Information assurance can be defined as the hardware, software, policies, procedures, standards, and personnel that are used to secure data residing in information systems. Information assurance has disparate definitions, but the term has evolved over time to imply information security and beyond. It seeks to emphasize on ensuring that information is sufficiently available on demand, information integrity is sound, authenticity is verifiable, information privacy, and confidentiality is upheld, and provision of origin of data and proof of data integrity. Information assurance is an increasingly growing field in computer technology (Bishop, 2003).
Nearly all aspects of today’s society rely on computer systems – hardware and software. The world has seen increased usage of computing devices and systems than never before. The proliferation of mobile and handheld devices some having computing capabilities exceeding that of most PCs has led to an increase in data creation and circulation across individuals and organizations over the world (Birchall, Ezingeard, McFadzean, Howlin & Yoxall, 2004). Today, computer systems are in wide use in all industries: Transportation, mining, banking, manufacturing, agriculture, shipping, communication among others. However, computer systems infrastructure is increasingly faced with threats of attack from malware, spyware, adware, hacking, information theft, unauthorized access, denial of service, man-in-the-middle attack, and other security breaches (Mowbray, 2013). Therefore, every organization wants an assurance that its information is secure from such threats.
Companies and state agencies need to effectively protect their computer systems. A malware attack can cause unwanted delays and costs, but attacks such as information theft or distributed denial of service can be extremely disastrous. Organizational information stolen from computing systems can be used for extortion, reveal sensitive information related to intellectual property, blackmail individuals and businesses, or steal money from unsuspecting people. Information assurance with respect to computer systems has been practised for over 30 years, but with improvements in computer technology and the ever-growing use of computers for capturing, storage, and transfer of information has significantly changed the field towards increased necessity to improve the security of private and sensitive information.
This paper seeks to discuss the importance of information assurance in businesses. In addition, it explores aspects of building secure and trusted systems, security policies and security/system testing.
Blyth & Kovacich (2006) defines information assurance as the approach to assuring information and risk management with respect to access, use, processing, transmission, and storage of data and information and the information systems, processes and procedures used for such purposes. Information misuse may arise from corporate spies, hackers, disgruntled staff, or former employees who may want to damage or sabotage business operations. It is the work of an information assurance specialist to create robust systems that can effectively and efficiently prevent computer systems security breaches or recover quickly in case of an attack. Information security is the umbrella domain with many components where information assurance constitutes one of the components (Birchall et al., 2004). Therefore, it is difficult to separate the two component and information assurance specialists works closely with security professionals. Failure to build strong working relationships implies that information security and assurance leaves potential points of vulnerabilities. When the entire set of information security elements are functional and roles among responsible personnel understood, then the risk to organizational information is greatly reduced. Information assurance specialist works within the confines of information security to ensure information conformance with complete mitigation of security risks.
The information assurance team also helps remedy security weaknesses in systems by creating a checklist framework to allow an organization trace security transgressors. The computer technology is a constantly changing area, and with continued usage of computer systems in day-to-day business transactions, there are potential risks of security breaches. Therefore, the work of information assurance specialist is never ending. The specialist is involved in all arrangements and implementations targeted at protecting information’s confidentiality, integrity, availability, privacy, and accountability. Information assurance team is tasked with protecting, monitoring, analyzing, detecting, and responding to any form of unauthorized activity in computer networks and organizational information systems. Information assurance specialists employ principles related to action plans associated with information threat. The specialists’ mission is geared towards detecting, reporting, and responding to all kinds of cyber threats and attacks, while allowing for concrete encryption to enable secure information sharing between individuals and computer systems. Therefore, information assurance professionals seek to provide solutions that can effectively and efficiently keep organizational systems and information safe (Mowbray, 2013).
The Importance of Information Assurance in Business
Although information assurance does not mean information security, Bishop (2003) recognizes the crucial role played by information assurance in systems security by protecting an organization’s key computer systems and information assets as well as other critical computing infrastructures. First, information systems are truly unhelpful without correct and verifiable data, because compromised data residing in these systems would be detrimental: No worth turnaround decisions can be drawn from such data. In the corporate world, organizations continue to enhance their reliance on computer technology, and potential threats targeted to organization’s IT infrastructure increases, thus calling for optimal information assurance to counter the wide array of potential threats. The consumer community is likely to feel comfortable when transacting with businesses that have a better information assurance infrastructure in place.
