Assurance Program Why/How to Create an Information

¶ … Assurance Program

Why/How to create an Information Assurance

Just as paramount as the availability and access to information is significant in every company or business outfit, certain concerns always come to the fore: the kind of information is to be made. How the information is going to be organized? How will it be possible to ensure that the information released represents the judgment of the management of the company and gives assurance that the very information required is available?

This document contains the solutions to the concerns mentioned above; an Information Assurance Program is necessary in every organization. This project explains why information assurance program is needed in every viable company and also explores ways it can be affected, integrated into the organization and organized. The program encompasses different models which span through finding the reason why such program is needed to analyzing whether the finding is practicable. This takes the next leap by prioritizing the analyzed needs of the case study organization.

There are many models but not all are applicable to the case study of organization as well spelt out in later chapters of this write-up. The models examined in this project are such that works for any organization that is keen at updating and strengthening their information assurance by engaging in the program, suggested in this project.

Table of Contents

Abstract

Table of Contents

Introduction

Principles of Information Assurance

Approaches to Information Assurance

Processes of Information Assurance

Ensuring an Effective Management Change

Software Development -- Compliance with CMMI

Data Management

Developing Information System to Suit the Case Organization

Information System Security Standards

Information System Security Models

Preparing the Information System Operators for better Operations

Cost Analysis of Undertaking Information System Security

Executive Summary

Introduction

To better understand the concept of Information Assurance program in a company setting, an understanding of 'information' and 'assurance' need mentioning. According to Cambridge online dictionary, information is defined as facts about a situation, person or thing while assurance is defined as a promise. In a company setting, a promise that information will be available in an organized manner is made.

Information Assurance refers to a process that starts with what strategy should be employed, an outlay of high-level risk that can be tolerated by the company and the likely rewards that can be gained from such strategy. Security in the workplace is such a complex matter where a lot of matters also vie for attention. A model must be established which will serve as the hallmark for other IT workers to follow. The procedure of Information assurance strives is such that there must responsibility, transferability and storage of data. The stored data must be protected and for that to be enshrined, certain models must be followed. Amongst the models construed by the government, the most notable one is called the 'Triad Model." This is based on the principles: confidentiality, integrity and availability. These principles still form the building blocks of information security. In a case study organization, these principles apply to every information and data management strategy in all departments of the organization. Other Models, of course, are also useful but for the sake of the case study organization, the "Hexad" and "Triad" Models shall be fully considered (SACA, 2006, Thomas, 2001).

Principles of Information Assurance

Confidentiality

This aspect of the triad model spells out the access level anyone has to certain information and the permission level. For information to be accorded any manner of confidentiality, it must be really private and confidential in nature. It is a principle based on company ethics where dissemination of unrestricted information to a third party is disallowed. Certain restrictions are usually placed on permission to access information without authorization. It can also be said to be the cornerstone of information security in today's business corporation (Harwood, 2006).

Integrity

This is another ingredient of security and assurance. It refers to being accurate and consistent in data handling without any problems occurring due to changes in an updated version of the data. It can also mean that the information is not tampered with, meaning that it is whole (Parker, 2000).

Through the use of standard rules and regulations, integrity is forced on the database during its design. It is important to consider that while trying to enforce integrity, unprecedented loopholes are inevitable but could be minimized by the following methods:

Regular data back-up

Designing of the database with ability to detect invalid data input

Control of data flow and access by certain security mechanism, and Using of software that checks for and correct errors.

By installing software that disallows alteration of data without permission

By making sure that only authenticated persons checks the final information for verification

Availability

This is viewed from two dimensions: The Security Model and the Information Assurance Model. According to the former, it is when users or people are allowed access to a computer network in their bid to access information while in the former; availability refers to when a user is allowed access to the power supply of a networked system serving as a server of information.

Authentication

Although not part of 'triad model', this is an extremely important principle of information assurance. There is always a concern 'rightful access' to certain information in an organization. Authenticity refers to the right a person has to send or receive information. This is ensured when authenticity is ensured in an organization.

