Topic 1 - Information Assurance Principles

The document discusses the principles of information assurance according to the MSR model. It describes the MSR model which identifies 3 states of information, 3 countermeasures, and 5 basic services. It then outlines 7 principles for implementing information assurance: being a business enabler, protecting interconnected systems, being cost effective, establishing responsibilities, requiring a robust method, periodic assessment, and considering social obligations. It also discusses the related concepts of information security, information protection, and cybersecurity.

TOPIC 1

INFORMATION ASSURANCE PRINCIPLES


The MSR Model of Information Assurance

• The Maconachy-Schou-Ragsdale (MSR) model, 2001:
  - 3 states of information: storage, transmission, and processing
  - 3 essential countermeasures: technology, policy, and people
  - 5 basic services: availability, integrity, authentication,
    confidentiality, and nonrepudiation
• The model demonstrates the interlocking relationship among
  these 45 unique combinations (3 states × 3 countermeasures × 5 services).
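The 45 combinations are the cross product of the three axes. As an added example that is not part of the slides, the following Python builds that cross product and runs a simple gap check over a constructed, hypothetical control inventory: each control is tagged with the states, countermeasures and services it addresses, and the script lists the cells of the model that no control covers. The control names and their tagging are assumptions made for illustration, not an organisation's real inventory.

```python
from itertools import product

# Axes of the MSR model (from the slide): 3 states x 3 countermeasures x 5 services.
STATES = ("storage", "transmission", "processing")
COUNTERMEASURES = ("technology", "policy", "people")
SERVICES = ("availability", "integrity", "authentication",
            "confidentiality", "nonrepudiation")


def msr_cells():
    """Return all 45 (state, countermeasure, service) combinations of the model."""
    return list(product(STATES, COUNTERMEASURES, SERVICES))


def validate_control(control):
    """Reject a control whose axis values are not part of the MSR model."""
    for axis, allowed in (("states", STATES),
                          ("countermeasures", COUNTERMEASURES),
                          ("services", SERVICES)):
        bad = set(control[axis]) - set(allowed)
        if bad:
            raise ValueError(f"{control['name']}: unknown {axis} {sorted(bad)}")


def coverage(controls):
    """Map every cell of the model to the names of the controls that address it."""
    cov = {cell: [] for cell in msr_cells()}
    for control in controls:
        validate_control(control)
        for cell in product(control["states"],
                            control["countermeasures"],
                            control["services"]):
            cov[cell].append(control["name"])
    return cov


def uncovered(controls):
    """Cells of the model that no control addresses: the gap list for review."""
    return [cell for cell, names in coverage(controls).items() if not names]


def gaps_by_countermeasure(controls):
    """Count uncovered cells per countermeasure, which shows at a glance whether
    a control set leans on technology while policy and people are thin."""
    counts = {cm: 0 for cm in COUNTERMEASURES}
    for _state, cm, _service in uncovered(controls):
        counts[cm] += 1
    return counts


# Constructed sample control inventory (hypothetical, for illustration only).
SAMPLE_CONTROLS = [
    {"name": "Full-disk encryption on laptops",
     "states": ("storage",), "countermeasures": ("technology",),
     "services": ("confidentiality",)},
    {"name": "TLS on all external links",
     "states": ("transmission",), "countermeasures": ("technology",),
     "services": ("confidentiality", "integrity", "authentication")},
    {"name": "Acceptable-use policy",
     "states": STATES, "countermeasures": ("policy",),
     "services": ("confidentiality",)},
    {"name": "Annual security awareness training",
     "states": STATES, "countermeasures": ("people",),
     "services": ("confidentiality", "integrity")},
    {"name": "Nightly backups with restore tests",
     "states": ("storage",), "countermeasures": ("technology",),
     "services": ("availability",)},
    {"name": "Signed, append-only audit log",
     "states": ("processing",), "countermeasures": ("technology",),
     "services": ("integrity", "nonrepudiation")},
]


if __name__ == "__main__":
    gaps = uncovered(SAMPLE_CONTROLS)
    print(f"{len(gaps)} of {len(msr_cells())} MSR cells have no control")
    print("gaps per countermeasure:", gaps_by_countermeasure(SAMPLE_CONTROLS))
    for state, cm, service in gaps:
        print(f"  {state:<13}{cm:<12}{service}")
```

With the sample inventory the script reports 29 uncovered cells out of 45, and the per-countermeasure breakdown shows that the policy and people axes carry most of the gaps, which is the kind of imbalance the model is meant to expose: the six sample controls address five different services, but almost entirely through technology.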

TIA2221 Info Assurance & Security 2


The MSR Model of Information Assurance (figure slide)


The MSR Model of Information Assurance

• The 7 information assurance principles that enable us to
  implement the MSR model:
  - Be a business enabler
  - Protect the interconnecting element of an organization’s
    systems
  - Be cost effective and cost beneficial
  - Establish responsibilities and accountability
  - Require a robust method
  - Be assessed periodically
  - Be restricted by social obligations



Information Assurance

• The overarching approach for identifying, understanding, and
  managing risk through an organization’s use of information and
  information systems.
• Includes all information an organization may process, store,
  transmit, or disseminate regardless of media. Thus, information
  on paper, on a hard drive, in the mind of an employee, or in the
  cloud is considered in scope.
• Information security, information protection, and cybersecurity
  are subsets of information assurance.



Information Security

• A subdomain of information assurance that focuses on the CIA
  triad: confidentiality, integrity, availability.
• Includes all information an organization may process, store,
  transmit, or disseminate regardless of media. Thus, information
  on paper, on a hard drive, in the mind of an employee, or in the
  cloud is considered in scope.
• Information protection and cybersecurity are subsets of
  information security.



Information Protection

• Protecting the confidentiality and integrity of information
  through a variety of means such as policy, standards, physical
  controls, technical controls, monitoring, and information
  classification or categorization.
• Includes all information an organization may process, store,
  transmit, or disseminate regardless of media. Thus, information
  on paper, on a hard drive, in the mind of an employee, or in the
  cloud is considered in scope.
• Some laws, regulations, and rules specifically cite information
  protection as a requirement for sensitive information such as
  personally identifiable information and personal health
  information.



Cybersecurity
• Concerned with the same objectives as information security, but
  within the scope of the CIA of electronic information systems.
• Cybersecurity often focuses on the vulnerabilities and threats of
  an information system at the tactical level. System scanning,
  patching, and secure configuration enforcement are common
  foci of cybersecurity.
• Intrusion detection, incident response, and other functions
  commonly run from a security operations center (SOC) are often
  identified as cybersecurity functions.



Information Assurance and Subdomains (figure slide)


Information Assurance: Business Enabler
• A business enabler and a competitive advantage rather than an
  obstacle.
• Through the implementation and operation of suitable controls,
  information assurance assists in achieving the organization’s
  vision and mission by protecting its critical assets and resources.
• When information assurance is properly implemented, it ensures
  business confidence and competitive advantage.
• E.g., some financial organizations have banned the use of IEEE
  802.11 (Wi-Fi) networks until enhanced security standards for
  these networks become available. Thus, information assurance
  may act as an essential barrier to prevent the adoption of unsafe
  business practices, rather than as an enabler for business.



Information Assurance: Protects the Fabric of an
Organization’s Systems
• Information systems provide the interconnecting elements of
  effective management of organizations. Management cannot
  make informed decisions if the system does not demonstrate
  the security elements of the MSR model.
• Information assurance is a shared responsibility; it should be
  incorporated into the current management system and
  requires participation from all functional units.
• Information assurance involves constant review, monitoring,
  and improvement based on the risk decisions made by
  management.



Information Assurance: Cost Effective and Cost
Beneficial

• Information has varying value based on its criticality and
  sensitivity. Therefore, the protection requirements should be
  proportional to the value of the information/assets protected
  and the associated risk.
• Security investments should take into consideration the cost of
  designing, implementing, and maintaining the controls; the
  values of information assets; the degree of dependency on the
  information systems; and the potential risk and impact the
  organization is likely to face.
• Investing in information assurance is both a horizontal and
  vertical effort; a crosscutting program.



Information Assurance: Cost Effective and Cost
Beneficial

• There is also a fixed-cost aspect to information assurance, which
  is often the “vertical” aspect of information assurance.
  Organizations need to have an information assurance program
  firmly established.
• Investments made based on the choice of controls after a risk
  assessment exercise reduce the impact of information
  assurance–related losses. E.g., by implementing an effective
  incident-handling process, an organization can avoid losses in
  terms of unnecessary resources devoted to recovering from a
  major disruptive incident.



Information Assurance as a Program and Service Provider (figure slide)


Information Assurance: Shared Responsibilities

• System owners should share information about planned and
  implemented security controls so that users can be aware of
  current efforts and know that the relevant systems are
  sufficiently secure.
• As an information assurance corollary, information can be
  secured adequately only when all who have access follow
  established procedures.
• The assignment of responsibilities may be to internal or external
  parties. Clearly defined security responsibilities (at both the
  individual and functional level) encourage best practices by users.



Information Assurance: Robust Approach

• Information assurance requires a complete and integrated
  approach that considers a wide range of processes. This
  comprehensive approach extends throughout the entire
  information life cycle.
• Security controls operate more effectively in concert with the
  proper functioning of other business process controls.
• Interdependencies within an information system exist by
  definition; therefore, a thorough study should be performed
  before a determination of compatibility and feasibility of
  controls is made.



Information Assurance: Reassessed Periodically

• Security requirements change rapidly in parallel with emerging
  technologies, threats, and vulnerabilities. Therefore, there are
  always new risks.
• To assure controls remain relevant, an audit or review should be
  performed to determine the level of compliance with
  implemented controls.
• Increases in complexity or rate of change will necessitate more
  mature change and configuration management (CM)
  approaches.
• Organizations should continuously monitor the performance of
  controls by conducting regular assessments of their information
  systems.



Information Assurance: Restricted by Social
Obligations
• Organizations must consider social obligations in the
  implementation of security controls.
• Organizations should balance the rights and desires of the
  organization versus the rights of organizational employees and
  customers. This involves understanding the security needs of
  information owners and users.
• Organizations need to balance between security risks they are
  willing to accept versus human rights or social factors.
• This can lead to solving issues such as the conflict between
  security and workplace privacy.
• Employee monitoring and a bring-your-own-device (BYOD)
  policy are areas where social obligations and information
  assurance often require extensive analysis.


Implications from Lack of Information Assurance

• In general, you must apply both due care and due diligence to
ensure a system is operating within acceptable social and legal
norms.
• Due care is the development and implementation of policies and
procedures to aid in performing the ongoing maintenance
necessary to keep an information assurance process operating
properly to protect assets and people from threats. Due care
prevents negligence.
• Due diligence is the reasonable investigation, research, and
understanding of the risks an organization faces before
committing to a particular course of action. The organization
should do its homework and ensure ongoing monitoring.



Implications from Lack of Information Assurance

• Penalties from legal/regulatory authorities
• Loss of information assets
• Operational losses and operational risk management
• Customer losses
• Loss of image and reputation



Summary

• Have considered:
  - The MSR Model of Information Assurance
  - Basic Definitions
  - The 7 Information Assurance Principles
  - Implications from Lack of Information Assurance

