For businesses that store or exchange sensitive proprietary or personal data over information networks, the individual machines on those networks are usually not what is at risk; the information inside them is what needs protection. As network security incidents became more prevalent, information assurance (IA) grew into an essential professional discipline, one that is critical to the safety of public and private information. Professionals in this field need a flexible skill set that they can adapt to protect an organization against a range of threats, from cyber espionage to outright cyber attacks. The following five pillars of information assurance, taken from the Department of Defense cyber security model, are oft-referenced guidelines for keeping an information system safe against both manmade and natural threats.
Availability means that authorized users can reach the data stored on their networks and use the services those networks provide, whenever they need to. Without reliable access, users are limited in their ability to retrieve important information or perform critical tasks. Threats to availability are becoming more complex because more of the world's information is online and exposed to attackers; denial-of-service attacks, ransomware and plain hardware failure can all take data offline. For instance, if a cybercriminal renders an automated car's operating system inoperable, the car could cause an accident. Businesses face the same kind of risk: if a company's leaders cannot reach the data they need when making decisions, the company could lose revenue as a result. IA professionals must know how to block threats to availability using tools like firewalls and rate limiting, and how to implement other, more involved measures such as redundant systems and tested backups, so that a single failure or attack does not take the data with it.
Integrity means that data, and the systems that process it, are not altered, deleted or corrupted without authorization, whether by an attacker, by malware or by accident; the primary goal of this pillar is to set up safeguards that prevent unauthorized changes and make any that do occur detectable. Viruses and other malicious code are among the most common threats to integrity. To keep malware from deleting or damaging files, IA professionals use antivirus software and other tools to stop it before it reaches the system, and they record cryptographic hashes or digital signatures of important files so that a later change can be spotted. They also develop policies to keep users in their organizations from mishandling data and run penetration tests to simulate attacks on the system. These tests show whether the defenses actually hold up; where the IA professionals find weaknesses, they repair and secure the system and protect the integrity of the data within it. Having the right IA rules and practices in place helps keep an organization's information and systems secure.
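As an added illustration (this is example code, not part of the original article or any vendor's product), the following Python script records a SHA-256 digest of every file under a directory and later reports which files were modified, added or removed. The directory layout, the file names and the "tampering" are all constructed for the demonstration. A manifest like this protects integrity only if the manifest itself is kept where an intruder cannot rewrite it, for example signed or stored off the host.

```python
"""Detect unauthorized file changes with a SHA-256 manifest.

Added example (not from the original article). Assumes a directory of files
whose known-good state is recorded once; later runs compare against it.
"""
import hashlib
import os
import tempfile

CHUNK = 1 << 16


def sha256_file(path):
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file under root (relative path) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_manifest(root, manifest):
    """Compare the current tree against a trusted manifest.

    Returns sorted lists of 'modified', 'added' and 'missing' paths;
    all three empty means integrity is intact.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "added": sorted(p for p in current if p not in manifest),
        "missing": sorted(p for p in manifest if p not in current),
    }


def demo():
    """Constructed scenario: baseline a tree, then tamper with it and re-check."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "config.ini"), "w") as f:
            f.write("admin_port=8443\n")
        with open(os.path.join(root, "app.py"), "w") as f:
            f.write("print('hello')\n")

        baseline = build_manifest(root)
        clean = verify_manifest(root, baseline)

        # Simulated tampering: edit one file, drop a new one in, delete another.
        with open(os.path.join(root, "etc", "config.ini"), "a") as f:
            f.write("debug=true\n")
        with open(os.path.join(root, "backdoor.py"), "w") as f:
            f.write("import os\n")
        os.remove(os.path.join(root, "app.py"))

        tampered = verify_manifest(root, baseline)
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean run:", before)        # all three lists empty
    print("after tampering:", after)   # config.ini modified, backdoor.py added, app.py missing
```

In practice the baseline would be built from a known-good image and re-checked on a schedule; the same comparison logic is what host-based file integrity monitors run.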
Authentication is how an information system verifies a claimed identity, of a user, a device or a process, before granting access to data. Common authentication methods include a username and password combination, one-time codes from a hardware or software token, and biometric logins such as fingerprint recognition; combining two of these (multi-factor authentication) makes a single stolen secret far less useful. When an authentication system is compromised, data can be stolen and information services can be impaired. A high-profile example of an authentication attack occurred in 2011, when attackers used a combination of phishing and malware to take control of a computer operated by an employee of RSA, a large security company. RSA disclosed that the criminals, once in control, stole several account passwords from the employee and then used them to reach the company's internal systems.
With those passwords in hand, the attackers bypassed the authentication controls and downloaded sensitive data from the company. Their entry method was blocked and the vulnerable data secured, but the attack caused RSA lasting damage. While RSA has not disclosed the full extent of what was stolen, the company did state that the breach damaged its reputation and could reduce the effectiveness of some of its security products, specifically its SecurID authentication tokens. The RSA attack is an example of a complex, multi-stage authentication attack, but attackers can also try to force their way through authentication systems with simple methods like brute force attacks, in which a program rapidly tries thousands or even millions of password guesses until one works. Slow password hashing, rate limiting and account lockouts, and a second authentication factor all blunt this kind of attack. When it comes to combatting attacks like these, it is up to IA professionals to investigate any exploitable flaws in their authentication systems and take action to eliminate them.
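The following Python example is added here to show the brute-force defenses just described; it is not RSA's code or the article's. It hashes passwords with PBKDF2-HMAC-SHA256 so that every guess costs real CPU time, compares digests in constant time, and locks an account after five consecutive failures. The user, password and the attacker's word list are constructed, and the injectable clock exists only so the lockout expiry can be demonstrated without waiting.

```python
"""Password verification hardened against online brute force.

Added example (not RSA's code or the article's). Assumes an in-memory user
store; names, passwords and the attacker's word list are constructed.
"""
import hashlib
import hmac
import os
import time

PBKDF2_ROUNDS = 100_000   # slow hashing: each guess costs the attacker real CPU time
MAX_FAILURES = 5          # lock the account after this many consecutive misses
LOCKOUT_SECONDS = 900


def hash_password(password, salt=None):
    """Return (salt, digest) using PBKDF2-HMAC-SHA256 and a random 16-byte salt."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class Authenticator:
    def __init__(self, clock=time.monotonic):
        self._users = {}   # username -> {"salt", "digest", "failures", "locked_until"}
        self._clock = clock   # injectable clock so lockout expiry can be simulated

    def register(self, username, password):
        salt, digest = hash_password(password)
        self._users[username] = {"salt": salt, "digest": digest,
                                 "failures": 0, "locked_until": 0.0}

    def login(self, username, password):
        """Return 'ok', 'bad_credentials' or 'locked'. Unknown users still burn a
        PBKDF2 computation so response time does not reveal which accounts exist."""
        rec = self._users.get(username)
        if rec is None:
            hash_password(password, b"\x00" * 16)
            return "bad_credentials"
        now = self._clock()
        if now < rec["locked_until"]:
            return "locked"
        _, candidate = hash_password(password, rec["salt"])
        if hmac.compare_digest(candidate, rec["digest"]):   # constant-time compare
            rec["failures"] = 0
            return "ok"
        rec["failures"] += 1
        if rec["failures"] >= MAX_FAILURES:
            rec["locked_until"] = now + LOCKOUT_SECONDS
        return "bad_credentials"


def simulate_brute_force(auth, username, wordlist):
    """Try every guess in order and count each outcome."""
    counts = {"ok": 0, "bad_credentials": 0, "locked": 0}
    for guess in wordlist:
        counts[auth.login(username, guess)] += 1
    return counts


def demo():
    """Constructed scenario: the real password is the 8th guess, after the lockout."""
    fake_time = [1000.0]
    auth = Authenticator(clock=lambda: fake_time[0])
    auth.register("alice", "correct horse battery staple")
    wordlist = ["123456", "password", "alice", "letmein", "qwerty",
                "welcome", "admin", "correct horse battery staple"]
    result = simulate_brute_force(auth, "alice", wordlist)   # 5 rejected, then 3 'locked'
    fake_time[0] += LOCKOUT_SECONDS + 1        # lockout expires; the real user gets in
    after_wait = auth.login("alice", "correct horse battery staple")
    return result, after_wait


if __name__ == "__main__":
    print(demo())
```

Note the trade-off: a per-account lockout lets an attacker who knows a username deny that user service, so real deployments pair it with per-source rate limiting and a second factor rather than relying on lockout alone.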
Keeping sensitive data private using safeguards like encryption is one of the most important functions of IA professionals. Confidentiality means protecting private information from disclosure to any unauthorized user, system or other entity. Confidentiality must be considered in terms of the data itself, not just in terms of access or permissions: data should stay protected, for example by encryption in transit and at rest, even when it leaves the systems that normally guard it. Only those who are authorized should be able to reach the data, or the devices and processes that hold it. Prioritizing confidentiality helps companies keep their ideas from being stolen while protecting their customers from having personal information exploited.
In early 2018, the international shipping giant FedEx learned that scanned images of approximately 119,000 of its customers' personal documents, including passports and driver's licenses, had been exposed. The images were sitting on an unsecured, publicly reachable third-party server, which has since been taken offline. According to a statement by FedEx, an internal investigation concluded that none of the information had been misappropriated. That was a stroke of luck for FedEx, but the case is a compelling example of how a simple misconfiguration can put a large amount of private data at risk.
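The FedEx exposure came down to data sitting where anyone could read it. The Python below is an added example (not the article's or FedEx's code) of the default-deny authorization model the confidentiality pillar calls for: access is refused unless a policy explicitly grants it, an explicit deny overrides any allow, and an audit function asks what an unauthenticated caller could read. The policy format, the principal names and the object paths are constructed for illustration; "anonymous" is a placeholder principal that no policy names, so only wildcard grants match it.

```python
"""Default-deny access policy with an audit for publicly readable objects.

Added example (not FedEx's system or the article's code). The policy
format, principals and object paths are constructed for illustration.
"""

PUBLIC = "*"            # wildcard principal: anyone, authenticated or not
ANON = "anonymous"      # probe principal that no policy names explicitly


def _resource_matches(pattern, resource):
    """Exact match, or prefix match for patterns ending in '/*'."""
    if pattern.endswith("/*"):
        return resource.startswith(pattern[:-1])
    return resource == pattern


def is_allowed(principal, action, resource, policies):
    """Evaluate like a typical cloud IAM: no matching allow means deny,
    and any matching explicit deny overrides every allow."""
    allowed = False
    for p in policies:
        if p["principal"] not in (principal, PUBLIC):
            continue
        if action not in p["actions"] or not _resource_matches(p["resource"], resource):
            continue
        if p["effect"] == "deny":
            return False
        allowed = True
    return allowed


def find_public_reads(policies):
    """Audit: list every resource pattern an unauthenticated caller can read."""
    exposed = []
    for pattern in sorted({p["resource"] for p in policies}):
        probe = pattern[:-1] + "probe" if pattern.endswith("/*") else pattern
        if is_allowed(ANON, "read", probe, policies):
            exposed.append(pattern)
    return exposed


def demo():
    """Constructed scenario: a stray wildcard grant exposes customer ID scans."""
    policies = [
        # intended: only the ops role handles scanned customer documents
        {"principal": "role:ops", "effect": "allow",
         "actions": ["read", "write"], "resource": "docs/customer-ids/*"},
        # misconfiguration: a "just make it work" grant to everyone on the same prefix
        {"principal": PUBLIC, "effect": "allow",
         "actions": ["read"], "resource": "docs/customer-ids/*"},
        # marketing brochures are meant to be world-readable
        {"principal": PUBLIC, "effect": "allow",
         "actions": ["read"], "resource": "docs/brochures/*"},
    ]
    scan = "docs/customer-ids/passport-1041.png"
    before = (find_public_reads(policies), is_allowed(ANON, "read", scan, policies))

    # Remediation: drop the stray public allow. A wildcard deny would not do,
    # because it would match role:ops as well and lock the legitimate users out.
    fixed = [p for p in policies
             if not (p["principal"] == PUBLIC and p["resource"] == "docs/customer-ids/*")]
    after = (find_public_reads(fixed),
             is_allowed(ANON, "read", scan, fixed),
             is_allowed("role:ops", "read", scan, fixed))
    return before, after


if __name__ == "__main__":
    print(demo())   # before: both prefixes public; after: only brochures, ops still allowed
```

Running the audit as a scheduled check against the real policy store is the cheap control that would have flagged an exposure like FedEx's before a researcher or an attacker found it.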
When individuals send information over a network, the information system should be able to prove that a given message was sent by a given sender and delivered to a given recipient, so that neither side can later deny its part in the exchange. This property is called non-repudiation, and it is what lets an organization establish who was responsible for processing particular data. Repudiation attacks are not common, but a general example is manipulating the access logs on a computer so that it is difficult or impossible to tell which user was logged in at a specific time. If a user engages in unauthorized activity during such an attack, the organization will struggle to determine who was responsible, which limits its ability to prevent a recurrence. Non-repudiation attacks are rare today largely because of the controls IA professionals have built into network infrastructure: digital signatures, synchronized timestamps and tamper-evident audit logs that consistently track and verify cross-network data exchanges and tie each action to a specific identity.
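To make the log-manipulation scenario above concrete, here is an added Python example (not the article's code) of a tamper-evident access log. Each record is sealed with an HMAC over the previous record's seal and its own content, so editing, deleting or reordering any entry breaks verification from that point on. The key, hosts, users and events are constructed, and the assumption is that the HMAC key lives with a separate logging service, not on the hosts being logged. An HMAC only proves the log was written by a holder of that key; where the parties to an exchange must be unable to deny it to each other, a digital signature under the sender's private key is needed instead.

```python
"""Tamper-evident access log: hash chain plus per-entry HMAC.

Added example (not the article's code). Assumes the HMAC key is held by a
separate logging service, not by the hosts being logged. All entries are
constructed.
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64      # stand-in for the "previous seal" of the first entry


def _seal(key, prev_seal, entry):
    """HMAC-SHA256 over the previous seal and this entry's canonical JSON."""
    payload = prev_seal.encode() + json.dumps(entry, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append(log, key, entry):
    """Append an entry whose seal commits to every entry before it."""
    prev = log[-1]["seal"] if log else GENESIS
    log.append({"entry": entry, "seal": _seal(key, prev, entry)})
    return log


def verify(log, key):
    """Return the index of the first record that fails verification, or None."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if not hmac.compare_digest(_seal(key, prev, rec["entry"]), rec["seal"]):
            return i
        prev = rec["seal"]
    return None


def who_was_logged_in(log, host, at):
    """Attribute activity: users with an open session on `host` at time `at`."""
    active = {}
    for rec in log:
        e = rec["entry"]
        if e["host"] != host or e["ts"] > at:
            continue
        if e["event"] == "logon":
            active[e["user"]] = e["ts"]
        elif e["event"] == "logoff":
            active.pop(e["user"], None)
    return sorted(active)


def demo():
    key = b"constructed-logging-service-key"
    log = []
    append(log, key, {"ts": 100, "host": "ws-07", "user": "mallory", "event": "logon"})
    append(log, key, {"ts": 130, "host": "ws-07", "user": "mallory",
                      "event": "file_read", "path": "/finance/q3-forecast.xlsx"})
    append(log, key, {"ts": 160, "host": "ws-07", "user": "mallory", "event": "logoff"})
    intact = verify(log, key)                        # None: chain checks out
    suspect = who_was_logged_in(log, "ws-07", 130)   # ['mallory']

    # Repudiation attempt 1: rewrite the logon so the session looks like someone else's.
    log[0]["entry"]["user"] = "alice"
    edit_idx = verify(log, key)                      # 0: record no longer matches its seal
    log[0]["entry"]["user"] = "mallory"              # undo for the next attempt

    # Repudiation attempt 2: delete the incriminating file_read record.
    del log[1]
    delete_idx = verify(log, key)                    # 1: the next seal committed to the missing record
    return intact, suspect, edit_idx, delete_idx


if __name__ == "__main__":
    print(demo())
```

Because every seal depends on the one before it, the attacker cannot repair the chain after an edit without the key, and even a key holder cannot silently remove a record once a later seal has committed to it and been shipped off the host.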
Implementing the Five Pillars of Information Assurance
Information security analysts use their knowledge of computer systems and networks to defend organizations from cyber threats. They monitor networks for signs of a security breach and investigate any they find, and they are responsible for setting up protective measures within information systems. To ensure that those measures satisfy the five pillars of information assurance, they also conduct penetration tests that simulate attacks so they can identify vulnerabilities real attackers could exploit. In recent years the information technology and security fields have grown rapidly because most industries now depend on information networks, and information security specialists are in high demand as a result. In fact, the Bureau of Labor Statistics (BLS) reported that information security analysts across the U.S. earned a median annual salary of $95,520 in 2017, with a forecasted 28 percent increase in available jobs between 2016 and 2026; that is roughly 28,500 jobs added to the approximately 100,000 that existed in 2016.
While some entry-level positions in cybersecurity require a bachelor’s degree, many IA professionals choose a Master of Science in Cybersecurity degree program because they believe it might give them a competitive edge when competing for jobs, especially executive-level leadership positions in cybersecurity, information assurance or risk management. All of these jobs borrow from the Five Pillars of Information Assurance, which go beyond cyber security and encompass anything that can compromise data, ranging from malicious attacks to power surges. Whatever the issue, information assurance professionals can rely on the Five Pillars to provide a framework for protecting data and users.
As the nation’s oldest private military college, Norwich University has been a leader in innovative education since 1819. Through its online programs, Norwich delivers relevant and applicable curricula that allow its students to make a positive impact on their workplaces and communities.
At Norwich University, we extend a tradition of values-based education, where structured, disciplined, and rigorous studies create a challenging and rewarding experience. Online programs, such as the Master of Science in Cybersecurity, have made our comprehensive curriculum available to more students than ever before.
Norwich University has been designated as a National Center of Academic Excellence in Cyber Defense by the National Security Agency and Department of Homeland Security. Students enrolled in the online Master of Science in Cybersecurity program can choose from five concentrations that are designed to provide an in-depth examination of the policies, procedures, and overall structure of a cybersecurity program.
Pillars of Cyber Security, United States Naval Academy
Information Assurance, United States Naval Academy
Information Security Analysts, Bureau of Labor Statistics
The most infamous data breaches, Techworld
Hacking crisis costs EMC reputation in security, Reuters
The RSA Hack: How They Did It, The New York Times