Authorization

This refers to a set of instruction given to software to only grant access to the person who is permitted to view, alter and work with the information. This ensures that there is no information leakage or loss of information on transit. There are different levels of this authorization; it could be high or low level authorization. High level authorization allows respective personal to access the information without much scrutiny. On the other hand, if a person had a low level access then he will be allowed to only view the information without actually altering anything from it. This serves to disallow abuse of the authorization (Thomas, 2001).

As mentioned earlier, several Models exist for different organizations of which the shotlisted one proves to work on the case study organization. Many models have evolved through decades of use while some are mere updated versions of the old ones. Over the years and from use, some approaches have come into existence which have direct relation with data management and application development of the case study organization. In order to have secure information and minimize or tackle data management breach, these levels of security are needed: physical security, communication security, operation security, system reliability, system safety, information security and operations security. This ensures that these security levels are adhered to only serve to prevent the abuses that may occur from uncontrolled access. It also prevents loss of information that can result from human error or malfunctioning hardware. The case study organization is encouraged to observe these securities.

Approaches to Information Assurance

To ensure protection of information stored on the database of the computer, established security level is necessary as mentioned earlier. This prevents data breach, tampering with information and data loss.

Physical Security

Simply put, this is protecting the computer hardware and its peripherals from damage and theft so as to avoid loss of data or/and to avoid disruption in the operation of such computer.

Communication security

With reference to the principles of information assurance, which among others are: confidentiality, availability and integrity, this involves a collaborative effort among the engineers in the IT department at ensuring that information in the form of data that is transmitted between computer networks remains confidential and protected from prying eyes. Confidentiality is ensured when the information sent is only decipherable to the person it was meant for. The data sent is considered available and credible if received within the required time irrespective of constraints. Integrity as well, is maintained when the transferred data is not altered any way either due to human factor or technical issues (SACA, 2006).

Operation Security

Operation security concerns with the operations performed by housing computers such as the information received from the sender or the receiving computer. It is a well-known fact that information sending is initiated by the operators of the networked system in the case study organization. This group of people could include administrative operators, data operators and personnel operators. This could be applied to more groups than this but this is applicable to the case study organization. Operation security deals with setting up a standardized operational guideline that caters for the information sent between systems in a manner that the computers responsible for these data transmission are secure at all times and are located in environment where likelihood of it being destroyed of stolen is highly minimized.

System Reliability

This refers to the relationship among the components of a computer system and the decision made regarding the choice of specific components to use while assembling the computer systems in such a way that there can be improvements on system reliability, maintenance and availability (Elsayed, 2006) System reliability ensures that both the hardware and software are readily usable as at the time they are to be used.

Information Security

Several international organizations have written lots of white papers on how and why information should be made secured. Several laws have been promulgated by governments and agencies of governments and the countries and agencies involved in this explain how important it is to have information security. Bodies like the COMMISSION OF EUROPEAN COMMUNITIES (ECMA); the Organization for Economic Cooperation and Development (OECD); Canadian System Security Centre. Information security deals a lot with:

Disallowing unauthorized persons access to information not meant for them

Minimizing or eradicating the tendency for information to truncated while on transit

Making undecipherable information not meant for other people

Installing firewalls that disallows leakage of information

Training of IT staff to respect the code of ethics of the IT department (SACA, 2006).

The list is endless but for the case study organization, it is applicable.

System Safety

Systems differ from organizations to organization and from department to department but similar things that stand out in all systems are the hardware and the software. Safety of the system incorporates the components of the system. Each of the components requires different ways of securing them. The essence of this is to prevent or minimize damage to information in the system. For meaningful success to be a possibily in ensuring safety systems, early planning is necessary to allow for incorporation into the computer systems. A plan that spells out the steps to be taken in routine system safety and also complementary plan explaining steps to be taken in case of safety breach. Having in mind the dangers and cost of lost information due to unsafe systems and the vulnerability of the computer systems, the following general guidelines should be ensured:

(1) the system should be kept in a known secure place

(2) cut down on the probability of non-functional parts

(3) prevent sabotage of the computer systems

(4) restrict movement within the computer room or department to authorized persons

(5) install security alarms that notifies the security department in case of breach

After having established the various approaches to information assurance, the necessary steps to be taken are then considered. These steps represent a blueprint for the case study organization. They follow each other in order of priority. The essence of information assurance is relational to the organization and availability of information as at when needed. The protected and assured information is an asset to be guarded with all seriousness. The various steps or processes are: risk assessment, risk management plan, countermeasures, computer emergency response, cost analysis.