Generally, information assurance enables risk management with regard to the capture, processing, storage, access, and transfer of information. It bolsters devices and systems capability to uphold privacy, confidentiality, governance, disaster recovery, regulatory compliance, business continuity, integrity, and other aspects of information and data quality. According to Blyth & Kovacich (2006), information assurance offers a concrete risk management platform that effectively and efficiently defines how security threats and risks should be mitigated, accepted, or transferred.
Information assurance also plays another role in analysis, control, and management of all systems that runs on computer networks within an organization. Information assurance provide the required risk assessment of a specific software, and depending on the actual or perceived degree of need and benefit that it provides, responsible personnel will approve or reject the software for use. Assessing all systems prior to being installed or hosted on an enterprise host or network, the information assurance personnel has a better knowledge base and understanding of risks when faced by potential threats, for example, a new malware affecting a specific browser version (Blyth & Kovacich, 2006).
IT applications and data have been faced with a wide range of security threats from human errors, environmental disruptions, intentional attacks, and hardware and software failures. In addition, there is a growing trend in complexity and frequency of cyber attacks; therefore, organizations commitment to information assurance plays a critical role in providing sufficient information security. Additionally, information assurance ensures that security risks associated with computer systems are adequately managed to guarantee a smooth operational environment. For example, when alerts are displayed, indicating unapproved or unpatched software running on the network, the information assurance team follows the established plan to handle that incident (Birchall et al., 2004). Therefore, threats and risks are accurately and sufficiently assessed and mitigated.
Information assurance ensures that a business is continually transforming towards a platform that can always withstand the ever-changing operation environment. Information assurance guarantees adaptability by ensuring that business operations and customer experience are supported optimally at all times. Blyth & Kovacich (2006) argues that information assurance builds and maintains the most needed consumer trust and confidence in a particular business since customers undertaking their day-to-day shopping activities are assured of information security and privacy.
According to Schou & Shoemaker (2006), information assurance seeks to resolve issues related to protection of the integrity, availability, and confidentiality of an organization’s computer systems, databases, documents, records, and reports. However, only authorized users should be allowed to access, modify or save information into organizational data repository. Thus, information assurance is unsurprisingly an integral part of almost all disciplines in an organization. Areas of accounting, auditing, business analysis, and reporting can only be successful with a robust information assurance framework in place. Otherwise, important facets of data such as correctness and confidentiality may be lost leading to flawed decision-making (Blyth & Kovacich, 2006). For example, the integrity and accuracy of information is important in achieving reliable financial analysis and reporting and creation of relevant and timely accounting results for purposes of decision-making.
Information assurance plays a critical role in implementing crucial functionalities in information systems and data. It demands a number of requirements that are of great importance to an organization. According to Blyth & Kovacich (2006), the key requirements include:
- Automation: Businesses can easily implement certification and accreditation suites for management of information systems. This way, staffs are relieved of manual monitoring of systems since certified and accredited software possess industry best practices and standards with respect to information security. These systems carry out normal workflow operations while notifying users of current security status with information assurance and security team receiving alerts in real time. Consequently, corrective measures are applied in a timely manner.
- Accountability: Data running in approved business systems is tracked for access and modification through audit trails, thus the business can track each transaction. This is implemented through role-based access control systems that enhance information security.
- Extensibility: Well-managed and secured information systems across an organization provide a better framework for scaling and integration. Data and information resources can be shared across an organization’s environment without risks of unauthorized exposure regardless of their complexity or size.
- Flexibility: Multiple information assurance requirements, such as integrity, confidentiality, availability and others are supported in all organization’s information systems.
Information assurance offers the much needed end-to-end visibility in information creation, process, sharing, and storage. Information residing in an organization’s enterprise network can be easily monitored for suspected malicious activity. Through robust information assurance mechanisms, the end-to-end visibility is gained regardless of the computing devices used, including handhelds, laptops, PDAs, PCs and other computer technologies. It also ensures that systems have proper data management, sharing and control policies based on laws and regulations. Appropriate access plans and procedures are created for all pieces of information produced by approved computer systems, and the established privileges and roles are consistent across the business (Birchall et al., 2004).
Bishop (2003) argues that information assurance adds business benefits through use of information and data risk management, which enhances the value information and data to authorized users. On the other hand, unauthorized users are denied the opportunity to access or use the utility contained in those data and information. This increases the perceived value of information to mend users. Schou & Shoemaker (2006) claims that information assurance is inclined towards business-level risk management strategies in systems and information security, as opposed to creation and implementation of IT security controls. As a result, information assurance defends against hackers and malware in addition to corporate governance aspects regarding compliance to regulations and standards.
