Topic 3 - Approaches To Implementing Information Assurance


LECTURE 3

APPROACHES TO IMPLEMENTING INFORMATION ASSURANCE

Key Components of Info Assurance Approaches

• Organizations can use a top-down or bottom-up approach depending on an organization’s requirements.
• Sometimes a hybrid is the right decision; e.g., a large multinational organization with branches in different countries.
• Organizations should always consider balancing info assurance against the cost of implementing it.
• Any approach to info assurance should ensure effective interaction of 3 key components:
  - People
  - Process
  - Technology

TIA2221 Info Assurance & Security 2


Key Components of Info Assurance Approaches – People

• People are a challenging and crucial resource that needs management.
• By applying the right processes and technology, people add value to organizations.
• An organization should train the right employees to maximize the efficient use of its technology.
• Awareness, training, and education (AT&E) are key to making info assurance work.



Key Components of Info Assurance Approaches – Process

• Process refers to the use of a formalized sequence of actions to achieve an aim; e.g., a recruiting process.
• As an organization matures, its processes or procedures should become more efficient and discriminating.
• Matters that should be weighed in terms of their impact on current processes: legal, regulatory, and contractual requirements and obligations.



Key Components of Info Assurance Approaches – Technology

• The technology component requires examining hardware, software, and physical facilities for better operation and execution.
• The aim is to ensure that the hardware or software purchased is cost-effective, meaningful, and useful.
• To determine whether a top-down or bottom-up approach is more suitable, one should consider the total cost of ownership (TCO) and the associated return on investment (ROI) with regard to the 3 components.
• A common approach is to focus on technology, where the initial cost of investment is substantial and ongoing maintenance is required.



Key Components of Info Assurance Approaches – Technology

• Example 1: high TCO & low ROI due to a focus on technology over people and process
  - Freshly installed tools become obsolete, but no people are trained to operate them.
• Example 2: high TCO & high ROI
  - Hiring info assurance employees, directing them to write policies, standards, and procedures, and having them perform a risk assessment; the organization then determines the best requirements for technology and purchases technology that meets a specific need and targets a specific risk (e.g., encryption for banking); the risk of a breach is reduced.



Levels of Controls in Managing Security
• An important element of a security program is its collection of controls.
• Each organization is unique and has its own risk profile (exposure to unique threats and vulnerabilities), business drivers, and compliance requirements; thus every security program is different.



Levels of Controls in an Info Assurance Program

Even though security programs are different, they are composed of the same generic elements (strategic, tactical, and operational levels of control).



Levels of Controls in Managing Security

• Strategic management includes security processes such as conducting risk management exercises, security awareness programs, policy development, and compliance efforts with laws and regulations.
• Tactical management examines business continuity, data classification, process management, personnel security, and risk management.
• Operational management includes areas of communication security, security of an information system life cycle, and incident response.



Levels of Controls in Managing Security

• Input for the strategic plan should not come merely from the CIO, CISO, or CSO (who is responsible for the information assurance program); support should also come from senior management personnel: the board of directors, the CEO, and the heads of business or IT functions.
• Eventually, support should come from all employees.
• This support can be stimulated by an effective security awareness program tailored to different groups of employees.



Top-Down Approach

• In a top-down approach, senior management takes security seriously and is actively involved in spreading info assurance awareness.
• They should mandate observance of the info assurance policy so that security is not just a matter of technology or an antivirus or firewall solution.
• Fortunately, that mind-set is changing slowly because of the rise in incidents such as data theft and hacking.
• By embracing a top-down approach, security is no longer a purely technical matter.



Top-Down Approach

• First step of implementation: developing and presenting an approved, shared, and documented strategic plan, which is the basic reference for continuous efforts.
• Prior to implementing security controls from the top and going through all organizational layers, senior executives should know the priority areas for control.
• Once there is a clear understanding of threats and risks to critical assets, the top-down approach should be developed, approved, and distributed as an info assurance policy.
• This policy should be endorsed and communicated formally by senior leadership and the organization’s executives.



