ITEC 85 Module 5 - Information-Assurance-Policy
• Good policies are clear, concise and well written. Every attempt must be made to reduce
ambiguity by selecting appropriate language, identifying a clear scope to which the policy
applies and ensuring the policies are consistent with other organizational policies and
practices. Organizational members cannot comply with policies if they cannot understand
them and ambiguity may encourage the development of undesirable policy
interpretations.
• Good policies will clearly delineate responsibilities and identify the resources required to
support their implementation. If one commonly hears the phrases, "it's not my job" or "I
don't have the resources" with respect to policy compliance, problems with compliance
likely exist.
• Good policies are living documents. It seems that the only constant in today's world is
change. Policies can quickly become outdated. Out-of-date policies lead to two problems.
First, the policies gradually become inadequate as organizational requirements change
over time and as the types of risks present in the organization's environment change.
Second, as policies become increasingly inaccurate and irrelevant to the
organization's needs, there is a natural tendency for the policies to be ignored.
• Good policies specify enforcement provisions and a process for handling policy exceptions.
If there are no adverse consequences associated with policy non-compliance, then
compliance will likely suffer. As it is difficult if not impossible to anticipate every
contingency in the formulation of policies, long term compliance will be enhanced by
specifically including provisions for requesting policy exceptions.
Finally, it is difficult to overestimate the importance of education and training in establishing
effective policy compliance. The effectiveness of policies, procedures and standards is seriously
undermined if organizational users are able to claim ignorance of their existence. This is
particularly true with respect to compliance with specific standards and procedures. Education
and training requirements will vary depending on job responsibilities. Employees who deal
with confidential information may require guidance concerning legitimate use of the information.
IT professionals may require specialized training in order to properly configure and employ
technology used to increase the reliability and security of information services. In short, the
establishment of a comprehensive information assurance training program constitutes a
critical management risk mitigation control.
Information Assurance (IA) is the management of data and the potential risks to that data
throughout the development, use, storage, transmission, and processing of an application.
The primary concern of Information Assurance is to guarantee the availability,
integrity, authentication, confidentiality, and non-repudiation of information and information
systems.
When we think about and discuss Information Assurance, we are almost always referring to data
and information in its digital form. However, Information Assurance can also include data in
physical forms too. Information Assurance is tasked with protecting data in storage and in transit.
Information Assurance is becoming an increasingly important part of mobile app and web
development projects as organizations rely more heavily on digital information systems. The app
development process is one of the most critically important times to manage and assess your
information risk. It is during development that you face the greatest chance of a security
vulnerability being introduced to your app in the form of a software flaw.
Module 5 - Information Assurance (IA) Policy
Undetected flaws or security vulnerabilities in the application can lead to unauthorized users
accessing, editing, copying, or deleting your valuable information or that of your users. Security
breaches can have a large impact on your brand’s reputation, consumer trust, and your ability to
operate your business.
Information Assurance plays a vital role in modern security plans, and it will only continue to get
more vital as organizations continue to turn to digital handling solutions for their information.
Information Assurance (IA) vs. Information Security
Information Assurance (IA) and information security are closely related, and they both play a major
role in the security of information and information systems. The differences between these two
security fields are more than just semantic. Let’s break it down in more specific details.
We’ve already touched on Information Assurance. Its main focus is ensuring the availability,
integrity, authentication, confidentiality, and non-repudiation of information and information
systems. This includes leveraging testing tools to identify and analyze potential vulnerabilities in
applications, servers, and other resources so that these risks can be addressed to improve the
level of Information Assurance of the resource in question.
On the other hand, information security focuses on the protection of information and information
systems from the unauthorized access, use, modification, destruction, disclosure, and disruption
of information. Information Assurance ensures integrity, availability, and confidentiality,
while information security provides it.
These two fields are so closely related that they can get confused with each other quite easily. In
many respects, you could say in very simple terms that Information Assurance double checks or
makes sure that information security is functioning properly. This topic is more nuanced than that,
but this simplified explanation lends some clarity to a very complex topic.
At the end of the day, modern information security policies and plans need to include assurance
and security protocols. Both Information Assurance and information security rely on one another
to provide robust security coverage for an organization’s information system.
The Importance of Information Assurance (IA)
It is easy for everyone to understand the importance of information security, but you may not yet
see the importance of Information Assurance. The main reason why Information Assurance is so
important is that it focuses on finding more effective ways to safeguard and maintain control over
important information.
The overall quality of the information is an important aspect of Information Assurance, and this
type of work also encourages vigorous risk management planning and strategies. One of the most
important facets of Information Assurance is ongoing risk assessment. Security threats are always
evolving, and bad actors are finding new ways to exploit vulnerabilities.
Information Assurance (IA) risk assessments can give your organization a better understanding of
potential security vulnerabilities in your information system, the individual likelihood of these
vulnerabilities being exploited, and all of the potential financial, brand image, compliance, etc.,
impacts your organization could face in the event a particular vulnerability is exploited.
The key to successful Information Assurance risk assessments is objectivity. If your organization
can depend on the reliability and objectivity of a risk assessment, you can create detailed plans on
the best ways to handle any potential security vulnerabilities.
In some cases, you may only need to take steps to mitigate a vulnerability, but in others, you may
need to take a more aggressive approach and completely eliminate the issue. The follow-up steps
that you take will depend on the nature and gravity of your risk assessments.
Without Information Assurance measures in place, it will be difficult for your organization to be
confident in the integrity of your information. Furthermore, in today’s fast-paced business world,
decisions need to be made quickly. Not only do you need information to be available to you at a
moment’s notice, but you also need to be able to rely on its authenticity and accuracy too.
Administrative security controls refer to policies, procedures, or guidelines that define personnel
or business practices in accordance with the organization’s security goals.
Many organizations today implement some type of onboarding process to introduce you to the
company and provide you with a history of the organization.
During the onboarding process, you may be instructed to review and acknowledge the security
policy of the organization.
By acknowledging that you have read the policies of the organization as a new hire, you are then
accountable to adhere to the corporate policy of the organization.
In order to implement the administrative controls, additional security controls are necessary for
continuous monitoring and enforcement.
The processes that monitor and enforce the administrative controls are:
Management controls: The security controls that focus on the management of risk and the
management of information system security.
Operational controls: The security controls that are primarily implemented and executed by
people (as opposed to systems).
For example, a security policy is a management control, but its security requirements are
implemented by people (operational controls) and systems (technical controls).
An organization may have an acceptable use policy that specifies the conduct of users, including
not visiting malicious websites. The security control to monitor and enforce could be in the form
of a web content filter, which can enforce the policy and log simultaneously.
Security controls to help thwart phishing, besides the management control of the acceptable use
policy itself, include operational controls, such as training users not to fall for phishing scams, and
technical controls that monitor emails and web site usage for signs of phishing activity.
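As an added illustration (not part of the module or its sources), the following Python sketch models the web content filter described above: a technical control that enforces the acceptable use policy, honours the time-bound policy exceptions the earlier section says a good policy should provide for, and logs every decision at the moment it enforces. Domain categories, users, tickets and dates are constructed sample values.

```python
"""Added example: an acceptable-use-policy web filter that enforces,
honours approved time-bound exceptions, and logs every decision."""
from dataclasses import dataclass, field
from datetime import date
from urllib.parse import urlparse

# Administrative control: the AUP forbids visiting sites in these categories.
BLOCKED_CATEGORIES = {"malware", "phishing"}

# Constructed categorisation feed (a real filter would consume a vendor feed).
DOMAIN_CATEGORY = {
    "bad.example": "malware",
    "login-verify.example": "phishing",
    "docs.example": "business",
}


@dataclass(frozen=True)
class PolicyException:
    """An approved exception: who, which domain, until when, and the approval record."""
    user: str
    domain: str
    expires: str   # ISO date; exceptions are time-bound and must be re-requested
    ticket: str    # reference to the approval record (constructed value)


@dataclass
class WebFilter:
    exceptions: list = field(default_factory=list)
    log: list = field(default_factory=list)

    def decide(self, user: str, url: str, today: str) -> str:
        """Return 'ALLOW' or 'BLOCK' and record the decision in the log."""
        domain = urlparse(url).hostname or ""
        category = DOMAIN_CATEGORY.get(domain, "uncategorised")
        verdict, reason = "ALLOW", f"category={category}"
        if category in BLOCKED_CATEGORIES:
            verdict, reason = "BLOCK", f"category={category} violates AUP"
            for exc in self.exceptions:   # an unexpired approved exception overrides the block
                if (exc.user, exc.domain) == (user, domain) \
                        and date.fromisoformat(today) <= date.fromisoformat(exc.expires):
                    verdict, reason = "ALLOW", f"approved exception {exc.ticket}"
                    break
        # Enforce and log in the same step: every decision, allowed or blocked, is recorded.
        self.log.append(f"{today} user={user} url={url} verdict={verdict} {reason}")
        return verdict


def sample_filter() -> WebFilter:
    """Filter with one constructed exception for a security analyst (expires 2024-06-30)."""
    return WebFilter(exceptions=[PolicyException("sec-analyst", "bad.example", "2024-06-30", "EXC-42")])
```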
Grading rubric:
Criterion        Weight   What is assessed
Design           20%      Layout, color scheme, fonts.
Content          30%      Terms, facts, quantity of data, quality of data.
Clarity          30%      Claim, efficiency, clear impression.
Representation   20%      Design complements contents; choice of visuals and data visualization match contents and claims.
Total            100%
Resources:
https://purplesec.us/security-controls/
https://www.koombea.com/blog/information-assurance/
https://www.opentextbooks.org.hk/ditatopic/26353