluated strategies, and information security policy. As and security measures could be identified. abovementioned, every organization needs to 51 Risk assessment is the first phase of risk organization to measure its risk because shows management process and includes all both the likelihood and the impact of a risk organizational resources such as information, event happening. This graph demonstrates that people, processes and technologies. In even though the risk is not completely addition, based on these resources an eliminated, it can be partially reduced, as organization can make an estimation of the shown in Fig. 6. [25] The highest risk is the value they add in achieving the organization more sophisticated one and requires more mission, estimating the vulnerabilities that resources and time. In contrast, the medium have a direct impact on the resources, and and low risks need less effort and can be fully assessing the likelihood or probability that eliminated. However, all the organizations each threat will have a connection with an must keep in mind to be responsive to all types equivalent vulnerability. [24] of risks, and they have to daily monitor and From a practical point of view, a risk periodically review them to make sure that matrix approach is the best option for an organizations are secure.

Fig. 6 Example of risk level matrix

5. INFORMATION ASSURANCE their information without a strong secure POLICIES policy and security plans and methodologies 5.1. Security Policies and Plans that must be used in contemporary assessment Development and information technology infrastructure. For example, in order to build a resistant and solid Information assurance policy is house we need a strong foundation at the base, unquestionably the essential element for any because without having this house might be successful organizations and without having destroyed at the first big flood. The same these policies it is very hard for an analogy we can use for an organization. For organization to operate properly. Every this reason it is imperative for any organization must have a comprehensive organization to have a security policy information assurance documents that implementation foundation to be put in place guarantee their security policies against and to have well-organized senior potential threats. Today, there are no management support, as shown in Fig. 7. [26] organizations in the world who can assure

Fig. 7 Business security framework

By using this analogy, every organization sophisticated hacker of today is not so much a can spend less time and resources for hacker by trade but more entrepreneurial” and identifying solutions without reinventing “They are leaders on the bad side of the something when events will happen. Another economy, but they have the same skills that secure example that could be used by an happen in the good side. They can assemble the organization is called “BRICK” that also people and processes needed to run a business.” emphasizes the biggest challenges that most of [27] This saying demonstrates that these types the organizations have to regularly work on, in of criminals are more orientated toward order to keep protecting their security money, and they can easily start a business environment by defending confidential data because they have a technology background and information as renewed as possible, as and this knowledge help them to assemble shown in Fig. 8. [27] Nowadays, in the field of everything in order to run a business. Based on computing is almost impossible to control the “BRICK” model, all five phases need to be storage and the use of information due to fully integrated each other in order to ensure innovative cybercriminals who are taking the life cycle for security policy and to advantage of security gaps that are present in correlate the policies with the needs that must the unprepared organizations. be updated to help secure the environment and Cybersecurity strategist Matthew Gardiner identify the measures that must be taken to pointed out very well saying that “the accomplish the whole process.

Fig. 8 BRICK

5.2. Information Assurance Priciples long life span, customizable and pragmatic, and Strategy risk-based approach, organizationally significant, strategic, tactical, and operational, The information assurance strategy should concise well-structured, and extensible – see be a living document of every organization Fig. 9. [28] Each principle has its unique because its principles accomplish the contribution to the grand information necessities and objectives that organizations assurance strategy. need in order to develop their long-term The future organization should have in business plans. The most important principles place a non-classic model and more that an organization must be based on are the comprehensive type of strategy such as following; comprehensive, independent, legal defence-in-depth strategy, which will cover all and regulatory requirements, living document the management programs and domains.

