According to Dark (2010), “information assurance is the practice of managing risks related to use, processing, storage, and transmission of information or data and the systems and processes used for those purposes”. Information assurance encompasses information in different forms including digital, analog and physical information, even though the subject today tends to focus more on digital information. The field has grown and developed from computer security in the past years to information security, which is today the biggest concern in data management. In an era where information is among the most important assets in a business, many organizations are willing to invest a big percentage of their resources in information security.
The role of information technology has never been more vital than it is today in boosting any company’s performance. The nature of information technology is constantly changing with more abundance and accessibility being established each day. The uses of information technology are equally expanding due to new and better technologies used in collecting and sharing information (Schudel, 2000). As this happens, the need for information security and assurance gets bigger. Data storage is more sophisticated and cheaper today, simplifying the management of information which may be in the form of images, words, and numbers. All these positive changes have combined forces to give businesses, governments and other institutions many unprecedented opportunities to create high performances.
Organizations have been given better opportunities to use information technology to improve business value. In many industries today, the level of information technology is used as a measure of performance, which is dependent on the approach towards an industry, investments businesses put in it place and how well companies master the capabilities of information technology (Seddigh, Peter, & Ashraf, 2006). This paper addresses information assurance, ethics involved in the process, threats, strategies and their strengths and weaknesses. It also analyzes a strategy that will enable an organization maximize their productivity and customer satisfaction.
Information assurance concepts
As Doyle (2009) points out, “confidentiality, integrity, availability, authentication and non-repudiation are the core principals of information assurance”. Other important principles of information assurance include utility and an organization’s ability to own or possess the information.
Integrity involves proper handling and management of all data systems to ensure safety. It involves largely the people handling an organization’s information such as the employees. According to Etzioni (2002), “integrity is the quality of information systems reflecting logical correctness and reliability to the operating systems; the logical completeness of the hardware and software implementing the protection mechanisms of different data structures”. Even though integrity is mostly about people, it encompasses other technical aspects of handling information such as the reliability of security measures put in place. Integrity in information assurance is supposed to ensure that any confidential information is only accessible to authorized people and it is protected from modifications by unauthorized people. Loss of integrity also occurs when unauthorized people can delete information or make it completely disappear from an organization’s system.
In today’s world, specific information is important for proper management of different aspects of an organization. With the realization that not all information is useful, converting information to knowledge is an important aspect of information management. Information assurance requires that an organization be able to access and use specific information at the time when it is most needed. For an organization to fully benefit from information, authorized people must have timely and reliable access to it. The information itself, the company’s computing systems and its security measures must be protective, but at the same time they should not make it impossible to access information. Denial of access, a common attack on organizations, can mean that an organization’s wealth of information is useless for the period it is inaccessible (Alger, 2001).
According to Ford (2005), authenticity means that the information available for an organization’s use must be genuine, trustworthy and its credibility must be undisputed. An organization’s security measures must be able to validate any information received and establish the validity of its sources. Authenticity is important to ensure that both the sources and users of any information are genuine. In an era where information sharing has become extremely easy, authentication breaches easily occur in organizations, compromising their information assurance standards (Mathisen, 2003). Any information management systems must make it hard for unauthorized personnel to duplicate information or to send it to other destinations and data warehouses.
“Information non-repudiation is the assurance that the sender of data is provided with proof of delivery and the recipient is provided with proof of the sender’s identity, so that neither can later deny having the transaction” (Solove, 2006). It is a very important information assurance concept to ensure organizations don’t get into any legal consequences associated with improper conduct during information management. Technologies available to facilitate this include digital signatures, which can also be used to establish information’s authenticity.
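The exchange the definition above describes, with both sides’ messages, as an added example that is not part of the original paper: the sender signs the data (the recipient’s proof of the sender’s identity), and the recipient answers with a signed receipt over the message digest (the sender’s proof of delivery). It uses Go’s standard-library Ed25519 and assumes, for illustration, that each party already knows the other’s public key; the party names and the purchase-order text are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Party holds one participant's Ed25519 key pair. In a real deployment the
// public key would be bound to an identity by a certificate; here (assumption)
// the parties have exchanged public keys out of band.
type Party struct {
	Name string
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewParty generates a fresh key pair for a named participant.
func NewParty(name string) (*Party, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{Name: name, pub: pub, priv: priv}, nil
}

// PublicKey is what a party shares with its counterpart.
func (p *Party) PublicKey() ed25519.PublicKey { return p.pub }

// SignedMessage is what the sender transmits: the data plus the sender's
// signature over it. Only the holder of the sender's private key could have
// produced the signature, so the sender cannot later deny sending it.
type SignedMessage struct {
	Data      []byte
	Signature []byte
}

// Receipt is what the recipient returns: the recipient's signature over the
// SHA-256 digest of the message it accepted, giving the sender proof of delivery.
// A production receipt would also carry a timestamp or nonce so that an old
// receipt cannot be replayed for a re-sent message.
type Receipt struct {
	Digest    [32]byte
	Signature []byte
}

// Send signs the data with the sender's private key.
func (p *Party) Send(data []byte) SignedMessage {
	return SignedMessage{Data: data, Signature: ed25519.Sign(p.priv, data)}
}

// Receive verifies the sender's signature (proof of the sender's identity and
// of the data's integrity) and, only on success, issues a signed receipt.
func (p *Party) Receive(senderPub ed25519.PublicKey, m SignedMessage) (Receipt, error) {
	if !ed25519.Verify(senderPub, m.Data, m.Signature) {
		return Receipt{}, errors.New("sender signature invalid: origin cannot be established")
	}
	d := sha256.Sum256(m.Data)
	return Receipt{Digest: d, Signature: ed25519.Sign(p.priv, d[:])}, nil
}

// ConfirmDelivery lets the sender check that the receipt was signed by the
// recipient and covers exactly the message that was sent, not some other one.
func ConfirmDelivery(recipientPub ed25519.PublicKey, sent SignedMessage, r Receipt) bool {
	if r.Digest != sha256.Sum256(sent.Data) {
		return false
	}
	return ed25519.Verify(recipientPub, r.Digest[:], r.Signature)
}

func main() {
	alice, _ := NewParty("Alice")
	bob, _ := NewParty("Bob")

	msg := alice.Send([]byte("purchase order 42: 100 units")) // constructed sample
	receipt, err := bob.Receive(alice.PublicKey(), msg)
	if err != nil {
		fmt.Println("Bob rejected the message:", err)
		return
	}
	fmt.Println("Bob verified Alice's signature and issued a receipt")
	fmt.Println("Alice holds proof of delivery:", ConfirmDelivery(bob.PublicKey(), msg, receipt))

	// A message altered in transit fails verification, so no receipt is issued.
	tampered := msg
	tampered.Data = []byte("purchase order 42: 1000 units")
	if _, err := bob.Receive(alice.PublicKey(), tampered); err != nil {
		fmt.Println("Tampered copy rejected:", err)
	}
}
```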
Internet availability and its influence on information assurance strategies and legislation
Internet availability and access pose a challenge to many organizations’ information security. “The commonly discussed concept of cyber age, which is the high-tech era we are living in today, makes it more easy for outsiders to access information from an organization” (Stair, 2010). The current age is characterized by easy transfer and access of information, increasing the rate at which information is shared. It is also an era characterized by instant access to information which would not otherwise have been possible in previous years. The world has taken a complete shift from the traditional industry to an age where economies and business are run and controlled by how easily information can be accessed or manipulated (Computer Associates, 2007).
“The distributed nature of the internet, and its basis on routing of packets along multitudinous networks, makes it impossible to have a central control” (Garretson, 2007). This makes it hard to regulate or control the content. The rates at which different organizations’ data warehouses are hacked into continue to spark very heated debates. The fact that use of the internet has grown exponentially means that it is no longer reserved for the intellectually able but is open to everyone who can access it. As it attracts more users in every part of the globe, the threats facing organizations increase as well.
The bigger challenge in addressing information ethics in organizations is being able to accommodate diverse values and cultures as well as different global systems. Conflicts arising from the arguments are clear from incidents such as that of China being in disagreement over how much access the government should have on people’s and organizations’ interactions and data.
In trying to understand whether there is a place for ethics in information management, there is need for agreement over the fact that information transfer, the context, products and services should be shaped by ethics. For any practical problem relating to information such as copyright, the law should be applied fully. Considering the number of transactions and volumes of information transmitted today, many organizations are susceptible to abuse. The law in many countries calls for organizations to put in place self-regulatory measures which ensure that information is only available to authorized personnel (Air-force Research Labs, 2002). The issue of privacy has continued to raise controversial discussions over how much privacy businesses should enjoy and how much access the government should have to organizational information. Different countries have put in place laws that have increased law enforcement’s access and ability to monitor organizations’ information transactions. Law enforcement in different countries has a right to record electronic communications and retrieve organizations’ transactions on the internet (Prasad, 2008).
In an event where any sort of organizational information or its leakage is perceived as a potential threat to national security, the law enforcement agencies have the right to have the content of the transaction or communication divulged to them (Shin, 2003). The law however fails to explain what constitutes a potential threat, causing many concerns over how much access the government should be allowed to have over organizational transactions and information.
Ethics as it applies to information assurance
Information assurance is based on availability, integrity and confidentiality (Blyth & Gerald, 2006). If all three are put in place, the overall security of information is assured. Software complexity has however made this hard to achieve, since many people are not well conversant with how to operate such software. The results have been devastating where organizations have not been able to protect themselves. The purpose of ethics in any context is to differentiate between right and wrong and to promote good habits while discouraging bad ones.
While information policies are supposed to ensure accessibility and speed in transfer of information, ethics must take into consideration its social nature. Ethics should also ensure consideration of everyone’s interests, those of the developers and those of the rest of the society. This is in consideration of the fact that the information management is a business which needs to be profitable by sometimes applying business models which may not be acceptable by everyone in society (McKnight, 2002).
To find a place for ethics in the information world, there has to be acceptance that information assurance does not mean value-free practices (Boyce & Dan, 2002). Values should shape the content of information being collected or distributed. Information assurance also calls for protection of both the person receiving or giving it. It should also be considerate of national and local cultures to ensure that it is not offensive to the giver or the receiver.
It is important to realize that ethics in information assurance do not call for information to be subject to one set of cultures (Nygard, 2003). A good example is multinational organizations, where the information collected often includes a multiplicity of cultures and values. Ethics in information assurance therefore call for the users’ accommodation of different value systems. Finally, ethics in information assurance call for responsiveness to users’ opinions, which play an important role in ensuring customer satisfaction. This is through a realization that while the information concept started in some regions, it now belongs to the whole world. Different users’ opinions and concerns should therefore be considered when implementing information assurance. Customers and other users are completely entitled to having opinions and suggestions on how information should work for them.
Factors affecting information assurance strategies success
Information assurance strategies can be broadly categorized into two categories: government and commercial. Different governments play an important role in ensuring that information assurance is upheld in a country. Different government rules and regulations dictate organizations’ privacy measures and access. Many information assurance strategies are also drawn from different countries’ departments of defense perspectives (Swanson, 2003). More organizations however invest heavily in commercial information assurance solutions to ensure that their customers’ information is protected from unwarranted exposure. There are many factors to consider when developing or implementing an information assurance strategy. Before implementing any strategy, architects of the process will ensure they fully understand the goals and objectives an organization intends to achieve from the process. Different organizations have varying types of data, levels of data dependency, governing structures and different information threats facing them (Qian, 2008). As a result, the process is slow, since all these factors require in-depth research to allow integrators to implement a custom-made strategy for each organization.
When the process is complete, the success of any strategy is largely measured based on its productivity and its ability to provide customer satisfaction. The strategy must add value to an organization, increase its productivity and protect customers and any information they give to an organization. “It must be in line with an organization’s relationships and synergies and focus on the overall organization’s vision and mission” (Gansler & Hans, 2004). Factors affecting an information assurance strategy can be categorized into four groups:
Nash (2010) defines a threat as “any organization, nation, person or process that causes, through accidental or deliberate action, any scenario resulting in unauthorized disclosure, modification or destruction of organizational information”. Before any information strategy is put in place, specific organizational threats are analyzed. It is important for an organization to sufficiently analyze the relevance of different threats facing an organization. The analysis must be focused on all the aspects of a threat such as the frequency and consequences. Sources of threats must also be established to effectively counter them. Government and foreign threats are common especially in multinational organizations. Competitors also pose as a major threat especially in markets that do not provide avenues for fair competition (Vaugh, 2002).
An organization’s employees and culture have a major role in deciding the efficiency of an information assurance strategy. Organizations that have developed a culture of honesty and that have loyal employees are bound to benefit more from an information assurance strategy, because employees watch out for the good of the organization. A business that lacks employees’ loyalty faces the challenge of having its information easily exposed to its competitors, putting its employees among the threats facing it.
Organizational and government policies determine the success of information assurance strategies implemented by different organizations. Policy factors can affect a strategy in different ways. Poorly drafted policies may not be able to address potential threats or deal with the consequences. If an organization’s policies cannot address threats and other significant aspects of information assurance, it becomes more probable that the organization’s level of vulnerability will increase. As Nedja and Ajith (2007) argue, the level of an organization’s vulnerability impacts its information strategy’s success.
Another way in which policies influence an organization’s information assurance strategy is through the quality of review and the rate of updates done on them. Policies must be updated frequently enough to allow them to accommodate new technological tools and challenges in the market. Policies must be able to address the latest exploitation threats facing an organization and offer appropriate solutions. They are supposed to provide enough countermeasures to provide integrity and safety. They are also supposed to be able to protect an organization’s information assets. If policies are not able to detect potential exploitations, the possibility of a catastrophic loss becomes more probable (Chen, 2002).
According to Rao and Shambhu (2009), people play an important role in executing the collective objectives of any organization. Factors such as the screening and hiring processes will determine how much an organization can trust its people. Candidates hired need to have the sufficient technical capability to handle information sufficiently without exposing information to probable threats. As technological infrastructures get more and more complex, people entrusted with different information responsibilities must be able to provide all the skills needed to meet the requirements mandated by the organization’s policies.
Training and awareness play an important role in ensuring professional management of information. Every organization needs to educate its people on the laws and regulations that govern the way information is handled, as well as the consequences of not adhering to them. The manner through which people incorporate their skills into an organization’s structure contributes to its information assurance strategy’s success (Competitive Intelligence Foundation, 2006).
Any organization’s governing structure plays an important role in determining the outcome of its information assurance strategies. Governance contributes to their success by acknowledging and supporting effective information assurance measures. Governance determines the level of training and support accorded to the organization’s team. Allocation of funds and resources for different measures intended at strengthening information strategies determine their success or failure. It is also the management’s responsibility to receive feedback from all the information users and make the necessary modifications to improve efficiency.
Information assurance strategies
According to the National Research Council of the US (2010), “defense-in-depth strategy is a term borrowed from military tactical doctrine that suggests deploying war-fighting resources in a manner that presents successive lines of defense”. In this type of strategy, an organization increases its resistance to deny the enemy any chance of penetration. An organization will deploy enough preventive measures at the early stages of the organization to make it more difficult for the enemy.
These barriers can be enhanced by creating access control to ensure that access is only allowed to known and authorized users. Measures such as internet protocols can ensure that data is only fed from known sources (Cook, 2002). The defense-in-depth strategy commonly uses tools such as demilitarized zones and other detection methods to help an organization identify and deal with a threat before it causes any damage to an organization’s data warehouse. Users are required by the system to scan their data and information before using it in an organization’s systems. In this strategy, it is common for organizations to install monitoring tools and traffic control measures to ensure that all information is verified before being fed into or retrieved from the systems.
Defense-in-depth strengths include a fast deployment speed and its ability to adapt to dynamic threats (Cronin, 2009). The strategy offers high levels of flexibility and speed since more people can feed, access and use information at the same time. Its weaknesses include increased expenses arising from the required equipment and security tools such as access-control devices and firewalls. The strategy calls for more labor and regular maintenance and monitoring, all of which increase costs and complexity. Major processes in the strategy such as configuring, implementing and monitoring information and the systems are complex and involved, creating more loopholes for mistakes.
“A system-high approach strictly controls access to vital systems and forces all users to comply with a meticulous clearance process that notionally eliminates the need for security barriers” (Rao & Manish, 2007). One way through which an organization can do this is ensure that information is only accessible through one specific terminal, hence eliminating all other external connectivity.
This strategy’s strengths include the fact that data protection is done at a lower cost, since it does not require all the security technologies used in the defense-in-depth strategy. The level of protection is high since information can only be accessed through one controlled terminal, making it easier to monitor. The approach also reduces the amount of equipment needed, making it less technical and cheaper. Its weaknesses include rigidity and its inability to respond to other dynamic threats that may arise. The strategy makes deployment slower since access is controlled.
Productivity and customer satisfaction
“Data on its own is nothing more than a set of random numbers or a collection of information stored on some medium which is meaningless in and of itself” (Willet, 2008). Data only gains real value and meaning when an organization knows how it is organized and when it knows how to convert it into information. Connectivity to context, other sets of information and people converts it to an asset of the highest value to a business. When information is connected, it is now referred to as knowledge which then makes things happen and it impacts a business. The biggest task of information technology is to ensure that information is connected and is part of the knowledge that drives different operations in an organization.
The biggest task of information assurance is converting information to knowledge by ensuring connectivity to people, context and other forms of information. Connectivity ensures that information is constantly available and accessible to all users at all times. It also increases customer satisfaction. In such a highly dynamic environment, this is not an easy task but levels of sophistication in the industry have made this possible. Information today is generated at explosive rates which would be virtually impossible to manage if it were not for information technology. Its resources help align the information with the needs it is supporting.
Information assurance has different distinguished values in any business environment. “The intrinsic value is much harder to establish and the scale for measuring it is more problematic” (McCumber, 2001). It is however a bit straightforward to perform a quantitative measure since it simply involves considering what it might cost to have or lose the information. The other equally important value in information assurance is the urgency value which is very dependent on how fast and easy accessibility is. This value can be measured by calculating the cost of delayed accessibility.
For information assurance to add value to a business, there needs to be more than traditional data management. The process calls for a high-performance IT plan, which involves all the resource systems available to make it possible (Dutka, 2004). Today, organizations collect information from observation made possible by new technologies such as sensors, GPS, web cameras and tags, just to mention a few. Due to advanced wireless technology, tapping and sharing information has become more real now than it has been in the past. This means that information is coming in each day in quantities that were unimaginable only a short time ago.
Information assurance therefore plays an important role in adding value to a business. Making decisions based on facts is the most important value to any business today. A business’ potential today is dependent on how much information it has on its market, its competitors, suppliers, customers, costs and every other factor that affects its competitiveness. The information-based industry particularly benefits from information technology by having an opportunity to capture any major improvements in productivity available in the market. The business opportunities that this industry can unlock by use of information assurance are huge, and it increases workers’ productivity through a more efficient use and sharing of information (National Security Agency, 2000).
Information assurance adds value to an organization by achieving efficiency which helps reduce operating costs and improving productivity. It helps foster greater flexibility and helps an organization achieve a higher responsiveness to the now highly dynamic business environments (Fleisher, 2003). It also helps extend a business’ geographical reach and customer access by adapting to market practices. New advances in technology today concern the business’ and customers’ ability to directly access information through the available networks. Integrating various business processes through information assurance helps organizations have more control of their expenses, develop dynamic pricing strategies and create efficiency through collaboration and cooperation.
In a world where information is an increasingly important commodity, information assurance allows organizations to easily transact knowledge from suppliers to customers and all other stakeholders (Hasanali, 2004). This is helpful especially to their customers in assisting them to make better choices in the market. This is a good avenue for organizations to develop a customer relationship management program which improves their ability to cater to the needs of their customers. By integrating a business’ system with that of its partners and suppliers, it is then possible for it to design internal business processes that align well with those of partners to improve service delivery to and from the partners (McMillan, 2000).
Information assurance also allows businesses to partner with many other businesses and therefore market their products and services, a healthy channel for increased customer satisfaction (Cunningham & Fried, 2002). Since many of these partnerships are either free or involve very minimal costs, a business can reduce the costs of enlarging its clientele. A good example is travel and tour companies, which are greatly benefiting by partnering with search engines such as Yahoo, sites which attract thousands of visitors each day for travel information and more convenient transactions.
A multi-layered security strategy such as the defense-in-depth strategy is one way through which a business can increase its productivity and customer satisfaction. To enact and implement effective information assurance, it is important to address all the sub-components involved in the process (Vaughn, 2008). Network security, authentication of users, computer security and other aspects of information assurance need to be in place. A multi-layered security system does the following:
- Ensures that only authorized users can access information
- Creates observation and monitoring measures
- Assures limited access to an organization’s core network
- Provides a protocol that conducts scans for all information being fed in the system
- Hides and protects valuable information from regular users
- Ensures early detection of threats through scans.
A multi-layered security approach focuses on preventing, detecting and controlling threats rather than dealing with the consequences of probable threats when they have already materialized (Kahaner, 2009). Since it addresses all aspects of information assurance such as collection, storage, processing and transfer, productivity is increased. Increased productivity translates to maximized customer satisfaction through a safer and more reliable way for them to convey and receive information.
The role of information technology has never been more vital than it is today in boosting any company’s performance. The nature of information technology is constantly changing with more abundance and accessibility being established each day (Murphy, 2005). The uses of information technology are equally expanding due to new and better technologies of collecting and sharing information. As this happens, the need for information security and assurance gets bigger. Data storage is more sophisticated and cheaper today simplifying the management of information which may be in the form of images, words, and numbers. All these positive changes have combined forces to give businesses, governments and other institutions many unprecedented opportunities to create high performances.
Information assurance concepts include availability, integrity, authenticity, non-repudiation and confidentiality. Where these concepts are lacking, information may not be valuable to an organization or it may expose a business to major risks. The world today has gone digital and undergone a revolution which makes information easily accessible. The world today is also very electronic and the global networks are state of the art (Rouach, 2008). Following the efficiency of the internet and its applicability in the US Department of Defense, its use has since proliferated to every part of the world. The kind of connectivity brought about by the internet has however been a cause of worry and a source of conflict over issues concerning privacy. Therefore, there is an increased need for more efficient information assurance strategies.
Commonly used strategies include defense-in-depth and system-high. They both offer high levels of protection but bring with them different advantages and disadvantages. Their major differences lie in the cost of implementation and the methods through which they offer protection. For an organization to ensure maximized productivity and customer satisfaction, it must invest in a strategy that offers protection and flexibility and does so in a cost-effective manner. That is why this paper proposes a multi-layered security strategy, which offers these advantages and allows early detection of threats so that a business can deal with them before they proliferate. A multi-layered information assurance strategy will enable the business to create observation and monitoring measures, ensure only authorized access to an organization’s data warehouse, provide sufficient scans for all information being fed into the system and protect an organization’s valuable information from regular users.
Air-force Research Labs. (2002). Information assurance in the Navy. Web.
Alger, J. (2001). On assurance, measures and metrics: Definitions and approaches. Virginia: WISSR.
Blyth, A., & Gerald, K. (2006). Information assurance: Security in the Information Environment. London: Springer.
Boyce, J., & Dan, W. (2002). Information assurance: Managing organizational IT security risks. Amsterdam: Butterworth-Heinemann.
Chen, M. (2002). CI spider: A tool for competitive intelligence on the web. Decision Support Systems, 34(1), 1-17.
Competitive Intelligence Foundation. (2006). Competitive intelligence ethics: Navigating the gray zone. Alexandria, VA: Competitive Intelligence Foundation.
Computer Associates. (2007). Cost of losing information: A framework for information management planning. Web.
Computer Crime and Intellectual Property Section. (2010). Cyber Security Enhancement Act. Web.
Cook, C. (2002). Competitive intelligence: Create an intelligent organization and compete to win. Dover, N.H.: Kogan Page.
Cronin, O. (2009). Information assurance: A survey of current practice. International Journal of Information Management, 14(3), 204-222.
Cunningham, R., & Fried, D. (2002). Adaptable Real-Time Information Assurance. Aerospace, 6 (4), 2678-2682.
Dark, M. (2010). Information assurance and security ethics in complex systems: Interdisciplinary perspectives. Hershey, PA: Information Science Reference.
Doyle, C. (2009). The USA Patriot Act: A legal analysis. Washington. D.C.: Congressional Research Services.
Dutka, F. (2004). Information assurance: Competitive intelligence for competitive edge. Lincolnwood: NTC Business Books.
Etzioni, A. (2002). The limits of privacy. New York: Basic Books.
Fleisher, D. (2003). Controversies in competitive intelligence: The enduring industry. Westport, Conn.: Praeger.
Ford, M. (2005). Computers and ethics in the cyber age. Upper Saddle River, NJ: Prentice Hall.
Gansler, J., & Hans, B. (2004) Information assurance: Trends in vulnerabilities, threats, and technologies. Washington, D.C.: National Defense University.
Garretson, R. (2007). Is it Still Strategic: CIO Insight. Web.
Hasanali, E. (2004). Information assurance in Indian organizations. India: McGraw-Hill Education Pvt Ltd.
Kahaner, M. (2009). Information intelligence: How to gather, analyze and use information to move your business to the top. New York: Springer-Verlag Berlin Heidelberg.
Mathisen, J. (2003). Measuring the effect of an information security awareness drive. Norway: Gjovik University College.
McCumber, J. (2001). Information assurance systems security: A comprehensive model. Washington D.C.: National Institute of Standards and Technology.
McKnight, W. (2002). What is information assurance. The Journal of Defense Software Engineering, 13 (6), 257-554.
McMillan, S. (2000). Proven strategies in competitive intelligence: Lessons from the trenches. New York: J. Wiley & Sons Publishers.
Murphy, C. (2005). Competitive intelligence: Gathering, analyzing and putting it to work. Aldershot [u.a]: Gower.
Nash, T. (2010). Information assurance: Protecting your business in the information age. London: Director of Publications for the Institute of Directors and Symantec.
National Research Council of the US. (2010). Information assurance for Network-Centric naval forces. Washington D.C.: National Academies Press.
National Security Agency. Organizational information security: Awareness, training and education to maintain systems integrity. International Computer Security, 17(3), 456-489.
Nedja, N., & Ajith, A. (2007). Computational intelligence in information assurance and security. Berlin: Springer.
Nygard, A. (2003). Metrics for software resistance against trojan horse attacks. Information Security, 23(4), 278-456.
Prasad, A. (2008). Information technology and business value in developing economies.
Qian, Y. (2008). Information assurance: Dependability and security in networked systems. Amsterdam: Elsevier.
Rao, H., & Manish, G. (2007). Managing information assurance in financial services. Hershey, PA: IGI Publications.
Rao, H. & Shambhu, U. (2009). Information assurance, security and privacy services. Bingley, UK: Emerald.
Rouach, S. D. (2008). Competitive intelligence adds value: Five intelligence attributes. European Management Journal, 19(5), 552-559.
Schudel, G. (2000). Adversary work factor as a metric for information assurance. SRI International, 3(22), 260-312.
Seddigh, N., Peter, P., & Ashraf, M. (2006). Current trends and advances in information assurance metrics. Web.
Shin, N. (2003). Creating business value with information technology: Challenges and solutions.
Solove, M. R. (2006). Privacy, information and technology. New York: Aspen Publishers.
Stair, M. (2010). Fundamentals of information systems. Boston: Boston Course Technology.
Swanson, N. (2003). Security metrics guide for information technology systems. National Institute of Standards and Technology Systems, 12(7), 1457-1680.
Vaugh, R. (2002). Information assurance system rating and ranking. The Journal of Defense Software Engineering, 7(4), 30-32.
Vaughn, S. (2008). Information assurance measures and metrics: State of practice and proposed taxonomy. System Sciences, 15(3), 874-2000.
Willet, K. (2008). Information assurance architecture. Boca Raton: CRC Press.