What You Need To Know About Information Assurance These Days

Information assurance procedures strive to ensure the responsible use, handling, transference and storage of data. The principles of information assurance cover both analog and digital data, but for all practical purposes, the procedures focus almost wholly on digital information and technology. At one time, only government agencies, medical facilities, and financial institutions stored sensitive personal information. As the reach of computer technology expanded, many commercial enterprises began collecting and storing personal information on their customers. Businesses evolved that specialized in gathering this information and reselling it as a marketing tool. Some of these businesses lacked the information safeguards used by the government and financial institutions, and sensitive personal information on customers was at risk for theft and illicit use. In an attempt to ensure the safety of personal customer information, businesses adopted information security procedures instituted by the government. These procedures were based on three basic principles: confidentiality, integrity, and availability. These principles are still the foundation of information security and are called the “CIA Triad” model. Information assurance builds upon the CIA Triad by emphasizing ethical controls over the use of private data and stressing the importance of disaster data recovery and business continuity. The most common information assurance model is called the “5 Pillars of Information Assurance” and adds authentication and non-repudiation measures to the CIA Triad. Confidentiality is an attribute of both information assurance and security. The security model restricts access to information to only authorized individuals. Physical security measures, software password protection, and user access profiles are all basic tenets of confidentiality in the security model. Information assurance adds ethical controls to these security measures. Access to information is not only limited to authorized personnel but is further restricted to use only for authorized purposes by authorized personnel. This ethical constraint prohibits companies with access to credit scores from running a credit check on a person without explicit consent to do so. HIPAA guidelines are a prime example of confidentiality in information assurance. Integrity is also an attribute of both security and assurance. While the security model views integrity only as protection against unauthorized changes to or destruction of information, the information assurance model adds additional measures to ensure data in all parts of a computer system match. This is critical in databases that use things like social security numbers or drivers' license numbers as key records. Availability is the attribute dealing with timely, reliable access to stored information, security controls and computer hardware. In the security model, availability is compromised when a malicious “denial of service” attack prevents customers or users from accessing a website or computer network. In the information assurance model, availability issues are mainly limited to considerations of power supplies and physical equipment failures. Authentication is an attribute of information assurance that is not part of the CIA Triad model of information security. The goal of an authentication measure is to ensure that an information request or transmission is legitimate, or that requesting or receiving personnel have the authority to request, send, view or use the information. The final pillar of the 5 Pillars of Information Assurance is non-repudiation. Non-repudiation attributes provide information senders with proof of data delivery and information recipients with proof of the sender’s identity. This attribute is extremely important for digital financial transactions. Some components of an information assurance program fit into more than one category. For example, data encryption and user passwords are non-repudiation attributes, authentication attributes, and confidentiality attributes.