Processes of Information Assurance

The processes of information assurance are as listed above are the life and blood of ensuring a successful program.

Risk Assessment

Data and information are constantly being exposed to risks which may be as a result of technical challenges or human operator error. It is an evaluation of the likely risks that may occur. It is also a risk management process that identifies the vulnerability to the source of information of a business organization (CISA, 2006). An objective view of the risk and likely uncertainties must be considered. In order to prepare before hand, the Risk Management Team/Department are expected to have taken into account operational errors, system sabotage, information pilfering and many other risks that could occur while either processing or transmitting information.

There are series of methodologies that can be applied in order to tackle risks. Frameworks like ISO/IEC 27005:2008; BS 7799-3:2006 and SP 800-30 among others depending on the security needs of the organization. Of the listed models, the ones most applicable to the case study organization is ISO/IEC 27005:2008 and it has the following frameworks which will ensure that risk is well assesses in the organization: category establishment, assessment of risk, risk treatment, risk acceptance, communication of risk and risk review.

Category Establishment is basically bringing into focus the possible risks that can be exposed to. Some of them will fall into the same group and there are possibilities of different categories of risks.

Assessment of risk comes to play when after categories of risk have been established. This involves taking stock of the risk and the risk level and making necessary planning with cost analysis.

Risk management is the decisive and proactive steps or measures taken by the management at addressing the different risks that have been assessed and the factors implicated. If the risk is consequent upon system or likely system failure, this could be addressed by procuring, in addition to the main system, additional spare parts to replace malfunctioning ones. If however it is due to human error, this could be tackled either by retraining the It workers or reassigning them.

Countermeasures take into account the various steps required in correcting, minimizing and stopping a risk that the organization has been exposed to.

Computer emergency response is one of the countermeasures that the management can use in responding to risks or threat of risk. This method could be automated to ensure continuous operation in the absence of human instigator.

Communication of risk plays an important role in response to risk. In the presence of threat or assessed risks, the level of risk such is must be passed to the knowledge of those concerned or stakeholders in the security unit of the organization. Security alert could be set in such that an alarm can be offset to sound note of warning. This results in preparing for countermeasures and relaying risks. This is very essential in curtailing risk.

Risk review is the final lap in the entire series. This is where the stakeholders a meeting is held and everyone concerned is debriefed and decision taken based on security reports.

Risk management Plan

Risk can be appropriately defined as the possibility of unexpected negative uncertainties happening. Since the likelihood of risk is inevitable, certain steps must be taken to which is referred to as a plan to see the case study organization through in the event of risk. They are (1) identify the risk (2) assess the risk (3) identify the priority level of the risk and (4) control the risk (Thomas, 2001).

There are lots of risks and for a credible risk management plan to be established, the risk mist be identified in order to know the appropriate measures to undertake.

After the risk might have been identified, it is then assessed. It is assessed by way of knowing likely things that might have gone wrong for this kind of risk to occur. This helps the management of the case study organization respond appropriately.

The priority levels of the risks identified is important. This allows the management to know the particular risk to attend to before others are considered. In the event of multiple risks, this laid down plan of attaching priority level to the risk will identified goes a long way.

