StudentShare
Contact Us
Sign In / Sign Up for FREE
Search
Go to advanced search...
Free

Issues in Information Assurance Policy - Term Paper Example

Cite this document
Summary
This term paper "Issues in Information Assurance Policy" examines the issues in formulating such policy, including an overview of what IA is, the threats it aims to address, and the ethics of developing certain rules that concern rights issues, among other related variables…
Download full paper File format: .doc, available for editing
GRAB THE BEST PAPER98% of users find it useful
Issues in Information Assurance Policy
Read Text Preview

Extract of sample "Issues in Information Assurance Policy"

ISSUES IN INFORMATION ASSURANCE POLICY While information technology could be a boon to any organization because of its enabling capabilities. It could also pose a problem especially in regards to how it is controlled as well as its diffusion within the organization. A primary concern, for instance, is how to maintain the confidentiality, integrity, and availability of data within a system. (Straub, Goodman and Baskerville 2008, p. 46) In addition, data must be accurate as well as available to the right people at the right time. It is natural and necessary for organizations to act in its best interest and making user that IT does not compromises is organizational objectives is one of them. An Information Assurance (IA) policy is one of the mechanisms that an organization could use in order to achieve this. This paper will examine the issues in formulating such policy, including an overview of what IA is, the threats it aims to address, the ethics of developing certain rules that concerns rights issues, among other related variables. Background The United States Department of Defense defined Information Assurance as “the information operations that protect and defend information and information systems by ensuring the availability, integrity, authentication, confidentiality and nonrepudiation” including the provision for “restoration of information systems by incorporating protection, detection, and reaction capabilities.” (Boyce and Jennings 2002, p. xii)) This comprehensive definition underscores the breadth of the IA’s coverage. But the most important among its functions concern the treats to security which could come from many different areas including – but not limited to – intentional attacks and also from unintended acts that result from technical, organizational and individual mistakes. It is the human beings who use the information system – those who make decisions, who exploit it and use it – usually cause uncertainty and risks. According to a study Bidgoli (2006), attacks and threats to information systems within an organization are almost evenly split between those originating from the outside and those from the inside. (p. 4) This fact underscores how an Information Assurance policy must aim its operations towards both the outsider and insider attacks of all forms. Strategic Development In developing an organizational information assurance, the fundamental rule in Oliva’s mind, is to start within the enterprise architecture. (p. 32) The reason for this is that all organizations are founded in this framework - from the mission of the organization, how it is governed, the objectives, the business processes, and all related variables. From this perspective, a policy-maker or an analyst can determine the information assurance requirements of the organization as well as the required defense in depth. Oliva constructed a model for this principle, arguing that the dimensions of the illustration, portrays information in a much more relevant context (see. Fig. 1). Fig. 1: Enterprise Architecture Perspective (Oliva, p. 32) There are many solutions and models available for organizations in building their own Information Assurance system. For instance, there is the so-called Protect-Detect-React-Deter (PDRD) model, which recently became popular among information security experts. Blyth and Kovacich (2006) explained that PDRD is a true system that is holistic in its approach to the issues confronting Information Assurance. (p. 97) Of particular importance to this model is its ability to detect intrusion, with its comprehensive programmed catalogue of attackers and its capability to prevent them. A paramount consideration in drafting an IA policy or in adopting an IA model is how to address the security threat coming from within. As previously mentioned, almost an equal percentage of threat exist within the organization – from people, employees, using the system. In order to tackle this problem, an IA policy must contain the obligations, the mandated behavior as well as the degree to which an employee can be held responsible for his or her behavior as a system user. Employee Monitoring An important area in information assurance is employee monitoring and privacy. Boyce and Jennings stated that privacy issues fall into two basic forms: “information about ourselves to which we have revealed for public use and personal information about ourselves to which we want to control access.” (p. 27) With these forms, IA must work around the principle that the protection and private information of individual users have to be protected while at the same time ensuring the organization’s information and the system that are in use are utilized for legitimate, authorized and organizationally-sanctioned usage. It is legitimate for organizations to monitor the use by employees of the organization-owned equipments and computing facilities. While this may appear intrusive to the employees’ activities, it is rightly justified because whatever transpires within the work premises are expected to be work-related and not concerning anything about personal affairs. The organization, however, needs to formalize this practice and draft a policy document in order to avoid questions on ethics in the future. This policy needs to outline specific uses of equipment as well the guidelines in their use. According to Kaucher, “a statement that the employee should not expect any privacy in their use of the system is often all that is needed for enforcement of the policy.” (p. 34) For instance, a company can develop an application that would display guidelines and rules in the computer monitor every time a user logs in. Such guideline, which could be in the form of a banner, can state in a clear manner that the system or same internal mechanism in place is monitoring the usage of the equipment as well as the access and transmission of data in any form, including personal email correspondence. With this statement of IA policy in place, the user knows that there is no privacy involved in the use of the equipment. The above example is an extreme scenario that resembles the policy of the US Department of Defense wherein information is a matter of national security. In typical organizations, IA policy could softer and less strict. Certainly, the personal use of computing facilities cannot be avoided. For instance, an employee might want to check CNN online to know if a storm would affect his family at home. Then, he might also want to check weather websites for the same purpose. The issue in regards to what sites are permitted to be accessed is a gray area and if not specifically addressed could actual blur the lines on what is acceptable usage. The key in this dilemma, wrote Kaucher, is common sense. Here, there should be a management decision that applies common sense to what is considered permitted and what is not. (p. 34) Again, it all boils down to the policy statement that would be enforced. Technology and privacy can mutually reinforce each other. This is demonstrated when people or organizations go to greater lengths in order to protect information – much like what IA does for organizations. This is analagous to a situation when an individual is inside his car, feeling all secured with all the active and passive security