Fig. 9 Information assurance strategy principles

The defence-in-depth strategy is not only the multiple countermeasures to protect the an information assurance concept which uses integrity of the information assets in an

54 organization but also offers the best practices country which is isolated from the rest of the taking into account the three main important world cannot survive alone. This is why it is elements for an organization such as people, necessary that all the countries combine their technologies, and operations. The 19th century efforts and establish a common joint research military strategist Helmuth von Moltke said to exchange experience in the field of that “No plan survives contact with the technological training. In addition, enemy.” [29] We should not underestimate the organizations should increase the level of enemy, because they know what is their security and draft plans against cyber attacks. strategy and how to react once engaged. The A globalized world makes the products to be same concept hackers and attackers apply developed outside the country. This when they want to damage the software and development has invented a new “Open network systems. Even though organizations innovation” or “Open doors” which becomes have already developed plans, there is no more a new way of collaborate with other guarantee that their information is secured. companies and a new imperative of The defence-in-strategy is the most effective competition in global markets, but lees a approach because is composed of numerous secure system and control access of integrity countermeasures that can be applied to various among competitors. [31] types of risks which have different level of It is very important for organizations to complexity and rigidity. Furthermore, defense- make right and secure decisions and to in-depth offers the best tools for information properly address enough methods for securing assurance. information assurance. However, in order to However, this type of defense must always make right and secure decisions, organizations be planned in advance because it has to be have to have a comprehensive approach, responsive to the most sophisticated attacks because cyber domain includes threats that are and unpredicted events. Former U.S. Defense more sophisticated and dynamic. These Secretary Donald H. Rumsfeld stated very complicated threats most of the time are well by saying, “You go to war with the army created by individuals such as customers or you have, not the army you might want or competitors with extensive knowledge and wish to have at a later time.” [30] There is no who have the authorized permission. well-developed strategy in the world that can Organizations should maintain their level of respond to unknown situations. However, information assurance by developing and having a strategy can minimize the impact of implementing defensive policies that may keep the risk. Organizations must take appropriate their infrastructure technology secure. If actions according with their laws and companies do not take measures against regulations to survive when sophisticated threats today, they will never have a greater attacks are happening. An information chance of success in future cyber environment. assurance strategy is the essential pylon for There is no magic formula which can be protecting an organization. applied in today’s turbulent environment. Companies should be flexible and to adapt 6. CONCLUSION easily to this environment, meanwhile, to be strong, more efficient and more integrated Organizations and their resources are with partners around the globe in order to always under risk pressure, which create them secure their information and to remain a lot of problems in the areas where they are operational. Nowadays, measures should be more vulnerable. Seniors and managers have taken at the international level in order to share to conduct a comprehensive risk assessment information according to some criteria which within organizations in order to evaluate their are accepted by private companies and non- level of risk and to identify the most sensitive governmental organizations. There is no parts. The advanced technology has brought country in the world that can defend alone new types of risks that are more complex and against cyber threats. For this reason, the sophisticated. In today’s information age a internal network security cannot be effective 55 anymore, and it is necessary to have a Theory and Practice in International common knowledge management and a Perspective”, p.248. defense approach at the international level. By [7] Ibid. adopting a set of defensive strategies, the [8] Maria Manuela Cruz-Cunha, Irene Portela, management of information assurance will be “Handbook of Research on Digital Crime, increased, and organizations will be secured Cyberspace Security, and Information from being attacked. Organizations must have Assurance”, Published by IGI Global, 2015, a comprehensive defense policy in order to p.317. ensure