Control the risk. This final step in risk management plan is the most crucial. After the initial steps have been taken, these control measures can be taken, though other departments can have additional steps added to these:

(i) establishing security awareness programs

(ii) disaster planning

(iii) making risk analysis

(iv) establishing emergency response team

(v) setting up internet policy

(vi) having a modem control

(vii) establishing remote access

(viii) installing virus

(ix) computer crime investigation

Countermeasures

This is the step taken to counter the effect of risks that have been established and accepted as risk. It is not all risks reported that are worth responding to but after defining the risk and prioritizing them, it then that the organization can device countermeasures to cushion the effect of the risk. This could be in the form of:

(i) firewall installations

(ii) installing anti-virus software

(iii) enacting security policies

(iv) staff training and retraining

(v) implementation of security advice by experts

Computer Emergency Response

This is a group of computer experts that handle computer-related issues. What they do is to identify, analyze and recommend measures to be taken or even deal with the risk themselves. This group come under many different names depending on the regions such is located and the expertise of those forming the group. This group can come handy in event of risk.

Cost Analysis

The monetary value of plans must be evaluated to ascertain the relative cost with other similar venture. It is defined as a relational cost comparison between similar services (Bleichrodt, 1999).

In the case study organization, if information assurance is to be successful in the face of identified risk, one of the countermeasures the management may consider is having what is called management change. Certain security flaws are due to the negligence of IT workers in the computer department or the security network is porous. It is necessary for there to be a change in the management setting of the case study organization. There are prescribed steps to be taken to make this as effective as possible and therefore retain the integrity of information conveyed to different computer locations.

Ensuring an Effective Management Change

For every organization serious about information assurance and applying the inherent advantage to ensuring data or information security, effective management change is necessary. Diverse meanings can be ascribed to Management Change but as far as data/information security in Information Technology is concerned, Management Change can also mean software configuration management.

Software Configuration Management can be generally defined as the process of identifying the configuration of a system at certain points in the life cycle of the system with the aim of controlling this change systemically and also to maintain the integrity and traceability of these changes (Bersoff & Henderson, 1980). It can also mean the processes of managing software and the changes that occur to it (Ronald, 1992). There is a consensus among the various definitions and can be broadly defined as the task of ensuring tracking and modifications to software which include configuration management, source control and baselines. Depending on the organization, there are different components that need change but for the case study organization, it is necessary to maintain the laid down standard. Exert of the established standard according to an authority in the information assurance and IT issues, the IEEE are:

Identification: an identification scheme is needed to reflect the structure of the product. This involves identifying the structure and kinds of components, making them unique and accessible in some form by giving each component a name, version identification, and configuration identification.

Control: controlling the release of a product and changes to it throughout the lifecycle by having controls in place that ensure consistent software via the creation of a baseline product.

Status Accounting: recording and reporting the status of components and change requests, and gathering vital statistics about components in the product.

Audit and review: validating the completeness of a product and maintaining consistency among the components by ensuring that components are in an appropriate state throughout the entire project life cycle and that the product is a well-defined collection of components (IEEE standard: 729-1983)

Configuration Management: The security features that need to be kept up-to-date should include hardware, firmware, and software and text documentation. These hardware form the crux of the information system they dictate their functionality and performance. It is essential that configuration management should meet the standard which entails four processes. These are: configuration identification, configuration control, and configuration status accounting and configuration audits.

Configuration Identification: Every configurable information system parts that needs configuration come with documentation that defines every part of the product.

Configuration Control: This involves a series of steps that require and involve approval with the aim of effecting changes on the documentation of the product used configuration.

Configuring Status Accounting: This is basically recording and reporting the changes in the documentation of products used in configuration whenever such changes occur.

Configuration Audits: This aspect is divided into two and they work together. One is physical configuration audit while the second is functional configuration audit. The former ensure that the required installation is done in accordance to documentation.

Source Control: This is basically how the information assurance/IT worker control all changes made to the systems. There are times during the life cycle of the information system that needed change will be made. These changes may span days, week even months. It is therefore necessary to track these changes and control them.

Baseline: This is a process of maintaining any change within a closed system so that the entire process happens within a closed system. The process of baseline management ensures this does not go out of control.

In order to maintain best practices, team productivity and to avoid problems when effecting management change, the following best practices are necessary:

(i) The very thing to do is to identify the item that needs configuration and other items needed for the configuration. All these should be secured in the repository and necessary backups ensured

(ii) After the items are secured in the repository, control and audit changes must be ensured. Every atom of changes made must be recorded and whom the modifier is. This is a way of preventing unauthorized access to the repository.

