
Why/How to Create an Information Assurance Program: Case Study

Abstract

The availability of and access to information is significant in every company or business outfit, and certain concerns always come to the fore: what kind of information is to be made available? How is the information going to be organized? How can the organization ensure that the information released represents the judgment of its management, and give assurance that the very information required is available?

This document contains the solutions to the concerns mentioned above; an Information Assurance Program is necessary in every organization. This project explains why an information assurance program is needed in every viable company and also explores the ways it can be effected, integrated into the organization and organized. The program encompasses different models, spanning from finding the reason why such a program is needed to analyzing whether the finding is practicable. It then takes the next step by prioritizing the analyzed needs of the case study organization.

There are many models, but not all are applicable to the case study organization, as spelt out in later chapters of this write-up. The models examined in this project are those that work for any organization keen on updating and strengthening its information assurance by engaging in the program suggested here.

Table of Contents

Abstract

Table of Contents

Introduction

Principles of Information Assurance

Approaches to Information Assurance

Processes of Information Assurance

Ensuring an Effective Management Change

Software Development -- Compliance with CMMI

Data Management

Developing Information System to Suit the Case Organization

Information System Security Standards

Information System Security Models

Preparing the Information System Operators for better Operations

Cost Analysis of Undertaking Information System Security

Executive Summary

Introduction

To better understand the concept of an Information Assurance program in a company setting, the terms 'information' and 'assurance' need defining. According to the Cambridge online dictionary, information is facts about a situation, person or thing, while assurance is a promise. In a company setting, a promise is made that information will be available in an organized manner.

Information Assurance refers to a process that starts with deciding what strategy should be employed, an outline of the high-level risk that the company can tolerate, and the likely rewards that can be gained from such a strategy. Security in the workplace is a complex matter in which many other matters also vie for attention. A model must be established which will serve as the hallmark for other IT workers to follow. The procedure of Information Assurance strives to ensure responsibility for, transferability of and storage of data. The stored data must be protected, and for that to be enshrined, certain models must be followed. Amongst the models construed by the government, the most notable one is called the 'Triad Model'. It is based on three principles: confidentiality, integrity and availability. These principles still form the building blocks of information security. In the case study organization, these principles apply to every information and data management strategy in all departments. Other models are, of course, also useful, but for the sake of the case study organization, the 'Hexad' and 'Triad' models shall be fully considered (SACA, 2006; Thomas, 2001).

Principles of Information Assurance

Confidentiality

This aspect of the triad model spells out the access level anyone has to certain information and the permission level that goes with it. For information to be accorded any manner of confidentiality, it must be genuinely private and confidential in nature. It is a principle based on company ethics, under which the unrestricted dissemination of information to a third party is disallowed. Restrictions are usually placed on accessing information without authorization. Confidentiality can also be said to be the cornerstone of information security in today's business corporations (Harwood, 2006).

Integrity

This is another ingredient of security and assurance. It refers to data being handled accurately and consistently, without problems arising from changes in an updated version of the data. It can also mean that the information has not been tampered with, meaning that it is whole (Parker, 2000).

Through the use of standard rules and regulations, integrity is enforced on the database during its design. It is important to consider that while trying to enforce integrity, unforeseen loopholes are inevitable, but they can be minimized by the following methods:

Regular data back-up

Designing the database with the ability to detect invalid data input

Controlling data flow and access with a security mechanism

Using software that checks for and corrects errors.

By installing software that...
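The second method in that list, a database designed to detect invalid input, can be implemented with declarative constraints so that no application code path can forget the check. This is an added example, not code from the essay; the SQLite schema, the three department names and the sample rows are constructed for illustration:

```python
"""Integrity enforced at database design time, as the text describes.

Added illustration (not from the original essay): a constructed SQLite
schema whose NOT NULL and CHECK constraints make the database itself
detect and reject invalid input before anything is stored.
"""
import sqlite3

SCHEMA = """
CREATE TABLE employee (
    staff_id   INTEGER PRIMARY KEY,
    email      TEXT NOT NULL CHECK (email LIKE '%_@_%._%'),
    department TEXT NOT NULL CHECK (department IN ('admin', 'data', 'personnel')),
    clearance  INTEGER NOT NULL CHECK (clearance BETWEEN 0 AND 3)
);
"""

def open_db():
    """Create an in-memory database carrying the integrity-checked schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def insert_employee(conn, email, department, clearance):
    """Attempt an insert; return (accepted, reason).
    The constraints do the validation: an invalid row raises
    IntegrityError and the transaction is rolled back."""
    try:
        with conn:  # commits on success, rolls back on error
            conn.execute(
                "INSERT INTO employee (email, department, clearance) VALUES (?, ?, ?)",
                (email, department, clearance),
            )
        return True, "ok"
    except sqlite3.IntegrityError as exc:
        return False, str(exc)

def row_count(conn):
    """How many rows survived the checks."""
    return conn.execute("SELECT COUNT(*) FROM employee").fetchone()[0]

if __name__ == "__main__":
    db = open_db()
    # Constructed sample input: one valid row, then three invalid ones.
    print(insert_employee(db, "ada@example.org", "data", 2))    # accepted
    print(insert_employee(db, "not-an-email", "data", 2))      # rejected: email format
    print(insert_employee(db, "bob@example.org", "sales", 1))  # rejected: unknown department
    print(insert_employee(db, "cy@example.org", "admin", 9))   # rejected: clearance out of range
    print(row_count(db))  # 1
```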

According to the former, availability is when users or people are allowed access to a computer network in their bid to access information, while in the latter, availability refers to when a user is allowed access to the power supply of a networked system serving as a server of information.

Authentication

Although not part of the 'triad model', this is an extremely important principle of information assurance. There is always a concern about 'rightful access' to certain information in an organization. Authenticity refers to the right a person has to send or receive information, and rightful access is ensured when authenticity is ensured in an organization.

Authorization

This refers to a set of instructions given to software to grant access only to the person who is permitted to view, alter and work with the information. This ensures that there is no information leakage or loss of information in transit. There are different levels of authorization; it could be high- or low-level. High-level authorization allows the respective personnel to access the information without much scrutiny. On the other hand, if a person has low-level access, he will be allowed only to view the information without altering anything in it. This serves to prevent abuse of the authorization (Thomas, 2001).
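The two sections above, authentication (is the sender or receiver who they claim to be) and authorization (which level they hold), combine into one check per request. The code below is an added example rather than the essay's own; the HMAC token scheme, the user table and the 'low'/'high' level names are assumptions made for illustration:

```python
"""Authentication then authorization, in the order the text presents them.
Added illustration (not from the original essay). The token format, the
user table and the two access levels are constructed for this example."""
import hashlib
import hmac

SECRET = b"constructed-demo-key"         # real deployments keep this out of source
LOW, HIGH = "low", "high"                # the text's two authorization levels
ALLOWED = {LOW: {"view"}, HIGH: {"view", "alter"}}
USERS = {"clerk": LOW, "manager": HIGH}  # constructed sample principals

def issue_token(user):
    """Sign the user name so a later request can prove who sent it."""
    mac = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}:{mac}"

def authenticate(token):
    """Return the user name if the token is genuine and known, else None."""
    user, _, mac = token.partition(":")
    expected = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    if user in USERS and hmac.compare_digest(mac, expected):
        return user
    return None

def authorize(user, action):
    """Deny by default: an unknown user, level or action gets nothing."""
    return action in ALLOWED.get(USERS.get(user), set())

def request(token, action, record, new_body=None):
    """Authenticate, then authorize; a denied request returns (False, None),
    leaves the record unchanged, and is written to the audit trail."""
    user = authenticate(token)
    if user is None:
        record["audit"].append(("?", action, "unauthenticated"))
        return False, None
    if not authorize(user, action):
        record["audit"].append((user, action, "denied"))
        return False, None
    if action == "alter":
        record["body"] = new_body
    record["audit"].append((user, action, "granted"))
    return True, record["body"]

if __name__ == "__main__":
    doc = {"body": "Q3 forecast: draft", "audit": []}
    print(request(issue_token("clerk"), "view", doc))                           # granted
    print(request(issue_token("clerk"), "alter", doc, "tampered"))              # denied: low level
    print(request(issue_token("manager"), "alter", doc, "Q3 forecast: final"))  # granted
    print(request("manager:deadbeef", "alter", doc, "forged"))                  # unauthenticated
    print(doc["audit"])
```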

As mentioned earlier, several models exist for different organizations, of which the shortlisted one proves to work for the case study organization. Many models have evolved through decades of use, while some are merely updated versions of old ones. Over the years, some approaches have come into existence which relate directly to the data management and application development of the case study organization. In order to secure information and minimize or tackle data management breaches, these levels of security are needed: physical security, communication security, operation security, system reliability, system safety, information security and operations security. Ensuring that these security levels are adhered to serves to prevent the abuses that may occur from uncontrolled access. It also prevents the loss of information that can result from human error or malfunctioning hardware. The case study organization is encouraged to observe these security levels.

Approaches to Information Assurance

To ensure protection of the information stored in the computer's database, an established security level is necessary, as mentioned earlier. This prevents data breaches, tampering with information and data loss.

Physical Security

Simply put, this is protecting the computer hardware and its peripherals from damage and theft, so as to avoid loss of data and/or disruption of the computer's operation.

Communication security

With reference to the principles of information assurance, which among others are confidentiality, availability and integrity, this involves a collaborative effort among the engineers in the IT department to ensure that data transmitted between computer networks remains confidential and protected from prying eyes. Confidentiality is ensured when the information sent is decipherable only by the person it was meant for. The data sent is considered available and credible if it is received within the required time, irrespective of constraints. Integrity, as well, is maintained when the transferred data is not altered in any way, whether due to human factors or technical issues (SACA, 2006).

Operation Security

Operation security concerns the operations performed by the computers housing information, such as the information received from the sender or at the receiving computer. It is a well-known fact that the sending of information is initiated by the operators of the networked system in the case study organization. This group of people could include administrative operators, data operators and personnel operators. It could apply to more groups than these, but these are the ones applicable to the case study organization. Operation security deals with setting up a standardized operational guideline that caters for the information sent between systems, in such a manner that the computers responsible for these data transmissions are secure at all times and are located in an environment where the likelihood of their being destroyed or stolen is minimized.

System Reliability

This refers to the relationship among the components of a computer system and the decisions made regarding the choice of specific components to use while assembling the computer systems, in such a way that there can be improvements in system reliability, maintenance and availability (Elsayed, 2006). System reliability ensures that both the hardware and software are readily usable at the time they are to be used.

Information Security

Several international organizations have written many white papers on how and why information should be secured. Several laws have been…

References

Harwood, I.A. (2006). Confidentiality constraints within mergers and acquisitions: gaining insights through a 'bubble' metaphor. British Journal of Management, Vol. 17, Issue 4, 347-359.

Parker, Donn B. (2002). Toward a New Framework for Information Security. New York, NY: John Wiley & Sons. ISBN 0471412589.

Elsayed, E. (1996). Reliability Engineering. Addison Wesley, Reading, California: USA.

SACA (2006). CISA Review Manual 2006. Information Systems Audit and Control Association. p. 85. ISBN 1-933284-15-3.