Information Assurance Considerations

To develop a comprehensive set of security policies, start with the goals of information security: confidentiality, integrity, and availability. Information assurance (IA) tenets also include nonrepudiation and authentication.

One of the prime objectives of the information security program is to assure that information is protected. Ensuring confidentiality means limiting access to information to authorized users only. The integrity of the information must also be maintained so that it can be trusted for decision making. A system is considered to have integrity when you can trust that any modifications to the data were intentional changes made by authorized users or business processes. Availability ensures the information is accessible to authorized users when required. Nonrepudiation ensures that an individual cannot deny or dispute being part of a transaction. Finally, authentication is the ability to verify the identity of a user or device.

FYI

The goals of information security—confidentiality, integrity, and availability—are often referred to as the C-I-A triad. However, if you use the abbreviation C-I-A, make sure people understand you’re referring to “confidentiality, integrity, and availability.”

To meet information assurance needs, your framework should include policies for the following:

  • Automation of security controls, where possible.
  • Implementation of appropriate accounting and other integrity controls.
  • Controls that handle unexpected conditions that arise while a system is operating. This should include error handling that does not lower the security level the system is expected to maintain. Fail-secure rather than fail-safe is better for protecting information systems.
  • Development of systems that detect and thwart attempts to perform unauthorized activity.
  • Assurance of a level of uptime of all systems.

The following sections address the tenets of IA from a policy framework perspective.

NOTE

The more fine-grained a policy is, the easier it is to automate enforcement. For example, if an email server requires a specific configuration to be considered secure, a monitoring tool or agent on the server can report on the configuration and relay this to compliance personnel.

Confidentiality

Confidentiality broadly means limiting disclosure of information to authorized individuals. This could include protecting the privacy of personal data and proprietary information. To meet confidentiality requirements, your security objectives must be specific, concrete, and well defined. Consider the goal of confidentiality as applied to email as an example. You might have an objective of ensuring that all sensitive information is protected against eavesdropping. You implement this by requiring that users encrypt all emails containing sensitive information and ensuring that only authorized individuals have access to the key to decrypt the messages.

Write objectives so they are clear and achievable. Security objectives should consist of a series of statements that describe meaningful actions about specific resources. These objectives are often based on meeting business functions. In addition, they should state the security actions needed to support the requirements.
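The email objective above is concrete enough to be checked mechanically. The following Python script is an added example, not from the book: it turns that objective into a check over a batch of outgoing message records. The message records, the key registry, the set of cleared people and the field names are all constructed for illustration.

```python
"""Constructed example: checking outgoing mail against a confidentiality objective.

The objective: every message containing sensitive information must be encrypted,
and only authorized individuals may hold the decryption key. Message records,
the key registry and the cleared-people list below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Message:
    msg_id: str
    sender: str
    recipients: List[str]
    sensitive: bool                        # classification decided upstream (e.g. a DLP label)
    encrypted_to_key: Optional[str] = None  # key id the body was encrypted to, or None


# Constructed key registry: key id -> people who hold the decryption key.
KEY_HOLDERS: Dict[str, Set[str]] = {
    "key-finance-2024": {"alice@example.com", "bob@example.com"},
    "key-shared-oops": {"alice@example.com", "mallory@example.com"},
}

# Constructed list of people cleared for sensitive information.
AUTHORIZED: Set[str] = {"alice@example.com", "bob@example.com", "carol@example.com"}


def check_message(msg: Message) -> List[str]:
    """Return the objective violations for one message (empty list = compliant)."""
    violations: List[str] = []
    if not msg.sensitive:
        return violations  # the objective only constrains sensitive mail
    if msg.encrypted_to_key is None:
        violations.append(f"{msg.msg_id}: sensitive message sent unencrypted")
        return violations
    holders = KEY_HOLDERS.get(msg.encrypted_to_key)
    if holders is None:
        violations.append(f"{msg.msg_id}: encrypted to unknown key {msg.encrypted_to_key}")
        return violations
    # Anyone holding the key who is not cleared can read the message: a disclosure.
    for person in sorted(holders - AUTHORIZED):
        violations.append(f"{msg.msg_id}: key holder {person} is not authorized")
    # A recipient without the key cannot decrypt; usually the wrong key was chosen.
    for rcpt in msg.recipients:
        if rcpt not in holders:
            violations.append(f"{msg.msg_id}: recipient {rcpt} cannot decrypt (not a key holder)")
    return violations


def audit(messages: List[Message]) -> Dict[str, List[str]]:
    """Run the check over a batch; return {msg_id: violations} for non-compliant messages."""
    report: Dict[str, List[str]] = {}
    for m in messages:
        v = check_message(m)
        if v:
            report[m.msg_id] = v
    return report


# Constructed sample batch: one compliant message, one unencrypted, one encrypted
# to a key shared with an uncleared person, and one non-sensitive message.
SAMPLE = [
    Message("m1", "alice@example.com", ["bob@example.com"], True, "key-finance-2024"),
    Message("m2", "alice@example.com", ["bob@example.com"], True),
    Message("m3", "alice@example.com", ["mallory@example.com"], True, "key-shared-oops"),
    Message("m4", "alice@example.com", ["dave@example.com"], False),
]

if __name__ == "__main__":
    for msg_id, problems in audit(SAMPLE).items():
        print(msg_id, problems)
```

The point of the example is that the objective as written names the resource (sensitive email), the action (encrypt) and the constraint on the key, so each clause maps to one branch of the check; an objective phrased as "protect email adequately" would give nothing to code against.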

Integrity

Integrity refers to guarding against improper modification or destruction of data. One way to meet integrity requirements is to define operational policies that list the rules for operating a system. Access control rules in the form of permissions are often used to achieve this goal. Integrity can be achieved by limiting the type of permission to only certain accounts. For example, you might have a file that is widely accessible to read but that only a few individuals have permission to modify.
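To make the "widely readable, modifiable by few" rule concrete, here is an added Python example (not from the book) that applies that rule to a file as POSIX permissions, records a trusted baseline of mode and content hash, and then detects both an unauthorized content change and a loosening of the permissions. The file, its contents and the required mode (0644) are constructed for the illustration.

```python
"""Constructed example: enforce and verify 'many can read, few can modify' on a file,
and detect changes made outside the authorized process with a hash baseline.
Paths and file contents are temporary and constructed for illustration."""
import hashlib
import os
import stat
import tempfile
from typing import Dict, List

# Policy for the file class described in the text: world-readable, owner-writable only.
REQUIRED_MODE = 0o644
FORBIDDEN_BITS = stat.S_IWGRP | stat.S_IWOTH  # neither group nor others may write


def sha256_of(path: str) -> str:
    """Hash the file contents so later modifications can be detected."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_permissions(path: str) -> List[str]:
    """Return violations of the read-widely / modify-narrowly rule for one file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    problems = []
    if mode & FORBIDDEN_BITS:
        problems.append(f"{path}: writable by group/other (mode {oct(mode)})")
    if not (mode & stat.S_IROTH):
        problems.append(f"{path}: not world-readable (mode {oct(mode)})")
    return problems


def build_baseline(paths: List[str]) -> Dict[str, Dict[str, object]]:
    """Record the trusted state (mode and content hash) of each file."""
    return {p: {"mode": stat.S_IMODE(os.stat(p).st_mode), "sha256": sha256_of(p)} for p in paths}


def verify_baseline(baseline: Dict[str, Dict[str, object]]) -> List[str]:
    """Compare the current state of each file to its baseline; return integrity findings."""
    findings = []
    for p, expected in baseline.items():
        if not os.path.exists(p):
            findings.append(f"{p}: missing")
            continue
        cur_mode = stat.S_IMODE(os.stat(p).st_mode)
        if cur_mode != expected["mode"]:
            findings.append(f"{p}: mode changed {oct(expected['mode'])} -> {oct(cur_mode)}")
        if sha256_of(p) != expected["sha256"]:
            findings.append(f"{p}: content changed (hash mismatch)")
    return findings


def demo():
    """Create a compliant file and baseline it, then simulate an unauthorized edit
    plus a permission loosening; return (permission problems, baseline findings)."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "price_list.txt")
    with open(path, "w") as f:
        f.write("widget,10.00\n")
    os.chmod(path, REQUIRED_MODE)
    if check_permissions(path):
        raise RuntimeError("freshly created file should comply with the policy")
    baseline = build_baseline([path])
    # Simulated unauthorized change: contents edited and file made group-writable.
    with open(path, "a") as f:
        f.write("widget,1.00\n")
    os.chmod(path, 0o664)
    return check_permissions(path), verify_baseline(baseline)


if __name__ == "__main__":
    perms, findings = demo()
    print("permission problems:", perms)
    print("baseline findings:", findings)
```

Permissions alone only say who is allowed to write; the hash baseline is what lets you tell afterwards whether a change actually happened, which is the evidence an integrity policy needs when deciding whether the data can still be trusted.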

Managers must make decisions when developing policies because it is unlikely that all security objectives will be fully met. Consider the degree of granularity needed for operational security policies. Granularity indicates how specific the policy is regarding resources or rules. The more granular the policy, the easier it is to enforce and to detect violations. A more granular policy involves security controls over a specific element of technology. It might describe all the settings needed to configure a device or system securely. Checking it only requires ensuring that the settings are still in place. A less granular policy does not provide many details about a specific control, which allows people to determine how to comply. With less granular policies, it’s more difficult to prove compliance, because each situation differs.

It’s important to find and maintain the right level of granularity in security policies. The advantage of less granular policies is that they can be applied to broad sets of circumstances. Yes, they are subject to more interpretation. But when unknown conditions arise, they can be used broadly to control emerging risks. In contrast, very granular policies most likely will not address emerging risks precisely. They may be less helpful to users trying to figure out how to deal with new threats.
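The NOTE above (an agent reporting an email server's configuration to compliance personnel) and the granularity discussion here describe the same thing from two sides: a granular policy is a list of settings that can be checked by comparing reported values with expected ones, while a less granular rule has to be reviewed by a person. The Python below is an added example, not from the book, that writes both kinds of rule in one structure and evaluates them against a reported configuration. The setting names, values and the policy rules are constructed for illustration and do not describe any real mail product.

```python
"""Constructed example: a granular policy as machine-checkable rules for a hypothetical
email server, beside a less granular rule that can only be flagged for manual review.
Setting names and values are constructed for illustration."""
from typing import Any, Callable, Dict, List, Optional, Tuple

# A rule is (description, check). check is None for a non-granular rule that a person
# must interpret; the report then lists it under "manual" instead of pass/fail.
Rule = Tuple[str, Optional[Callable[[Any], bool]]]

GRANULAR_POLICY: Dict[str, Rule] = {
    "tls.min_version": ("TLS 1.2 or newer for SMTP submission", lambda v: v in {"1.2", "1.3"}),
    "auth.required": ("SMTP AUTH required for submission", lambda v: v is True),
    "relay.open": ("Open relay disabled", lambda v: v is False),
    "log.retention_days": ("Logs kept at least 90 days", lambda v: isinstance(v, int) and v >= 90),
}

LESS_GRANULAR_POLICY: Dict[str, Rule] = {
    "encryption": ("Mail in transit must be adequately protected", None),
}


def evaluate(policy: Dict[str, Rule], observed: Dict[str, Any]) -> Dict[str, List[str]]:
    """Evaluate a policy against a reported configuration.

    Returns {"pass": [...], "fail": [...], "manual": [...]}. A setting the agent did not
    report counts as a failure: absence of evidence is not compliance."""
    result: Dict[str, List[str]] = {"pass": [], "fail": [], "manual": []}
    for key, (desc, check) in policy.items():
        if check is None:
            result["manual"].append(f"{key}: {desc}")
        elif key not in observed:
            result["fail"].append(f"{key}: {desc} (setting not reported)")
        elif check(observed[key]):
            result["pass"].append(key)
        else:
            result["fail"].append(f"{key}: {desc} (observed {observed[key]!r})")
    return result


# Constructed snapshot as a monitoring agent on the server might report it.
OBSERVED: Dict[str, Any] = {
    "tls.min_version": "1.0",
    "auth.required": True,
    "relay.open": False,
    # log.retention_days is deliberately absent: the agent could not read it
}

if __name__ == "__main__":
    combined = {**GRANULAR_POLICY, **LESS_GRANULAR_POLICY}
    for bucket, items in evaluate(combined, OBSERVED).items():
        print(bucket, items)
```

Each granular rule produces a definite pass or fail with the observed value attached, which is exactly the proof of compliance the text says is hard to obtain from a broad rule; the broad rule still has value for situations the granular list never anticipated, but it lands in the manual bucket every time.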

A formal policy is published as a distinct policy document. A less formal policy may be written in a memo. An informal policy might not be written at all. Unwritten policies are extremely difficult to follow or enforce. On the other hand, very granular and formal policies are an administrative burden. In general, best practice suggests a granular formal statement of access privileges for a system because of its complexity and importance.

Availability

Availability is the timely and reliable accessibility of information. To meet requirements for availability, your policy framework may include documents specifying when and how systems must be accessible to internal and external users. This can lead to different solutions for different needs; for example, external users require different forms of access than internal users. An external user might be required to use a virtual private network (VPN), for instance, to access the internal network.
