Information Assurance Process

The information assurance process typically begins with the enumeration and classification of the information assets to be protected. Next, the IA practitioner performs a risk assessment for those assets. Vulnerabilities in the information assets are determined in order to enumerate the threats capable of exploiting them. The assessment then considers both the probability and the impact of a threat exploiting a vulnerability in an asset, with impact usually measured in terms of cost to the asset's stakeholders. The total risk to the information asset is the sum, over all threats, of each threat's impact multiplied by the probability of its occurring.

With the risk assessment complete, the IA practitioner then develops a risk management plan. This plan proposes countermeasures that involve mitigating, eliminating, accepting, or transferring the risks, and considers prevention, detection, and response to threats. A framework published by a standards organization, such as Risk IT, CobiT, PCI DSS, ISO 17799 or ISO/IEC 27002, may guide development. Countermeasures may include technical tools such as firewalls and anti-virus software, policies and procedures requiring such controls as regular backups and configuration hardening, employee training in security awareness, or organizing personnel into a dedicated computer emergency response team (CERT) or computer security incident response team (CSIRT). The cost and benefit of each countermeasure are carefully considered. Thus, the IA practitioner does not seek to eliminate all risks, were that possible, but to manage them in the most cost-effective way.

After the risk management plan is implemented, it is tested and evaluated, often by means of formal audits. The IA process is an iterative one, in that the risk assessment and risk management plan are meant to be periodically revised and improved based on data gathered about their completeness and effectiveness.
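The risk calculation and the cost-benefit treatment of countermeasures described above, as an added worked example that is not part of the original article: total risk is the sum of probability times impact over an asset's threats, and a countermeasure is adopted only when the risk it removes exceeds its cost. The asset, threats, probabilities, impacts, costs and reduction factors are all constructed sample values.

```python
"""Risk assessment and cost-benefit selection of countermeasures.
Added illustration (not from the article); every asset, threat, cost and
reduction factor below is constructed sample data."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Threat:
    name: str
    probability: float  # likelihood (per year, assumed) that the threat exploits the vulnerability
    impact: float       # cost to the asset's stakeholders when it does

@dataclass(frozen=True)
class Countermeasure:
    name: str
    threat: str                      # name of the threat it addresses
    annual_cost: float
    probability_factor: float = 1.0  # share of the probability that remains (0..1)
    impact_factor: float = 1.0       # share of the impact that remains (0..1)

def expected_loss(t, cm=None):
    """probability x impact, after applying a countermeasure if one is given."""
    pf, imf = (cm.probability_factor, cm.impact_factor) if cm else (1.0, 1.0)
    return t.probability * pf * t.impact * imf

def total_risk(threats):
    """Total risk to the asset: sum of the products of impact and probability."""
    return sum(expected_loss(t) for t in threats)

def plan_treatments(threats, countermeasures):
    """Mitigate where the removed risk exceeds the control's cost, else accept the risk.
    Returns ({countermeasure: (decision, risk_reduction)}, residual total risk)."""
    by_name = {t.name: t for t in threats}
    residual = {t.name: expected_loss(t) for t in threats}
    decisions = {}
    for cm in countermeasures:
        t = by_name[cm.threat]
        reduction = expected_loss(t) - expected_loss(t, cm)
        if reduction > cm.annual_cost:       # net benefit is positive
            decisions[cm.name] = ("mitigate", reduction)
            residual[t.name] = expected_loss(t, cm)
        else:                                # cheaper to carry the risk than to treat it
            decisions[cm.name] = ("accept", reduction)
    return decisions, sum(residual.values())

# Constructed sample risk register for one asset (a customer database).
THREATS = [Threat("ransomware", 0.20, 250_000),
           Threat("credential theft", 0.50, 40_000),
           Threat("datacenter fire", 0.01, 500_000)]
COUNTERMEASURES = [
    Countermeasure("offline backups", "ransomware", 15_000, impact_factor=0.2),
    Countermeasure("hardware MFA", "credential theft", 8_000, probability_factor=0.1),
    Countermeasure("second datacenter", "datacenter fire", 60_000, impact_factor=0.1)]
```

With these figures the total risk is 75,000; backups and MFA pay for themselves while the second datacenter does not, so that risk is accepted and the residual total falls to 17,000.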