mechanisms that older models could not provide. It is in this context wherein the importance of security in the context of IT and organizational requirements are underscored. Mahmood (2005) stressed that this is the most important rationale for information assurance as it served as a precondition for feeling secure with interacting with computers not just for organizations but also for individual users as well. (p. 196) In many cases, IA protects individual privacy as much as it makes the organizational information secure and private. Issue of Ethics The ethical dilemma in regards to the development and implementation of an IA policy is the way privacy and security can contradict each other. This contradiction can occur in many areas. Mahmood outlined some of the most important of these: Issue of Trust: Security and its purpose have their limiting power on the exchange of ideas, which, for its part, breeds and thrives on free exchange. When security is increased, the offshoot is that free speech and trust decrease. The ethical question is when organizations trust technology more than they do people and when freedom is clipped and subordinated to economic considerations. Security, Privacy and Power: This area of ethical dilemma in IA policy is demonstrated in the perception of IA, along with other security mechanisms as expression of power of particular groups and individuals. “In this setting, security usually means control over access and use of systems, and, in many cases, this will be in contradiction to the power to protect one’s privacy.” (p. 197) Then, there is also the issue of surveillance as illustrated in the discussion of employee monitoring elsewhere in this paper. The issue is particularly important when the subject touches on the magnitude and degree of monitoring involved. The ethical issues raised here as well as by others are controversial and depending on certain point of views, could be either problematic or surmountable. In the end, there is a need to balance – as previously mentioned – individual and organizational rights. The IA policy statement also tackles this issue because it is a formalized document that outlines what the employees should expect. Also, another forceful argument for the IA mechanisms to be legitimate is for it to be sensible and based on sound principles. A related issue at here is the need for the IA manager/enforcer to know the legal boundaries in order to ensure that he/she does not overstep those bounds. (Boyce and Jennings, p. 109) Assessment Finally, assessment and evaluation is also an integral issue in any attempt to implement an IA policy. Today’s trends and developments could no longer be true tomorrow. And so the IA policy statement must be continually changed or be designed to be flexible and dynamic in order to be effective. The federal government through its numerous relevant agencies and statutes requires programs, initiatives, infrastructures, systems, among other IT-related security concepts to be continually tested and evaluated. For instance, the Federal Information Security Management Act or FISMA requires information security programs to be periodically tested for effectiveness and that such testing should include the management, operational and technical controls of every system identified in its information systems inventory. (GAO 2005, p. 13) There are numerous assessment and measurement models available for organizations to adopt to suit their organizational IA requirements. For example, there is the so-called “balanced scorecard approach” which provide “meaningful assessment of not only what and how well an organization is doing, but also why it is doing certain things.” (Birchall et al., p. 37) Then, there’s also the widely adopted model in the information assurance industry called Threat-Vulnerability-Asset (TVA) Matrix. This model “enumerates and characterizes assets, discern and evaluate threats against those assets, and identify the active and latent vulnerabilities that are present or likely.” (Mattord and Wiant 2008, p. 69) Experts also call these assessment models as auditing models and identifying two fundamental types: A controls-based audit, which uses the controls stated in the IA policy to build the audit mechanism; and, the standards-based audit, which uses a set of controls approved as an industry standard for assessment. (Rao, Gupta and Upadhyaya 2007, p. 86) Assessment mechanism is underscored by the fact that the a key weakness, as reported by GAO in its study of several auditing models, in information assurance policy development and enforcement is that information assurance managers and information assurance officers reported that they did not understand the requirements for reporting security vulnerabilities, how to document and report plans of action as well as successful milestones and developments in programs and frameworks. (p. 16) Conclusion As with any organizational policies, the Information Assurance policy reflects the position of the organization in protecting and securing its information assets. The degree of rigidity and the manner in which it encroaches individual rights are validated by the need of the organization to preserve itself. Threats coming from attacks to information infrastructure can already be a matter of survival in itself today for organizations. Users within the organizations are also aware of this. But all in all, in order for organizations to successfully enforce its own IA policy and avoid questions of ethics, it must adopt and implement a full-proof and forceful but sensible policy. Central to this purpose is formalizing every aspect of the policy so everyone is aware. Finally, there is also the issue of assessment. IA policy has to be continually evaluated and reformed in order to be effective, especially in light of the continuing and rapid changes that occur in the information technology field. References Bidgoli, Hossein. (2006). Handbook of information security, Volume 3. John Wiley and Sons. Birchall, David, Ezingeard, Jean-Noel, McFadzean, Elspeth, Howlin, Neal and Yoxall, David. (2004). Information assurance: Strategic alignment and competitive advantage. London: Grist, Ltd. Blyth, Andrew and Kovacich, Gerald. (2006). Information assurance: security in the information environment. London: Springer Science & Business. Boyce, Joseph and Jennings, Dan. (2002). Information assurance: managing organizational IT security risks. Butterworth-Heinemann. Mahmood, Mo Adam. (2005). Advanced Topics in End User Computing, Volume 4. Idea Group Inc. (IGI). Mattord, Herbert and Wiant, Terry. (2008). “Information System Risk Assessment and Documentation.” In Straub, Goodman and Baskerville’s Information security: policy, processes, and practices. M.E. Sharpe. Oliva, Lawrence. (2004). Information technology security, advice from experts. Rao, H. Raghav, Gupta, Manish and Upadhyaya, Shambu. (2007). Managing information assurance in financial services. Idea Group Inc. (IGI. Straub, Detmar, Goodman, Seymour and Baskerville, Richard. (2008). Information security: policy, processes, and practices. M.E. Sharpe. US Government Accountability Office (GAO). (2005). Information Security. Washington, D.C.: DIANE Publishing. Read More
Cite this document
  • APA
  • MLA
  • CHICAGO
(“Policy and Assurance Term Paper Example | Topics and Well Written Essays - 2500 words”, n.d.)
Policy and Assurance Term Paper Example | Topics and Well Written Essays - 2500 words. Retrieved from https://studentshare.org/miscellaneous/1572711-policy-and-assurance
(Policy and Assurance Term Paper Example | Topics and Well Written Essays - 2500 Words)
Policy and Assurance Term Paper Example | Topics and Well Written Essays - 2500 Words. https://studentshare.org/miscellaneous/1572711-policy-and-assurance.
“Policy and Assurance Term Paper Example | Topics and Well Written Essays - 2500 Words”, n.d. https://studentshare.org/miscellaneous/1572711-policy-and-assurance.
  • Cited: 0 times