(iii) Next is organizing the configured items into various partitions. Groups of similar items are grouped together.

(iv) At certain times in the course of the changes and tracking, baselines should be created.

(v) Finally, there should be track for request to change. These best practice procedures are necessary.

The benefits to be derived from ensuring management change are numerous

It enables easy reporting

Testing efforts are streamlined

Integration problems are minimized

Natural links to project management are created

The processes mentioned above are the basic standard enshrined by established bodies in the information assurance programs. In order to maintain secured systems and protect data and information, these basic guidelines must be adhered to. However, affecting these needed changes can be done in several other ways but for the case study organization, Concurrent Versions System (CVS) is more appropriate.

Concurrent Versions System (CVS)

This is software that is needed to effect all the necessary changes that need to be done on the information system. In situations where several workers are working on a particular file, CVS helps in organizing the work and to track ever changes that occur. This software is already free on websites. It can be downloaded within minutes.

Software Development -- Compliance with CMMI

After having established the various effected management change, constant updates that need to be done can be gotten from third party vendors. There are probable dangers in involving third party software vendors to get this job done. The case study organization can position itself by developing the software in-house. The process involved is not cumbersome if the necessary skills are acquired. Depending on the use for such, the steps follow this model: modeling, design, code generation, project management, testing, deployment, change. A recognized authority in the area of software development has laid down standard that prospective developers are expected to follow. It is Capability Maturity Model Integration (CMMI). There are five levels of CMMI. The levels are as follows (i) initial level (ii) managed level (iii) defined level (iv) quantitatively managed level and (v) optimizing level

CMMI has an appraisal level called Standard CMMI Appraisal Method for Processing Improvement (SCAMP). This is a method that meets all ARC requirements.

Data Management

Having learnt the various ways information systems can be set and configured, data and information are better secured. Possibility of a data protocol breach is minimized. For all these to work perfectly well, data management plan must be ensured. Data management is the development and execution of architectures, organizational policies and procedures so as to manage information system of an organization in an organized manner. Data management is critical to the security of any organization. There are processes involved in actualization the aims of managing data. The very first step is to develop and enable an optimal business process after which the following processes take over from there.

(i) data migration and integration

(ii) data maintenance

(iii) data quality assurance and control

(iv) data archiving

Data migration and integration: This is a stage in data management where data is brought from an external disk and sorted. It is mandatory to clean the data so as not corrupt the residing system and after which the data is allowed to fit into the system architecture and design.

Data maintenance: At this level, master data is integrated with the organization's role for such data. Any changes or alteration made to data must be synchronized here.

Data Control: This is just to ensure that the data is free of errors and alterations that are not necessary. It is also to ensure that data is available as at and when needed. The assurances from the data control are very important for the overall functionality of the process

Data Archiving: The last stage of data management; it entails how data is stored in an organized manner that makes it easy to retrieve data. There are a number of processes through which data archiving can be achieved. For instance, all information can be tagged and placed in a methodological manner.

These steps involving data are very necessary to ensure a safe and secure data management which in turn renders information secure. The absence of any one of the three would lead to errors and possibly loss of data

Developing Information System to Suit the Case Organization

The whole essence of different levels of planning boils down to system development which is the stage where actual implementation is. It involves a series of steps from starts from: initiation stage, followed by analysis, then design stage, implementation, maintenance and disposal are different stages in this particular model. Each stage will now be considered one after the other:

Initiation stage: This is the very start of the entire process. This stage actually sets the tone of the entire remaining stages. At this stage, determination is made of the kind of information the system will be used in processing followed by the likely method of transmission and who the operator will be. This stage is very critical.

Analysis stage: After the initial requirement has been prepared, with regards the need for information system, an analysis is conducted by the information system analyst or expert. This stage determines whether the proposed system fit into the security plans of the computer. Cost analysis is also considered in relations to the purchase or overhaul of the entire information systems.

Design stage: this stage follows the analysis stage, in this phase, a specific design is affected by the case study organization and the systems are subsequently purchased. Installation follows after that as these have to be done to meet the approved design. The information security is then installed and configure to according to the plan of the organization.

