
CSIT341L - INFORMATION ASSURANCE AND SECURITY
Few Reminders (House Rules)
01 Avoid eating during class.
02 Look at the camera. Be an active listener, take notes.
03 Raise your hand if you would like to ask or answer.
04 Wait for the moderator to acknowledge you before you speak.
Let's catch up with each other…
COURSE DESCRIPTION

• This course provides the foundations of information assurance and security from a business perspective. Topics covered include human factors, compliance with regulations, personnel security, risk assessment and ethical considerations.
Discussion of GRADING SYSTEM
• The Colegio maintains the same grading system.
• The formula for computing the Final Grade is as follows:
Final Grade = Major Exam (40%) + Quiz (30%) + Assessment Task (30%)

Example:
• The Major Examination will cover the topics from week 1 to week 5 and is administered in the last session.
• No. of Quizzes for MWF: 10 quizzes per period
• No. of Assessment Tasks: 6 per period
1. Define:
a. Information Assurance
b. Information Security
2. Explain the important role of information systems in the infrastructure of any business.
3. What are the five pillars of information assurance?
4. Why is information assurance needed?
Lesson Outline:
I. Recall on the meaning of information and data.
II. Definition of Information Assurance (IA)
III. Four domains of IA
IV. Aspects of IA
Let us take a look at this…
• Suppose you visit an e-commerce website such as your bank, online store, or other e-businesses.
• Before you type in sensitive information, you’d like to have some assurance that your information will be protected. Do you (have such assurance)? How can you know?
• What security-relevant things do you want to happen, or not happen, when you use such a website?
Which of these do you think fall under Information Assurance?
• Privacy of your data
• Protection against phishing (an attack often used to steal user data, including login credentials and credit card numbers)
• Integrity of your data
• Authentication
• Authorization
• Confidentiality
• Availability
• What else?
System Quality
According to ISO/IEC Standard 9126-1 (Software Engineering—Product Quality), the following are all aspects of system quality:
• functionality
• adequacy
• interoperability
• correctness
• security
• reliability
• usability
• efficiency
• maintainability
• portability
Which of these do you think apply to IA?
What is Information?
• This course is about Information Assurance; so let us first understand what “information” is. How does information differ from data?
• “Information is data endowed with relevance and purpose. Converting data into information thus requires knowledge. Knowledge by definition is specialized.” (Blyth and Kovacich)
• And what characteristics should information possess to be useful? It should be: accurate, timely, complete, verifiable, consistent, available.
What is Information?
According to Raggad, the following are all distinct conceptual resources:
• Noise: raw facts with an unknown coding system
• Data: raw facts with a known coding system
• Information: processed data
• Knowledge: accepted facts, principles, or rules of thumb that are useful for specific domains. Knowledge can be the result of implications produced from simple information facts.
What about “assurance”? What does that mean? Assurance from what or to do what?

Information Assurance
According to the U.S. Department of Defense, IA involves:
Actions taken that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality and non-repudiation. This includes providing for restoration of information systems by incorporating protection, detection and reaction capabilities.

Non-repudiation is the assurance that someone cannot deny the validity of something.
Information Assurance
Information Assurance (IA) is the study of how to protect your information assets from destruction, degradation, manipulation and exploitation, but also how to recover should any of those happen.
According to the DoD definition, these are some aspects of information needing protection:

1. Availability: timely, reliable access to data and information services for authorized users;
2. Integrity: protection against unauthorized modification or destruction of information;
3. Confidentiality: assurance that information is not disclosed to unauthorized persons;
4. Authentication: security measures to establish the validity of a transmission, message, or originator;
5. Non-repudiation: assurance that the sender is provided with proof of data delivery and the recipient is provided with proof of the sender’s identity, so that neither can later deny having processed the data.
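The difference between integrity, authentication and non-repudiation is easiest to see in code. The following is an added teaching example written for these notes, not material from the slides or from the DoD definition; it uses only Python's standard library, and the two parties ("Alice" sending a payment instruction, her bank "Bob" receiving it), the shared key and the messages are constructed for illustration. A plain hash gives integrity only; an HMAC with a shared key adds authentication; but because the recipient holds the same key, a valid HMAC cannot prove to a third party who produced it, which is the (origin side of the) non-repudiation property that only an asymmetric signature provides.

```python
"""Integrity vs. authentication vs. non-repudiation with hashlib/hmac.
Added teaching example; parties, key and messages are constructed."""
import hashlib
import hmac
import os

# Constructed sample: a payment instruction Alice sends to her bank ("Bob").
ORIGINAL = b"transfer 100 PHP to account 12345"
TAMPERED = b"transfer 900 PHP to account 12345"


def digest(message: bytes) -> str:
    """Integrity only: SHA-256 detects a changed message, but contains no
    secret, so whoever alters the message can recompute a matching digest.
    The digest is only useful if it travels over a channel the attacker
    cannot modify."""
    return hashlib.sha256(message).hexdigest()


def integrity_check(message: bytes, expected_digest: str) -> bool:
    return hmac.compare_digest(digest(message), expected_digest)


def mac(message: bytes, key: bytes) -> str:
    """Integrity + authentication: an HMAC tag can only be produced by a
    holder of the shared key, so a valid tag shows the message came from a
    key holder and was not altered in transit."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_mac(message: bytes, key: bytes, tag: str) -> bool:
    # compare_digest avoids leaking information through comparison timing.
    return hmac.compare_digest(mac(message, key), tag)


def demo() -> dict:
    key = os.urandom(32)  # constructed: shared between Alice and Bob

    # 1. Integrity: the digest catches the tampered message...
    d = digest(ORIGINAL)
    tampered_caught = not integrity_check(TAMPERED, d)
    # ...but if the digest can be replaced along with the message,
    # the check passes, because a hash has no secret in it.
    forged_digest_accepted = integrity_check(TAMPERED, digest(TAMPERED))

    # 2. Authentication: without the shared key no valid tag can be made.
    tag = mac(ORIGINAL, key)
    genuine_accepted = verify_mac(ORIGINAL, key, tag)
    outsider_rejected = not verify_mac(TAMPERED, key, mac(TAMPERED, os.urandom(32)))

    # 3. Non-repudiation gap: Bob holds the same key, so a tag Bob computes
    #    is indistinguishable from one Alice would have produced.  A valid
    #    tag therefore cannot prove to an auditor that Alice, rather than
    #    Bob, sent the message; for that, only Alice may hold the signing
    #    key (an asymmetric digital signature).
    recipient_tag_accepted = verify_mac(TAMPERED, key, mac(TAMPERED, key))

    return {
        "tampered_caught": tampered_caught,
        "forged_digest_accepted": forged_digest_accepted,
        "genuine_accepted": genuine_accepted,
        "outsider_rejected": outsider_rejected,
        "recipient_tag_accepted": recipient_tag_accepted,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the block prints five booleans; the last one is the point of the exercise: `recipient_tag_accepted` is True, which is exactly why a shared-secret MAC satisfies pillar 4 (authentication) but not pillar 5 (non-repudiation).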
A Different View of IA
• According to Debra Herrmann (Complete Guide to Security and Privacy Metrics), IA should be viewed as spanning four security engineering domains:
• physical security
• personnel security
• IT security
• operational security
Into which of these would you put the following?
1. enforcing hard-to-guess passwords
2. encrypting your hard drive
3. locking sensitive documents in a safe place
4. stationing a marine guard outside an embassy
5. assigning security clearances to staffers
6. using SSL for data transfers
7. having off-site backup of documents
Security Domains
Quotes from Debra Herrmann, Complete Guide to Security and Privacy Metrics:
• “Physical security refers to the protection of hardware, software, and data against physical threats to reduce or prevent disruptions to operations and services and loss of assets.”
• “Personnel security is a variety of ongoing measures taken to reduce the likelihood and severity of accidental and intentional alteration, destruction, misappropriation, misuse, misconfiguration, unauthorized distribution, and unavailability of an organization’s logical and physical assets, as the result of action or inaction by insiders and known outsiders, such as business partners.”
• “IT security is the inherent technical features and functions that collectively contribute to an IT infrastructure achieving and sustaining confidentiality, integrity, availability, accountability, authenticity, and reliability.”
• “Operational security involves the implementation of standard operational security procedures that define the nature and frequency of the interaction between users, systems, and system resources, the purpose of which is to
• achieve and sustain a known secure system state at all times; and
• prevent accidental or intentional theft, release, destruction, alteration, misuse, or sabotage of system resources.”
IA Overview
Thus, IA includes aspects of:
• COMPSEC: computer security;
• COMSEC: communications and network security;
• ITSEC: IT security (which includes both COMPSEC and COMSEC);
• OPSEC: operations security.
Assessment Task #1
Table 1
INSTRUCTIONS:
• Using the different actions in Table 1, research three (3) circumstances that would relate to each action.
• You may get this circumstance (real scenario) from a news item or a blog.
• Cite the source.
• Submission is until Sept. 17 (Fri).
• Filename: Lastname_AT1.pdf
• Example: DelaCruz_AT1.pdf
• Format of the content: 12pt, Arial, Justify, 1.5 spacing
Email @ matanacio.2020@gmail.com
END OF SESSION