Building secure and trusted systems
Security in all facets of computer technology has been a hot topic ever since introduction of computer systems in businesses. Computer network design is one the major areas that forms the security foundation for a business. A secure network perimeter is a big step towards protecting business resources, including hardware, applications and data, because cybercriminals typically exploit a network node before launching the attack to the wider business infrastructure. A solid network perimeter meeting all business needs and objectives with respect to computer systems security can play a big role in safeguarding information (Blyth & Kovacich, 2006). This way, the network infrastructure is designed in a manner that meets all the organization operation goals with safeguarding the core business information.
As part of security design, cryptography is also key security element. Cryptography mechanisms may be used for controlling access to information, shared drives, and ensures that communication and file sharing is secure. Issues such as sniffing and subsequent exposure to sensitive data are resolved by cryptography. Business databases may also be encrypted to ensure all information is free from unwanted exposure (Suhasini, Marc, Hickey & McBride, 2012). Intrusion detection, control, and prevention systems help business discover inappropriate activities that may be targeted at the computer network and systems. Intrusion detection systems inspects all incoming and outgoing network traffic and activity in order to identify suspicious trends that may imply attempts to compromise or break into a network or computer system (Blyth & Kovacich, 2006; Mowbray, 2013).
User authentication and authorization is another aspect of building secure and trusted systems. With a solid authentication and authentication framework, computer systems are able to effectively grant or deny access to a computing resource in addition to specifying user access levels to different resources depending on the identity of the user. If authentication and authorization system is compromised, the victim’s data may be significantly compromised resulting into damages to data integrity (Mowbray, 2013). In extreme cases, massive data breaches may be cased making recovery difficult or almost impossible. Concrete authentication and authorization schemes enable businesses to control access to sensitive and private information to ensure that only legitimate individuals and applications are granted the opportunity to enjoy such privileges.
Disaster recovery plan is a key element in upholding business continuity. Business continuity is the major mission in most of the worlds corporate strategies, especially in matters related to information security. This can be attributed to the wide usage of computer technology in bolstering business operations and employee productivity. The business world can never function optimally without application of computer systems. Schou & Shoemaker (2006) argues that organizations must ensure that their customers feel comfortable when sharing any piece of information with organisations. Disaster recovery is a key enabler of consumer confidence; thus, businesses must understand the importance of upholding information security to bolster business continuity. Organizational data may be compromised through system crashes, human error, software bugs, denial of service, malware attack, or natural disasters. However, despite continued business operations, it is worth treating organizational data as the most valuable element of customer satisfaction. Information must be recoverable whenever possible to ensure that customers enjoy normal business operations at all times, and a disaster recovery plan plays a big role in ensuring that excessive downtime is not experienced. Backup systems and specialized software suites designed to withstand failures can accomplish securing valuable information. Suhasini et al. (2012) argues that backup systems can handle unforeseen incidents by providing a recovery or restore point in case of a security attack. Specialized failure-resistant software may help recover data and damaged drives and tapes, thus facilitating business continuity.
Securing critical computer systems and data require a comprehensive effort towards building an environment that implements information assurance through enhanced computer systems security. According to Suhasini et al. (2012), robust computer systems security is achieved through a solid IT security infrastructure, implementing a security plan and policy scheme, assessing systems’ threats and vulnerabilities, evaluating existing security architecture to identify weaknesses, bolstering personnel security, provision of security training and awareness, implementing disaster recovery plans and procedures, and promoting physical data center security.
How can organizations ensure their all-important IT infrastructure is behaving in the right manner? How can IT personnel determine whether specific computer systems and mobile devices are trusted hosts on their enterprise networks? How can devices attempting to remotely access information be authenticated? This is the general dilemma experienced by IT administrators in a typical organization setting. Secure and trusted systems attempts to resolve these challenges. These systems allows ensure that that systems running on networks are exclusively the legitimate ones, are up-to-date and exchange strictly authorized information (Suhasini et al., 2012). This way, networks are free from unwanted traffic and activity, while minimizing damages from malware and other internal and external threats.