the protection of critical infrastructure [9] Glen Sagers, Bryan Hosack “Information of their security network. Not all the time the Technology Security Fundamentals”, Business advanced measures can neutralize the Expert Press, LLC, 2016. unexpected risks. Organizations have to invent [10] Glen Sagers, Bryan Hosack “Information new solutions based on their evaluation criteria Technology Security Fundamentals”, Business from the risk analysis perspective. Expert Press, LLC, 2016. A secure organization is not only about [11] Glen Sagers, Bryan Hosack “Information equipment and antivirus programs. It is very Technology Security Fundamentals”, Business important to understand that no program or Expert Press, LLC, 2016. combination of programs will make a secure [12] Corey Schou, Steven Hernandez, organization by itself. Securing information ”Information Assurance Handbook: Effective assurance is an entire process which requires Computer Security and Risk Management critical and innovation thinking, a lot of time, Strategies”, Published by McGraw-Hill money, and application of new IT technology Osborne Media, 2015, p.16. to maintain the organization operational. [13] Maria Manuela Cruz-Cunha, Irene However, many organizations do not want to Portela, “Handbook of Research on Digital pay much attention to information assurance Crime, Cyberspace Security, and Information domain, or they do not want to spend much Assurance”, Published by IGI Global, 2015, money on it, and as a result they end up with p.273. unwanted outcomes. This is why creating a [14] John R. Vacca, “Computer and secure infrastructure is compulsory for every Information Security Handbook, 3rd Edition”, organization at national or international level, Library and Cataloging-in-Publishing Data, because we never know when an organization July 2017, p.497. might be under attacked by very sophisticated [15] Kenneth J. Knapp, “Cyber Security and hackers. Global Information Assurance: Threat Analysis and Response Solutions” Published ENDNOTES by IGI Global, April 2009, p.56. [16] John R. Vacca, “Computer and [1] Department of Defence Directive, Information Security Handbook, 3rd Edition”, Information Assurance, October 24, 2002. Library and Cataloging-in-Publishing Data, [2] Corey Schou, Steven Hernandez, July 2017, p.3. ”Information Assurance Handbook: Effective [17] Ibid p.508. Computer Security and Risk Management [18] Ibid. Strategies”, Published by McGraw-Hill [19] Ibid. p.511. Osborne Media, 2015, p.14. [20] Ibid. p.516. [3] Ibid. [21] Corey Schou, Steven Hernandez, [4] Ibid. ”Information Assurance Handbook: Effective [5] John R. Vacca, “Computer and Computer Security and Risk Management Information Security Handbook, 3rd Edition”, Strategies”, Published by McGraw-Hill Library and Cataloging-in-Publishing Data, Osborne Media, 2015, p.57. July 2017, p.567. [22] Kenneth J. Knapp, “Cyber Security and [6] Kewin Walby and Randy K. Lippert, Global Information Assurance: Threat “Corporate Security in the 21st Century: 56 Analysis and Response Solutions” Published by IGI Global, April 2009, p.56. [23] John R. Vacca, “Computer and REFERENCES Information Security Handbook, 3rd Edition”, Library and Cataloging-in-Publishing Data, [1] Department of Defence Directive, July 2017, p.515. Information Assurance, October 24, 2002. [24] Kenneth J. Knapp, “Cyber Security and [2] Corey Schou, Steven Hernandez, Global Information Assurance: Threat ”Information Assurance Handbook: Effective Analysis and Response Solutions” Published Computer Security and Risk Management by IGI Global, April 2009, p.58. Strategies”, Published by McGraw-Hill [25] Corey Schou, Steven Hernandez, Osborne Media, 2015. ”Information Assurance Handbook: Effective [3] John R. Vacca, “Computer and Computer Security and Risk Management Information Security Handbook, 3rd Edition”, Strategies”, Published by McGraw-Hill Library and Cataloging-in-Publishing Data, Osborne Media, 2015, p.119. July 2017. [26] John R. Vacca, “Computer and [4] Kewin Walby and Randy K. Lippert, st Information Security Handbook, 3rd Edition”, “Corporate Security in the 21 Century: Library and Cataloging-in-Publishing Data, Theory and Practice in International July 2017, p.565. Perspective”. [27] Ibid. p.566. [5] Maria Manuela Cruz-Cunha, Irene Portela, [28] Corey Schou, Steven Hernandez, “Handbook of Research on Digital Crime, ”Information Assurance Handbook: Effective Cyberspace Security, and Information Computer Security and Risk Management Assurance”, Published by IGI Global, 2015. Strategies”, Published by McGraw-Hill [6] Glen Sagers, Bryan Hosack “Information Osborne Media, 2015, p.5. Technology Security Fundamentals”, Business [29] Ibid. p.25. Expert Press, LLC, 2016. [30] Ibid. [7] Kenneth J. Knapp, “Cyber Security and [31] John R. Vacca, “Computer and Global Information Assurance: Threat Information Security Handbook, 3rd Edition”, Analysis and Response Solutions” Published Library and Cataloging-in-Publishing Data, by IGI Global, April 2009. July 2017, p.5.