Top-Down Approach
• Audits and info assurance policies are closely related. Audits and policy reviews should be performed regularly to check whether established information assurance policies are effective.
• Standards, guidelines, and procedures related to auditing info assurance: NIST, COBIT, ISO/IEC 27001.
• The top-down approach includes the overall strategy and the phases of implementation.
• It encourages integration, and it is easier to combine different elements in an info assurance program when the program receives demonstrated support from the highest management level.



Top-Down Approach

• Problem: it takes a longer time for approval, thus creating slower decision-making.
• Consequence: technology advances rapidly; the slowness may lead to poor technical decisions, and the organization ends up using an out-of-date solution.
• How to avoid this? Via a rapid, enforceable decision-making process such as change management boards.
• This approach is becoming predominant because senior management has become aware that serious personal consequences (such as large fines or even jail time) may result from a lack of attention to regulatory compliance relating to info assurance.



Bottom-Up Approach

• A bottom-up approach refers to a situation in which a functional department or unit adopts strategic, operational, or tactical management to develop a security program without senior management support and direction.
• It is good for areas that need immediate security attention because of high risk or available budget.
• Since this approach focuses fully on technology or operational controls, it is more effective at addressing daily operational requirements.



Bottom-Up Approach
• This approach is better when there is a clear indication that implementers’ resistance to change stems from insecurity, such as anxiety about losing jobs because of a potential merger.
• Linking the elements in a bottom-up approach creates a larger process, part, or system, which is effective for faster integration.
• Challenges: gaining the support of senior managers; managers’ fears of losing respect and authority.
• Even though this approach may be desirable under certain circumstances, management should be informed about progress and the decisions made.
• ISO 27001 embraces the use of a top-down approach, where management’s involvement and oversight are required throughout the security improvement life cycle.



Outsourcing and the Cloud

• When outsourcing or using cloud services, a top-down approach is mandatory.
• Senior leadership must set the tone surrounding the security expectations of any business partner, outsourced solution, or cloud provider, and is responsible for the performance of security functions by its cloud or outsourcing partners.
• Use frameworks by ISACA, the Cloud Security Alliance (CSA), and the U.S. NIST. These frameworks help ask the important security questions.
• Information will be subject to the laws and regulations of the organization’s headquarters, the outsourcing partner, and the cloud provider.



Balancing Info Assurance and Associated Costs

• The fact that it is not straightforward to calculate a return on security investment (ROSI) makes keeping management support more difficult.
• Prior to applying a top-down or bottom-up approach, an organization needs to analyze the associated factors and costs of protecting information.
• Factors such as performance, availability, and coverage are part of the analysis. There is potential for trade-off analysis; e.g., an organization with a higher level of reliance on the availability of information and wider control coverage would require a larger investment.



Balancing Info Assurance and Associated Costs

• Ideally, the requirements definition process should start from the top, aligning with the business objectives.
• This type of investment is good since it examines the overall info assurance posture and the immediate controls required.
• Bottom-up investment does not emphasize prioritized investments in security controls; it is the opposite of top-down investment.
• Making clear decisions based on a bottom-up investment strategy leads to questions about the thoroughness of the review of the organization’s needs.



Balancing Info Assurance and Associated Costs

• Senior management needs to consider the impact on the organization if risks are not adequately mitigated.
• Organizations must be proactive and avoid giving attention and resources to info assurance deficiencies only after a breach has occurred.
• From a customer viewpoint, organizations should take full advantage of productivity and opportunity by deploying proper controls to ensure continuity and to increase customer trust and usage.



Balancing Info Assurance and Associated Costs
• Finally, organizations should protect not only their own and their customers’ assets but also the associated brands, networks, and web sites.
• End-to-end security is necessary to preserve customer confidence and encourage online usage, and to avoid regulatory penalties, financial liabilities, and consequential losses.
• End-to-end security refers to a situation where information from the sender is encrypted and secured from the moment it is created, through storage and transmission, until it is received at the destination.



Summary

• Have considered:
  - Key Components of Info Assurance Approaches
  - Levels of Controls in Managing Security
  - Top-Down Approach
  - Bottom-Up Approach
  - Outsourcing and the Cloud
  - Balancing Info Assurance and Associated Costs
