assurance concepts, and the development of new terms to describe nuances of the
IA² practice.
Most people in technology think in terms of the technology they are familiar
with and the operations that technology supports. Although this is not bad, it is not
enough. The architect needs to think in abstract terms of hierarchies, taxonomies,
and principles that emphasize the business perspective and guide the mechanisms
that support operations. A business driver of secure communications between
the Internet and the internal network results in IA services and IA mechanisms
to support that business driver. The size, complexity, type, and notoriety of the
organization drive the breadth and depth of these IA services and mechanisms. A
small Midwest insurance agency is unlikely to be a direct target of international
cyber terrorism; however, it may be an indirect victim of a cyber virus in the wild.
A prudent precaution is for this small Midwest company to install anti-malware
on servers and desktops to protect itself from incidental infection. A government
organization of military and political significance is more likely to be under direct
attack from not only conventional malware, but also unique malware specifically
targeted at that organization. This government organization requires a significantly
larger investment in defense, monitoring, and response with respect to malware.
The architectural process assists in discerning these differences and providing the
appropriate safeguards to balance operational effectiveness, security, and cost.
1.3.2 Information Assurance: A Working Definition
An abstract organizational mission statement reads: Provide the people we serve
with quality products and services on time, within budget, and within specified
service level agreements (SLAs). The ultimate focus is on stakeholder value.
Stakeholder value may be shareholder value in the private sector or constituent
value in the public sector. Whatever the mission, it requires operational
integrity—operations must continue despite incidents that may interrupt,
information must be accurate despite incidents that may corrupt, and information
critical to mission success must be kept confidential from competitors, enemies,
or other opposition despite incidents that may disclose. Many factors, including
buildings, utility services (e.g., power and water), personnel, and information
technologies, support the mission. Information assurance defines and applies a
collection of policies, standards, methodologies, services, and mechanisms to
maintain mission integrity with respect to people, process, technology,
information, and supporting infrastructure.
Information assurance addresses information, not just information technology.
A chief information officer (CIO) is responsible for information, not just
information technology. Information assurance provides for confidentiality,
integrity, availability, possession, utility, authenticity, nonrepudiation,
authorized use, and privacy of information in all forms and during all exchanges.