Module 5 - Information Assurance (IA) Policy

Information Assurance Policy


The overall objective of an information assurance program is to protect the confidentiality,
integrity and availability of organizational information and IT-enabled services. Fundamental to
the establishment of an effective information assurance program is the organization's
establishment of appropriate information assurance policies, procedures and standards.
Policies can be defined as a high-level statement communicating an organization's goals,
objectives, and the general means for their accomplishment. The creation of information
assurance policies may be driven by the need to comply with laws and regulations or simply reflect
executive management's analysis of the organization's information assurance requirements.
There can actually be a hierarchy of policies with each lower layer providing increasing degrees of
specificity, but still recognizable as policies by their focus on "know what" content rather than
"know how." Because policies tend to be formulated in general terms, organizations will generally
develop procedures and standards that more specifically elaborate what needs to be done.
Policies might be used to identify information assets meriting special safeguards (e.g., client lists,
product designs, market analysis), to delineate information-related roles and responsibilities (e.g.,
establishing a Chief Security Officer position), or to specify the establishment and performance of
information assurance related tasks or processes (e.g., organizational policy might dictate the
establishment and conduct of the risk assessment and change management processes described below).
Standards can be thought of as a specific class of policies. Standards are mandatory rules (e.g.,
ensure desk is cleared of working papers before leaving worksite for the day), technical choices
(e.g., all desktop systems connecting to the organizational network will have a particular anti-virus
program loaded), or some combination of the two (e.g., the signature file for the anti-virus
software is to be updated on a daily basis). The delineation of standards and policies can be fuzzy.
A policy might dictate that servers containing confidential information reside behind a network
firewall. A standard might specify the type of firewall to be used and even specify the configuration
of the firewall. But all of that information might reside in a single policy document. Finally, an
organization might specify procedures that spell out the specific activities or steps required to
conform with designated policies and standards. The procedures constitute the instructions for
performance of policy- or standard-related tasks. The formal definitions matter less than the way
the terms are actually employed within any given organization. The important point to understand
is that the formulation of policies, procedures and standards constitute important elements of an
organization's information assurance program and an organization's ability to avoid system
failures.
There are extensive guidelines governing the development of effective policies, procedures and
standards, and the reader is encouraged to consult such guidance if he or she becomes directly
involved in the process of writing policies and procedures. However, we think it useful to briefly
describe criteria for judging the effectiveness of information assurance policies.
Good policies have the following characteristics:
• Good policies have the support of upper management. One can hardly imagine a factor
more likely to undermine policy compliance within an organization than the realization
that upper levels of management do not care about the policy, are unwilling to provide
resources required to implement the policies or have no intention of conforming to the
policies in their own behavior.
• Good policies are clear, concise and well written. Every attempt must be made to reduce
ambiguity by selecting appropriate language, identifying a clear scope to which the policy
applies and ensuring the policies are consistent with other organizational policies and
practices. Organizational members cannot comply with policies if they cannot understand
them and ambiguity may encourage the development of undesirable policy
interpretations.
• Good policies will clearly delineate responsibilities and identify the resources required to
support their implementation. If one commonly hears the phrases, "it's not my job" or "I
don't have the resources" with respect to policy compliance, problems with compliance
likely exist.
• Good policies are living documents. It seems that the only constant in today's world is
change. Policies can quickly become outdated. Out-of-date policies lead to two problems.
First, the policies gradually become inadequate as organizational requirements change
over time and as the types of risks present in the organization's
environment. Second, as policies become increasingly inaccurate and irrelevant to the
organization's needs, there is a natural tendency for the policies to be ignored.
• Good policies specify enforcement provisions and a process for handling policy exceptions.
If there are no adverse consequences associated with policy non-compliance, then
compliance will likely suffer. As it is difficult if not impossible to anticipate every
contingency in the formulation of policies, long term compliance will be enhanced by
specifically including provisions for requesting policy exceptions.
Finally, it is difficult to overestimate the importance of education and training in establishing
effective policy compliance. The effectiveness of policies, procedures and standards is seriously
undermined if organizational users are able to claim ignorance of their existence. This is
particularly true with respect to compliance with specific standards and procedures. Education
and training requirements will vary depending on the job responsibilities. Employees who deal
with confidential information may require guidance concerning legitimate use of the information.
IT professionals may require specialized training in order to properly configure and employ
technology used to increase reliability and security of information services. In short, the
establishment of a comprehensive information assurance training program constitutes a critical
management risk mitigation control.
Information Assurance (IA) is the management of data and the potential risks to that data
throughout the development, use, storage, transmission, and processing of an application.
The primary concern of Information Assurance is to guarantee the availability,
integrity, authentication, confidentiality, and non-repudiation of information and information
systems.
When we think about and discuss Information Assurance, we are almost always referring to data
and information in its digital form. However, Information Assurance can also include data in
physical forms too. Information Assurance is tasked with protecting data in storage and in transit.
Information Assurance is becoming an increasingly important part of mobile app and web
development projects as organizations rely more heavily on digital information systems. The app
development process is one of the most critically important times to manage and assess your
information risk. It is during development that you face the greatest chance of a security
vulnerability being introduced to your app in the form of a software flaw.
Undetected flaws or security vulnerabilities in the application can lead to unauthorized users
accessing, editing, copying, or deleting your valuable information or that of your users. Security
breaches can have a large impact on your brand’s reputation, consumer trust, and your ability to
operate your business.
Information Assurance plays a vital role in modern security plans, and it will only continue to get
more vital as organizations continue to turn to digital handling solutions for their information.
Information Assurance (IA) vs. Information Security
Information Assurance (IA) and information security are closely related, and they both play a major
role in the security of information and information systems. The differences between these two
security fields are more than just semantic. Let's break it down in more detail.
We’ve already touched on Information Assurance. Its main focus is ensuring the availability,
integrity, authentication, confidentiality, and non-repudiation of information and information
systems. This includes leveraging testing tools to identify and analyze potential vulnerabilities in
applications, servers, and other resources so that these risks can be addressed to improve the
level of Information Assurance of the resource in question.
On the other hand, information security focuses on the protection of information and information
systems from the unauthorized access, use, modification, destruction, disclosure, and disruption
of information. Put simply, Information Assurance ensures integrity, availability, and confidentiality,
while information security provides them.
These two fields are so closely related that they can get confused with each other quite easily. In
many respects, you could say in very simple terms that Information Assurance double checks or
makes sure that information security is functioning properly. This topic is more nuanced than that,
but this simplified explanation lends some clarity to a very complex topic.
At the end of the day, modern information security policies and plans need to include assurance
and security protocols. Both Information Assurance and information security rely on one another
to provide robust security coverage for an organization’s information system.
The Importance of Information Assurance (IA)
It is easy for everyone to understand the importance of information security, but you may not yet
see the importance of Information Assurance. The main reason why Information Assurance is so
important is that it focuses on finding more effective ways to safeguard and maintain control over
important information.
The overall quality of the information is an important aspect of Information Assurance, and this
type of work also encourages vigorous risk management planning and strategies. One of the most
important facets of Information Assurance is ongoing risk assessment. Security threats are always
evolving, and bad actors are finding new ways to exploit vulnerabilities.
Information Assurance (IA) risk assessments can give your organization a better understanding of
potential security vulnerabilities in your information system, the individual likelihood of these
vulnerabilities being exploited, and the potential impacts (financial, brand image, compliance, and
so on) your organization could face in the event a particular vulnerability is exploited.
The key to successful Information Assurance risk assessments is objectivity. If your organization
can depend on the reliability and objectivity of a risk assessment, you can create detailed plans on
the best ways to handle any potential security vulnerabilities.
In some cases, you may only need to take steps to mitigate a vulnerability, but in others, you may
need to take a more aggressive approach and completely eliminate the issue. The follow-up steps
that you take will depend on the nature and gravity of your risk assessments.
Without Information Assurance measures in place, it will be difficult for your organization to be
confident in the integrity of your information. Furthermore, in today’s fast-paced business world,
decisions need to be made quickly. Not only do you need information to be available to you at a
moment's notice, but you also need to be able to rely on its authenticity and accuracy.

Administrative Security Controls

Administrative security controls refer to policies, procedures, or guidelines that define personnel
or business practices in accordance with the organization’s security goals.

Many organizations today implement some type of onboarding process to introduce you to the
company and provide you with a history of the organization.

During the onboarding process, you may be instructed to review and acknowledge the security
policy of the organization.
By acknowledging that you have read the policies of the organization as a new hire, you are then
accountable to adhere to the corporate policy of the organization.

In order to implement the administrative controls, additional security controls are necessary for
continuous monitoring and enforcement.

The processes that monitor and enforce the administrative controls are:

Management controls: The security controls that focus on the management of risk and the
management of information system security.
Operational controls: The security controls that are primarily implemented and executed by
people (as opposed to systems).

For example, a security policy is a management control, but its security requirements are
implemented by people (operational controls) and systems (technical controls).

An organization may have an acceptable use policy that specifies the conduct of users, including
not visiting malicious websites. The security control to monitor and enforce could be in the form
of a web content filter, which can enforce the policy and log simultaneously.
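The mapping described above (a management control, the acceptable use policy, enforced and logged by a technical control, the web content filter) together with the earlier point that good policies include a process for handling policy exceptions, as an added example that is not part of the module text. The deny list, the approved exception, the user names and the URLs are constructed sample values; the class and function names are this example's own.

```python
"""Acceptable use policy enforced by a logging web content filter.

Added example (not from the module): a policy rule ("do not visit
malicious websites") is expressed as a deny list, the filter enforces it
and writes an audit record for every decision, and an approved,
time-bound policy exception can override a block without silencing the
log. All hosts, users and dates below are constructed sample values.
"""
from dataclasses import dataclass, field
from datetime import date
from urllib.parse import urlparse


@dataclass
class PolicyException:
    """A formally approved exception to the policy, valid until 'expires'."""
    host: str
    requested_by: str
    approved_by: str
    expires: date


@dataclass
class AcceptableUsePolicy:
    """Management control: the rule (deny list) plus its approved exceptions."""
    blocked_hosts: set          # hosts the policy designates as malicious
    exceptions: list = field(default_factory=list)

    @staticmethod
    def _matches(host: str, pattern: str) -> bool:
        # Exact host or any subdomain of the listed host.
        return host == pattern or host.endswith("." + pattern)

    def is_blocked(self, host: str) -> bool:
        return any(self._matches(host, h) for h in self.blocked_hosts)

    def exception_for(self, host: str, today: date):
        """Return the unexpired exception covering 'host', or None."""
        for exc in self.exceptions:
            if self._matches(host, exc.host) and today <= exc.expires:
                return exc
        return None


class WebContentFilter:
    """Technical control: enforces the policy and logs every decision."""

    def __init__(self, policy: AcceptableUsePolicy):
        self.policy = policy
        self.audit_log = []  # one line per request, allow or block

    def check(self, user: str, url: str, today: date) -> str:
        host = (urlparse(url).hostname or "").lower()
        if self.policy.is_blocked(host):
            exc = self.policy.exception_for(host, today)
            if exc is None:
                decision, reason = "BLOCK", "host on policy deny list"
            else:
                decision = "ALLOW"
                reason = (f"exception requested by {exc.requested_by}, "
                          f"approved by {exc.approved_by}, expires {exc.expires}")
        else:
            decision, reason = "ALLOW", "host not on deny list"
        self.audit_log.append(
            f"{today.isoformat()} user={user} host={host} "
            f"decision={decision} reason={reason}")
        return decision


def build_demo_filter() -> WebContentFilter:
    """Constructed policy: one blocked host and one exception for an analyst."""
    policy = AcceptableUsePolicy(
        blocked_hosts={"malware.example"},
        exceptions=[PolicyException(host="malware.example",
                                    requested_by="analyst",
                                    approved_by="ciso",
                                    expires=date(2024, 6, 30))])
    return WebContentFilter(policy)


if __name__ == "__main__":
    f = build_demo_filter()
    f.check("alice", "http://www.malware.example/sample", date(2024, 6, 1))
    f.check("bob", "http://malware.example/", date(2024, 7, 1))
    f.check("bob", "https://intranet.example/", date(2024, 7, 1))
    print("\n".join(f.audit_log))
```

The point to notice is that the exception does not bypass the control: the request is still recorded, with who requested and approved the exception and when it lapses, so the audit trail stays complete and the exception expires on its own once the approval period ends.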

The remediation of a phishing attack is another example that employs a combination of
management and operational controls.

Security controls to help thwart phishing, besides the management control of the acceptable use
policy itself, include operational controls, such as training users not to fall for phishing scams, and
technical controls that monitor emails and web site usage for signs of phishing activity.
Activity (100 pts.)

Direction: Create an infographic that shows the importance of Information Assurance.

Grading rubric:
  Design (20%): Layout, color scheme, fonts.
  Content (30%): Terms, facts, quantity of data, quality of data.
  Clarity (30%): Claim, efficiency, clear impression.
  Representation (20%): Design complements contents; choice of visuals and data visualization matches contents and claims.
  Total: 100%

Resources:
https://purplesec.us/security-controls/
https://www.koombea.com/blog/information-assurance/
https://www.opentextbooks.org.hk/ditatopic/26353
