Introduction
Information assurance is not my problem, and it is not your problem. It is an ever-increasing problem for everyone—you, home businesses, small enterprises, large businesses, economies, and governments are all at risk. Think of it this way: Information and data in all forms are assets, and you are obliged to protect your assets. Of course, as you run your enterprise, your security efforts do not show up on the bottom line—unless something goes wrong. All information assurance tools and mechanisms required by the largest enterprises are useful at a different scale by the smallest. This book allows you to select from a broad spectrum of information assurance tools to protect assets, manage risk, and provide competitive advantage. While reading, you will see the “juggling leader” as a callout for concepts that warrant special attention for those wearing many hats. She will point out useful subject matter for people juggling several roles.
Read This Book
If you run a one-person enterprise, you must perform a constant balancing act or become a one-man band and keep your focus on the overall success of the enterprise. At a minimum, you must have a plan for what you would do if something destroyed all your records or if a virus took over your computers or if a competitor took your list of prospects or…well, you get the idea. Information assurance must be part of your enterprise planning. You must make yourself do information assurance if you are to remain viable and competitive!
Read This Book
If you run a small to medium enterprise, you may be able to have some specialization among your employees. This is like having a low-budget jazzband or a classic ensemble where the musicians all wait tables in a restaurant on the side (using the same tux for both jobs). If you are lucky, you might have someone who is in charge of information technology. This individual must devote part of their time to information assurance and may provide some leadership, but they also have to support employees and customers. They have help, but you must provide direction and leadership. For example, your accounting staff, your marketing staff, and your production staff will have a role in information assurance, but they must all be going in the same direction. Remember, they will all plead that information assurance is not their job. You as a leader must set the example and the tone from the top. Information assurance must be part of your enterprise planning. You must provide leadership and encourage an information assurance culture. How?
Read This Book
If you run a large enterprise, you have all the challenges of protecting your information assets through a CIO. While the CIO may have good intentions, understanding information assurance and being able to speak its language is invaluable when explaining problems, opportunities, and risk to technical professionals. Information assurance must be part of your enterprise planning. It must be central to your information technology strategy. You must provide leadership and encourage an information assurance culture. In today’s competitive and global marketplace, even large enterprises that have existed for years without a formal information assurance function can stumble and fail rapidly because of a breach or cyberattack.
Consider information assurance as a professional symphony orchestra: It has all the attributes of an ensemble and a one-man band. Each group can select more or less complex versions of the music just as you can choose lessons from this book. Take what you need, but read through the book from time to time to see what you might be missing. No matter what, have a plan, execute it, mitigate risk, succeed. Half the battle is choosing the right questions to ask at the right time! This book aims to arm the senior leaders of the organization with the strategic tools to help have constructive discussions around information risk, assurance, and strategy. The conductor of an orchestra doesn’t need to understand how to play every instrument. However, she must understand the basic sounds, notes, combinations, and types of music best performed by specific instruments. It is essential that all of this is done in perfect harmony.
This book takes a similar approach with information assurance. Reading it will not make a senior leader a cyberninja with deep technical skills. It will, however, create a leader with a strong information assurance strategic understanding who can call in the right combination of skills, experience, and background to meet today’s toughest risk management challenges. Remember, the Spartans were amazing soldiers and well-trained in a narrow field. They had numerous amazing battles we remember today; ultimately, though, they were defeated by forces that understood not only warfare but how to mix strategic resources to mitigate risk and deliver results! If you are already experienced with the technology portion of the information assurance profession, reading this book will help you understand what your senior management is trying to do through their strategic planning.
Purpose
Enterprises of all sizes are under increasing competitive pressure to leverage data, information, and communication technology infrastructure to achieve their vision. The well-planned implementation of secure information technology will have a large positive impact on the socio-economic development of an organization and its partners. While information technology (IT) clearly revolutionizes businesses and strengthens governments, it introduces risks.
To make the IT investment pay off, senior management must address and manage risks systematically and economically. Assuring the information assets have integrity, are available, and are confidential presents a significant challenge to even seasoned executives; improvement in this area is a continuous effort. The strategic approach and controls explained provide an executive view of information assurance. The controls and strategic approach are also expected to guide an overall strategy for safeguarding vital information assets and critical functions of an organization.
The essentials of information assurance have been identified and mapped for the senior management and executives of an organization. Our approach to information assurance is broad to ensure that the contents are relevant to organizations of various sizes, complexities, and industries. Assuring information and providing security is an ongoing process; an organization’s information assurance policy is an instantiation of a living organizational strategy and helps management establish an organization’s risk management strategy.
We have provided best practices and guidelines to assist in preventing, detecting, containing, correcting, and recovering from inevitable security breaches and other information assurance failures. By providing a broad overview of threats, information assurance concepts, and risk management approaches, organizations may use the information presented to strengthen their information assurance risk posture. An organization’s mission and objectives are always put first if information assurance is pervasive and not invasive in the organizational culture.
The information presented is designed to reach a broad audience; the content does not provide detailed implementation procedures for security controls nor does it prescribe minimum compliance requirements or penalties for noncompliance. Guidance is provided to management to seek an in-depth solution for their particular challenges. Organizations should seek professional opinions from appropriately certified professionals before implementing security controls that are in accordance with their risk profiles and business objectives.
No matter the size of your enterprise, investing in information assurance controls requires a commitment of limited finances, time, and human resources. It may not be feasible for organizations to invest in all areas of information assurance. The information provided is intended to foster discussion around possible approaches and help organizations prioritize areas for improvement.
