Information assurance

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search

Information assurance (IA) is the practice of assuring information and managing risks related to the use, processing, storage, and transmission of information or data and the systems and processes used for those purposes. Information assurance includes protection of the integrity, availability, authenticity, non-repudiation and confidentiality of user data.[1] It uses physical, technical, and administrative controls to accomplish these tasks. While focused predominantly on information in digital form, the full range of IA encompasses not only digital, but also analog or physical form. These protections apply to data in transit, both physical and electronic forms, as well as data at rest in various types of physical and electronic storage facilities. IA is best thought of as a superset of information security (i.e. umbrella term), and as the business outcome of information risk management.


Information assurance (IA) is the process of getting the right information to the right people at the right time. IA benefits business through the use of information risk management, trust management, resilience, appropriate architecture, system safety, and security, which increases the utility of information to authorized users and reduces the utility of information to those unauthorized.[2] It is strongly related to the field of information security, and also with business continuity. IA relates more to the business level and strategic risk management of information and related systems, rather than the creation and application of security controls. Therefore, in addition to defending against malicious hackers and code (e.g., viruses), IA practitioners consider corporate governance issues such as privacy, regulatory and standards compliance, auditing, business continuity, and disaster recovery as they relate to information systems. Further, while information security draws primarily from computer science, IA is an interdisciplinary field requiring expertise in business, accounting, user experience, fraud examination, forensic science, management science, systems engineering, security engineering, and criminology, in addition to computer science.


The information assurance process typically begins with the enumeration and classification of the information assets to be protected. Next, the IA practitioner will perform a risk assessment for those assets. Vulnerabilities in the information assets are determined in order to enumerate the threats capable of exploiting the assets. The assessment then considers both the probability and impact of a threat exploiting a vulnerability in an asset, with impact usually measured in terms of cost to the asset's stakeholders. The sum of the products of the threats' impact and the probability of their occurring is the total risk to the information asset.

With the risk assessment complete, the IA practitioner then develops a risk management plan. This plan proposes countermeasures that involve mitigating, eliminating, accepting, or transferring the risks, and considers prevention, detection, and response to threats. A framework published by a standards organization, such as NIST RMF,[3] Risk IT, CobiT, PCI DSS or ISO/IEC 27002, may guide development. Countermeasures may include technical tools such as firewalls and anti-virus software, policies and procedures requiring such controls as regular backups and configuration hardening, employee training in security awareness, or organizing personnel into dedicated computer emergency response team (CERT) or computer security incident response team (CSIRT). The cost and benefit of each countermeasure is carefully considered. Thus, the IA practitioner does not seek to eliminate all risks, were that possible, but to manage them in the most cost-effective way.

After the risk management plan is implemented, it is tested and evaluated, often by means of formal audits. The IA process is an iterative one, in that the risk assessment and risk management plan are meant to be periodically revised and improved based on data gathered about their completeness and effectiveness.

Standards organizations and standards[edit]

There are a number of international and national bodies that issue standards on information assurance practices, policies, and procedures. In the UK, these include the Information Assurance Advisory Council and the Information Assurance Collaboration Group.

See also[edit]


  1. ^ Sosin, Artur (2018). "HOW TO INCREASE THE INFORMATION ASSURANCE IN THE INFORMATION AGE" (PDF). Journal of Defense Resources Management. 9: 45–57.
  2. ^ Richardson, Christopher. "Bridging the air gap: an information assurance perspective" (PDF). ePrints Soton. University of Southampton. Retrieved 3 November 2015.
  3. ^ NIST RMF Retrieved 2019-02-18. Missing or empty |title= (help)
  • Data Encryption; Scientists at Chang Gung University Target Data Encryption. (2011, May). Information Technology Newsweekly,149. Retrieved October 30, 2011, from ProQuest Computing. (Document ID: 2350804731).
  • Stephenson (2010). "Authentication: A pillar of information assurance". SC Magazine. 21 (1): 55.
  • Cummings, Roger (2002). "The Evolution of Information Assurance" (PDF). Computer. 35 (12): 65–72. doi:10.1109/MC.2002.1106181.[permanent dead link]

External links[edit]


Information assurance has also evolved due to social media