Secure and trusted infrastructures are made of platforms, services, and networks with in-built security mechanisms and capabilities that provide administrators and end users with assurances that they can be relied upon to support operations. Next-generation high-tech data centers are expected to have built-in capability to support confidentiality, integrity, auditing, non-repudiation, and availability in a manner that is trustworthy and reliable by parties involved in a shared infrastructure (Suhasini et al., 2012). Rather than trying to close all potential security loopholes, organizations should focus on creating technically sound mechanisms to provide acceptable assurance that IT infrastructures are secure and trustworthy. Trusted systems behave in a way IT personnel expect and offer verifiable and accurate information about its state. This kind of acceptable assurance is important in helping IT teams retain maximum control over IT resources and instil a sense of confidence in them. The underlying objective of building secure and trusted systems is to provide a simpler and safer to use IT infrastructure (Proctor, 2009).
In the domain of secure and trusted computing, organizations are exploring ways through which hardware and software systems can be made to allow end users validate the underlying integrity. More precisely, secure and trusted systems are all about developing standards and mechanisms for hardware and software enabled security implementation and trusted computing. Various aspects including virus-safe computing and secure code development initiatives are being employed by organizations to create trusted systems. For example, virus-safe computing may be used to eliminate or limit virus damages while some other kinds of security breaches such as online fraud may be made more difficult (HP, 2009).
The following components may be used as the strategy to incorporate security and trust in systems as described by Proctor (2009):
- Trusted processes to help mitigate against risks by strengthening security in communication networks.
- Trusted systems including storage, computing, and networking platforms using security mechanisms such as cryptography.
- Trusted services including end user services running in networks, cloud or on discrete devices.
Security policies are aimed at providing guidance to organizations’ management, system users, personnel involved in security implementation, and third-party service providers. Security policies are geared towards offering best practices and standards for safe usage of organizational IT resources in collection, processing, sharing, storage, data management, and communication. Additionally, a security policy defines appropriate standards for provide secure communications remotely and support for cloud and tele-workers. Areas covered by security policies include the web, file, documents, storage, email, remote access, databases, PCs, and communication devices (Peltier, 2004).
Governments, directorates, and organizations involved in developing global industry standards have recognized the importance of information protection in safeguarding business and national security. Security policies coupled with associated IT security plans form the foundation of a business’s security program. Security policies are developed in accordance with government or industry directives, for example, the NIST Special Publications 800-53. Agency-level instructions may also be followed to ensure that organizations conform to security best practices and standards. Access to sensitive and private business data can create great security and privacy concerns (Peltier, 2004). Organizations across the world have implemented security policies to safeguard organizational network resources by guiding internal and external stakeholders in practising solid security measures to protect computer systems and information.
However, for security policies to be effective, businesses must ensure that everyone using computer systems adhere to all elements embodied in those polices. Businesses use security policies in maintaining systems and data confidentiality, integrity, availability and accountability. Obtaining personnel trustworthiness in operating and maintaining critical computer systems is a big step towards strengthening the security capability of a business. Therefore, organizations should develop security policies that address security-based screening procedures, personnel identification, industrial systems security programs, and more importantly security awareness and training programs. Organizations wishing to derive the best from security policies must develop solid security awareness and training course, covering general awareness and training, systems specific training, best cause-action procedures to counter security incidents, and core technical training for systems developers and technicians (Peltier, 2001).
Physical security of computer systems should also be implemented to protect hardware devices such as PCs, servers, and networking and communication devices (routers, switches, APs, and others). Physical security tools and techniques may include manual and automated entry control equipment, premise monitoring systems, intrusion detection systems, access control systems and procedures, strong doors, and CCTVs. Other components may include smoke detectors, fire suppressors, and elevated floors especially for the data center to avoid flooding, proper cable management to separate data and electric power cables, and other tools and strategies that can protect organization’s physical infrastructures (Blyth & Kovacich, 2006). The data center and network operation center are two key areas that require a robust physical security policy because they host the most critical business computer systems, including servers, core switch and routers, databases, and core communication systems. Bishop (2003) claims that the data center should be protected with latest security systems and be under 24/7 monitoring to eliminate possibility of an attack because it is the pillar of any organization.
Disaster recovery plan is a key element of security policy. It implements business continuity by ensuring that enterprise’s critical systems, functions, applications, and data are always available (Peltier, 2001). Therefore, organizations should prepare contingency strategies and procedures, disaster recovery plans, incident response procedures, Business Impact Assessment (BIA) for key computer systems, telecommunication networks and data centers, and personnel awareness and training program. These strategies and procedures are focused on ensuring business continuity in terms of uninterrupted operations or acceptable operations at minimum and secure systems and data backup and recovery. Disaster recovery plans should go beyond continuity of business operations after a breach to cover issues related to applications and data recovery. Schou & Shoemaker (2006) argues that restoring operations back to normal after a disaster has hit a business does not imply that some aspects of applications and data integrity, privacy, or confidentiality have not been affected. Therefore, disaster recovery plans must ensure that both business continuity and elements of systems and data integrity, privacy or confidentiality are upheld.