The information assurance strategic approach and associated controls provide fundamental information and guidelines for senior management and executives of organizations. The approach outlined provides guidance for protecting information system–based assets (including information, software, and hardware) by describing the interrelationships and provides a comparison analysis of information assurance elements. Executives and senior management who need quick and broad overviews on information assurance–related matters will find this resource useful.
Scope
The material presented is useful to organizations independent of the following:
• Nature of business (telecommunication, education, utility, health, defense)
• Size (small, medium, large)
• Type (commercial, government agencies, nonprofit)
Guidelines are provided for managing information assurance, and we demonstrate a comprehensive approach to identifying, applying, and controlling information assurance initiatives. Common threats and vulnerabilities are discussed as you are guided through a comprehensive list of applicable controls for an organization as a function of its risk profiles.
The approach offered does not go in-depth into implementation procedures. Organizations should view the strategy and controls offered as advisory and use the contents as a starting point to manage its assurance exposures. The strategy and controls are vendor-independent and are not specific to any technology. Every section includes critical thinking questions. These questions are intended to guide you in applying the material discussed to their organization or mission.
Intended Audience
The strategy presented provides a foundation for a broad audience—experienced and inexperienced, technical and nontechnical—who invest in, monitor, administer, support, manage, audit, assess, design, and implement information assurance within their enterprise. These personnel include the following:
• Anyone within an enterprise who wants to know more about information assurance and who is responsible for planning, managing, implementing, operating, and improving the information assurance management system
• Anyone who wants to be able to identify and manage risk
• Business owners and mission owners who rely on information systems but may not have a good understanding of IT risk and how to manage it
• Chief information officer (CIO), who ensures the implementation of information assurance for an organization’s information systems
• Chief risk officer (CRO), who needs to be able to identify and manage enterprise risk
• Contract officers, program managers, and acquisition professionals who are responsible for the IT procurement process
• Enterprise owners ranging from single proprietors to small and medium businesses who want to protect their assets and manage risk
• Information assurance program manager or chief security officer (CSO) and the chief information security officer (CISO), who implement the security program
• IT auditors who audit the systems and ensure compliance with the relevant policies and regulations
• New employees who want to understand why their organization has so many rules, policies, and guidelines
• Senior management, executives, or business owners, who plan and approve budget and set business strategy and objectives
• System and information owners, who are entrusted to protect information and information systems in accordance with the protection requirements stipulated
• Technical support personnel (such as application, system, network, and database administrators), who manage and administer security for the information systems
• Anyone who must balance information assurance and their primary job responsibilities
Throughout the book, there are opportunities for you to challenge yourself with critical thinking exercises. The answers to these questions are not right or wrong; they are intended to stimulate your thinking about information assurance. Responses for each question are included in the appendix section of the book.
William Shakespeare told us that “one man in his time plays many parts” and so it is in information assurance. The list of roles appears daunting; however, no matter the size of the organization, someone has to perform the roles.
Overview
We have organized the contents into six parts. Each of these parts is divided into several chapters focused on essentials. Since each chapter is designed to be self-standing, each chapter has a set of critical thinking exercises for self-assessment and a selection of further readings. In general, this structure models an organizational strategy for information assurance (see Figure 1).
Figure 1 Organization of information
Part I: Information Assurance Basics
Part I introduces the essential-to-know matters in information assurance including the need for information assurance, popular concepts, and approaches. Relationships among fundamentals such as assets, threats, vulnerabilities, risks, and controls are discussed. Since there are several interpretations of the terms information assurance, information security, and cybersecurity, we have developed a model showing the relationship among them. Different types of security professionals and professional organizations will also be discussed. It is important to understand the information assurance management system (IAMS) and how information assurance is a continuous process. This part ends with a discussion of current practices and regulations in the existing competitive market and information technology landscape.
Part II: Information Assurance Planning Process
Part II focuses on important areas for information assurance planning. It describes approaches for implementing information assurance and highlights the importance of an organization’s information assurance policy. Once an organization starts to embrace information assurance, it must consider the best framework to implement. This part also explains the importance of asset management, risk management, and human resource security. It concludes with a discussion on why organizations should consider certification and accreditation as part of their information assurance program.
Part III: Risk Mitigation Process
Part III focuses on the prevention process and helps organizations identify processes to be implemented. Following this, the order of execution is explained. Prevention is critical since it avoids information security breaches from the start. The chapters in this part discuss security issues in system development, physical and environmental security, information security awareness, training, and education. This part also discusses preventive tools, techniques, and access controls applicable to those security processes.
Part IV: Information Assurance Detection and Recovery Processes
Part IV focuses on the detection process and explains common tools and methods used to perform detection effectively. It elaborates on security audit, penetration test, and monitoring. Since it is difficult to manage things that are not measured, we highlight the importance of measurement and metrics used by organizations to check and review their information assurance posture. Additional information regarding cloud computing and outsourcing is included in this chapter.
This section also provides information on the steps used to recover from information security incidents. If preventive measures fail, organizations must continue their business and restore. Chapters in this part discuss information security incident handling, computer forensics, business continuity management, backups, and restorations. Additionally, cloud and outsourcing contingency planning will be discussed.
Part V: Application of Information Assurance to Select Industries
Part V applies at a high level the approaches explained to select industries such as healthcare, retail, and industrial control environments. By demonstrating how the information and approaches described are applied, you may adopt and apply the information more quickly to your organization.
Part VI: Appendixes
Part VI includes lists of common threats and vulnerabilities, sample security policy, sample risk analysis table, references used in developing this work, a glossary, and an index.