Information Assurance Fundamentals

Information assurance is the protection of the Confidentiality, Integrity, and Availability of data. Confidentiality of client data is necessary both for compliance with the various privacy laws and for building the trust the client places in the business. Business data such as trade secrets must also be kept confidential to prevent their theft.

Confidentiality controls include both limits on who can access the data and logs of who does. They also include measures such as encryption to protect against unauthorized access to the data. Confidentiality tells us what types of data need what types of protection, and who should or should not have access.

Data Integrity is a measure of the accuracy of data. Some of the ways Data Integrity can be compromised are malicious actors having write access to a database, faults during the collection of the data, or errant manipulation during business processes, whether by bad code or by human error. Integrity is protected primarily through backups. An organization can put in place as many double checks and change management procedures as it can, but in the end, a corrupted database holding terabytes of data can be impossible to repair and can ruin part or all of a business. Backup scheduling is determined by a set recovery point objective (RPO), which is a measure of how much data a business is willing to lose in any given system failure. System owners set that recovery point by quantifying the business value of the data and what its loss would mean for the business.
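A worked check for the recovery point objective described above, added here as an example and not code from the original text: given a backup log and an RPO in hours, it reports every window in which a system failure would have lost more data than the business accepted. The log format, the sample log and the `check_rpo` helper are assumptions made for this example.

```python
from datetime import datetime, timedelta

# Constructed sample log (not from the original page): one line per backup
# attempt for system db01. Only lines ending in "ok" count as recovery points.
SAMPLE_BACKUP_LOG = """
2024-03-01T00:00:00 db01 backup ok
2024-03-01T06:00:00 db01 backup ok
2024-03-01T12:00:00 db01 backup ok
2024-03-01T18:00:00 db01 backup FAILED
2024-03-02T02:00:00 db01 backup ok
2024-03-02T08:00:00 db01 backup ok
"""


def parse_backup_times(log_text):
    """Return the sorted completion times of successful backups only."""
    times = []
    for line in log_text.strip().splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[-1] == "ok":
            times.append(datetime.fromisoformat(fields[0]))
    return sorted(times)


def rpo_violations(times, rpo, now=None):
    """Windows in which a failure would have lost more data than the RPO allows.

    Checks every gap between consecutive successful backups and, if `now` is
    given, the open gap since the last backup. Returns (start, end, gap) tuples.
    """
    checkpoints = list(times) + ([now] if now is not None else [])
    return [(prev, cur, cur - prev)
            for prev, cur in zip(checkpoints, checkpoints[1:])
            if cur - prev > rpo]


def check_rpo(log_text, rpo_hours, now_iso=None):
    """String-based wrapper: returns (start, end, gap_hours) for each violation."""
    now = datetime.fromisoformat(now_iso) if now_iso else None
    times = parse_backup_times(log_text)
    return [(s.isoformat(), e.isoformat(), gap.total_seconds() / 3600)
            for s, e, gap in rpo_violations(times, timedelta(hours=rpo_hours), now)]


if __name__ == "__main__":
    for start, end, hours in check_rpo(SAMPLE_BACKUP_LOG, 6, "2024-03-02T16:00:00"):
        print(f"RPO exceeded: {hours:.0f}h without a backup between {start} and {end}")
```

Passing the current time as `now_iso` also flags a backup job that has silently stopped running, which a gap-only check between past backups would miss.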

Availability is ensured by keeping systems online so that those who should have access to them have it at all times. Availability is most often interrupted by high system load, which can be caused by malicious actors performing denial of service attacks, by poor planning on the part of the IT team and oversights in IT audit, or even by unexpected surges in legitimate traffic caused by media attention. In a way, Oprah is one of the greatest social-engineering system hackers of all time: she can and has endorsed a product and overloaded its website within minutes.

Availability is protected by redundancy. Redundancy can be achieved relatively easily through cloud computing, which allows multiple instances of a system to run in separate geographic regions. Decisions about which systems should be placed in a cloud environment, and what kind of cloud (public, private, or hybrid) should be used for each system, should be made in consultation with cybersecurity experts.