There are a number of security vulnerabilities in almost all computer systems out there today. With this in mind, it is better if personnel tasked with implementing and maintaining security discovers a weakness rather than a disgruntled present or past employee or a hacker (Suhasini et al., 2012). Security personnel would devise measures to remedy identified vulnerability, but a criminal would exploit the vulnerability to launch an attack. Security or system testing is important to identify and eliminate existing and potential security weaknesses. It helps a business devise defence mechanisms to fight against potential weaknesses to prevent incidents of security breaches. Security weaknesses may arise from factors such as human errors, potential system crashes, programming bugs or malware. An effective security assessment plays a key role in identification and remediation of threats to computer systems in addition to vulnerabilities of those systems to such threats. Peltier (2001) argues that systems testing can be used to detect mitigation procedures, plans, and policies, including required systems modification to eliminate known weaknesses. Consequently, businesses run information systems at acceptable levels of risk.
To determine the strength of an organization’s computer systems and data, it is important to perform security testing in accordance with globally recognized guidelines and procedures such as the National Security Agency (NSA) and NIST SP 800-53 (Peltier, 2001). Personnel involved in systems testing typically specify areas that require emphasis which includes: Router security, firewall security, cyber security, protocol implementations, open ports, authentication and authorization techniques, network intrusion, software bugs, and security patching history (for all antivirus software , operating systems and third party systems) and capability. Security testing may involve determination of the number of devices compromised over a specific time, and identifying potential targets and critical computer systems exposed to risk. According to Bishop (2003), such behind-the-scenes-work is vital for keeping enterprise networks, hosts, applications, and data adequately secure.
Most importantly, security testing is used to determine whether all aspects of IT are running reliably and correctly. Then, it is easier to identify the kind of enforceable and effective policies that can be used to detect, prevent, and sufficiently address problems.
It is evident that the growing introduction and usage of more and more hand held devices with computational capabilities similar to normal PCs together with increasingly powerful cybercriminal tools and techniques have placed business information at high risks of security breaches. Therefore, it is important to protect business data from exposure to unauthorized internal and external people. Information assurance is a component of information security and the components must work together to derive the desired benefits to a business. Information assurance entails protection of authenticity, integrity, availability, non-repudiation, confidentiality, and authenticity of business data and information using physical, administrative, and technical controls to achieve these tasks. This protection applies to both hardcopy and electronic data at storage or in transit. It is worth noting that information assurance is a field that has grown from information security practices.
The importance of IT security has dramatically increased over the past few years. Organizations are increasingly focusing on developing secured systems to boost trustworthiness and ease of management. In today’s technology world, virus protection and patching are not enough measures to provide desirable levels of security, thus the need to incorporate trust, visibility, and resiliency. Security policies have been in wide usage across the corporate world for provision of secure guidelines in the course of application of IT resources for day-to-day business operations. Security or system testing is also a powerful tool for identifying existing and potential security weaknesses in systems in order to devise remediation strategies.
Birchall, D., Ezingeard, N., McFadzean, E., Howlin, N., & Yoxall, D. (2004). Information
assurance: Strategic alignment and competitive advantage. Grist Ltd.
Bishop, M. (2003). Computer Security: Art and Science. Addison-Wesley Professional.
Blyth, A., & Kovacich, G.L. (2006). Information Assurance: Security in the Information
Environment. Springer Science & Business Media
HP. (2009). Platform & infrastructure security. HP. Retrieved from
Mowbray, T.J. (2013). Cybersecurity: Managing Systems, Conducting Testing, and
Investigating Intrusions. John Wiley & Sons.
Peltier, T.R. (2001). Information Security Policies, Procedures, and Standards: Guidelines
for Effective Information Security Management. CRC Press.
Peltier, T.R. (2004). Information Security Policies and Procedures: A Practitioner’s
Reference. CRC Press.
Proctor, D. (2009, November 29). How to build trust into your network. FCW. Retrieved
Schou, C., & Shoemaker, D. (2006). Information Assurance for the Enterprise: A Roadmap
to Information Security. McGraw-Hill Education.
Suhasini, S., Marc, V., Hickey, J., & McBride, A.J. (2012). Intrinsically Secure Next-Generation Networks. Bell Labs Technical Journal. 173): 17-34.