word forgotten, the information on the hard drive is unusable. This same principle
applies to individual documents, databases, backups, archives, etc.
Although privacy is traditionally absorbed under confidentiality, it deserves its own consideration due to the sensitivity of the issue (e.g., identity theft). Personal privacy concerns will continue to increase as technology becomes even more pervasive in our daily lives and awareness of privacy issues grows. There is little difficulty in gathering such personal information as name, address, SSN, financial records, educational and professional backgrounds, and purchase histories. There are many valid uses for this information; however, there are also many opportunities to use it in an exploitative manner. One example is targeting unwanted advertising at an individual on the basis of his or her purchasing patterns. Moreover, there is a need to protect personal information whose disclosure may cause personal harm. For example, medical tests that disclose a genetic predisposition to heart attack or cancer may affect the ability to obtain insurance coverage or pass a job interview. Privacy management is indeed a critical IA element. Appendix J contains an outline for a privacy management program. A privacy management program is supplemental to a security management program (Appendix E).
Authorized use is the antithesis of theft of service (e.g., toll fraud). Toll fraud costs businesses worldwide billions of dollars per year. Adding Transmission Control Protocol/Internet Protocol (TCP/IP) connectivity to phone systems (e.g., IP telephony or Voice-over-IP [VoIP]) creates potential new media through which to perpetrate toll fraud: the LAN, the wide area network (WAN), and the Internet. A core principle of IA is to safeguard access to services that incur cost to the organization.
The IA core principles include nonrepudiation because of the increasing use of online transactions and legal agreements. Nonrepudiation provides the means to ensure that the initiator of a transaction cannot later deny having initiated that transaction. Including details that support nonrepudiation in logs is an essential part of trust in online transactions. Transactions may be of a commercial nature (e.g., buy/sell), or a transaction may be a request for a service in a service-oriented architecture (SOA) environment. The nonrepudiation safeguard ensures that a service requestor cannot later deny having requested that service. The integrity of audit logs, the establishment of a chronology of activities, and the validation of those activities and of the identity of the people or entities involved in them all depend in part on nonrepudiation.
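As an added example (not code from the book), the kind of log entry the paragraph describes, in Go: each service request is signed with the requestor's own key, so the requestor cannot later deny having made it, and records are hash-chained so that their chronology is fixed and any later edit to an entry is detected. The record layout, requestor names and timestamps are constructed for illustration; a MAC would not serve here, because a shared key would let the log keeper forge what it verifies.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Record is one audit-log entry binding a requestor to a request (constructed layout).
type Record struct {
	Timestamp string   // constructed; a real log would take it from a trusted clock
	Requestor string   // identity whose public key verifies Signature
	Request   string   // the service request the requestor cannot later deny
	PrevHash  [32]byte // hash of the preceding record: chronology and chain integrity
	Signature []byte   // requestor's Ed25519 signature over the four fields above
	Hash      [32]byte // SHA-256 over body and signature; the next record links to it
}

// body is the byte string that the requestor signs; it includes PrevHash so the
// signature also commits to the record's position in the chain.
func (r *Record) body() []byte { return []byte(fmt.Sprintf("%s|%s|%s|%x", r.Timestamp, r.Requestor, r.Request, r.PrevHash)) }

// AppendRecord signs with the requestor's private key, which only they hold, so the
// signature is evidence that they initiated the request; then it chains the record.
func AppendRecord(log []Record, ts, who, req string, key ed25519.PrivateKey) []Record {
	r := Record{Timestamp: ts, Requestor: who, Request: req}
	if len(log) > 0 {
		r.PrevHash = log[len(log)-1].Hash
	}
	r.Signature = ed25519.Sign(key, r.body())
	r.Hash = sha256.Sum256(append(r.body(), r.Signature...))
	return append(log, r)
}

// VerifyLog returns the index of the first record whose requestor is unknown or whose
// chain link, hash or signature fails, or -1 when the whole log checks out.
func VerifyLog(log []Record, pubs map[string]ed25519.PublicKey) int {
	var prev [32]byte // the first record links to the all-zero hash
	for i, r := range log {
		pub, ok := pubs[r.Requestor]
		if !ok || r.PrevHash != prev || r.Hash != sha256.Sum256(append(r.body(), r.Signature...)) ||
			!ed25519.Verify(pub, r.body(), r.Signature) {
			return i
		}
		prev = r.Hash
	}
	return -1
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed requestor "alice"
	pubs := map[string]ed25519.PublicKey{"alice": pub}
	log := AppendRecord(nil, "2024-05-01T10:00:00Z", "alice", "order:buy:100", priv)
	log = AppendRecord(log, "2024-05-01T10:00:05Z", "alice", "order:sell:40", priv)
	fmt.Println(VerifyLog(log, pubs)) // -1: every record checks out
	log[0].Request = "order:buy:1"    // an after-the-fact edit breaks signature and chain
	fmt.Println(VerifyLog(log, pubs)) // 0: the first record is rejected
}
```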
2.7 IA² Principles
An objective is a goal. A principle is a fundamental edict or underlying faculty that describes a characteristic of the objective or the accomplishment of the objective. The IA Core Principles define the fundamental objectives of information assurance. The design of the IA² framework itself, as well as the application of the IA²