Implementation: This stage sees the information security features being implemented as planed. This is necessary to ensure a smooth running system devoid of operational hiccups.

Maintenance Stage: Just like all others electronic equipment, routine maintenance must be carried out. Constant checks are put on the operation of the software and the hardware. Moreover, if any malfunctioning is noticed, updating the software or replacing the malfunctioning of certain hardware becomes necessary.

Disposal Stage: This forms the last stage in the life cycle of the system development. At a point in time, there may be a need to dispose some parts of the system that are no longer useful. These parts can be disposed off in many ways but something of interest may occur while this is being varied out. That is releasing of information to the wrong person (Harwood, 2006).

After the case study organization must have developed the information system computers as described above, there is need to maintain recognized standard level so as to operate at a an acceptable security standard.

Information System Security Standards

All professions have standards serving as their hallmarks. Information system which is the brain child of information technology has standards of operation called security standard. There are three recognized standards, namely: (i) Best Practice Standards (ii) Technical Standards and (iii) Market Place Standards

(i) Best Practice Standards: Over time, there have being different modifications to this very one depending on the technology know how of the generation concerned. One of the acceptable modifications of this standard is the ISO 17799. It sets the foundation for the required standard in operating and running of the information system and it cuts across every nooks and cranny of information system. These can be broken down into:

Access control

Compliance with related laws

Operational management

Communication management

Organizational security

Security policy, among others too numerous to mention

Best Practice Standards can be used to ascertain an organization security standard. Using the standard as a hallmark, the case study organization can set the organization's information system to conform to the standards of Best Practices. This even helps the organization at reducing huge loss that may unwittingly occur if the standard is not maintained.

(ii) Best Practice Standards: This actually contains a list of security standards that are technical in nature. All the case study organization needs are checked and a list is prepared that reflects on the organization with most positivity. There are certain standards and guidelines on the use of these practices, which makes the job quite easier.

(iii) Market Place Standards: This third standard incorporates affiliate companies that have been recognized over the years as emblems in the industry. What these companies do is that any information system that operates according to the set standard is accorded recognition in form of certification which is duly contested for by many information systems outfits.

Information System Security Models

Security is ensured on the computer system so as to protect the data and information contained in them. To adequately secure the data and information contained in these computer systems, a security model must be adopted. Several security models abound but these fit into the case study organization: Bell and Lapadula model, Bubab model, Clark Wilson model, Goguen-Meseguer. All the above-mentioned security models discuss on how to get information systems secure (Thomas, 2001).

After having discussed the above models, the human staff that operates the system is necessary to be updated as a better equipped operator produces better result.

Preparing the Information System Operators for better Operations

In order for information systems security to achieve the desired goal, the human factors in the system must be trained and retained to better equip themselves for the task that lay ahead. The importance of this training is spelt out by one of the Federal agencies The Federal Information Security Management Act (FISMA). In compliance with his regulation and in accordance with the policy of the case stuffy organization, it is mandatory for the organization to enlist the IT staff members into this training program as it will better the lots of the company. This said program has only four stages: (i) awareness (ii) training (iii) education (iv) getting certified

Awareness: This can really assume many forms. When awareness is created, both the company and the worker stand to be better informed of services and new trends that benefit the company. When aware, the company or organization stands miles ahead of the crowd and stay security alert.

Training: This ingredient is a very important one in the stages of design and programming. Workers are trained so they may acquire new skills or to update on the old ones they know. It prepares the workforce for being highly skilled and taking up specific jobs or assignments. Furthermore, this will benefit the organization by limiting errors and reducing their exposure to risk.

Education: A lot of schools have been established for this purpose. Skills and competence are married together to have a new breed of skilled personnel that is better equipped to take up challenges and reduce the impact of risks involved in data and information transfer (Elsayed, 1996).

Certification: After the worker must have been duly trained, certification is given out based on the level of competence. It should be noted that the certification provided can still be built upon by subsequent training (Bleichrodt and Quiggin, 1999).