CHECK THESE SAMPLES OF Issues in Information Assurance Policy

Law of Insurance Issues

The study "Law of Insurance Issues" focuses on the critical, and multifaceted analysis of the major issues in the law of insurance.... Andy and Bhavinda seem to have run into a few issues regarding their insurance policy with UDO Insurance Company Limited.... The types of insurance, as well as the details of the policy, are of utmost importance in determining how each issue may be resolved.... Macura had taken out an insurance policy in his own name on timber which legally belonged to the company, although the company was owned and operated by him; after the timber had been destroyed by a fire and Mr....
10 Pages (2500 words) Case Study

Trust as a Crucial Part of the Economics of the Insurance Industry

In the context of monetary policy, where the Central Bank may possess come uncertain preferences, the innovative characteristic could be the allowance of the public to react in two different ways.... From the point of view of the private sector, monetary policy can be applied where, for example, the Central Bank has tentative preferences.... In the progression of framing anticipations or expectations, the assumption of rational expectations enables all the agents involved in sharing the information from the same set....
6 Pages (1500 words) Term Paper

Why Information Assurance (IA) is Important to our Organization

information assurance is technical and managerial measures and designed to ensure the confidentiality, possession or control,.... information assurance as a necessary tool aims at shielding the privacy and reliability of company's network systems as well as ensuring the availability of the information assurance provides the basis that a network system should meet the stipulated security expectations.... information assurance is closely related to information security and the terms are sometimes used interchangeably....
5 Pages (1250 words) Essay

Updated Liberty Identity Assurance Framework

The LIAF will also establish Credential Assessment Profiles (CAPs) for each level of assurance that will be published and updated as needed to account for technological advances and preferred practice and policy updates.... The essay "Updated Liberty Identity assurance Framework" discusses the implementation of a new set of products and services, Liberty Identity assurance Framework (LIAF).... anaging risk in electronic transactions requires authentication and identity information management processes that provide an appropriate level of assurance of identity....
5 Pages (1250 words) Essay

Audit and Assurance

This essay discusses the "Audit and assurance".... It outlines the main purposes of an audit, types of assurance engagements, discusses the independence of the auditor and assurance services for an external audit, ethical threats developed by the International Federation of Accountants (IFAC).... Reasonable assurance is of the high level while a limited assurance is a moderate level assurance....
6 Pages (1500 words) Essay

Issues of Fire Insurance Policy

The paper "Issues of Fire Insurance policy" describes that the insurer is always aware of the risks involved in not honoring claims and may decide if the police are unable to proof arson to pay the claim in a depreciating amount due to lack of non-disclosure of full facts as agreed.... Description of risk is key in claims, should be confirmed that all information during the application of an insurance policy is accurate and remains the same at the time of the loss....
8 Pages (2000 words) Case Study

UK Life Assurance in Relation to Personal Finance

Through the life assurance policy, an insurance company gets into a contract with a client who pays a specified premium so as to have his life or that of his loved ones assured.... The paper 'UK Life assurance in Relation to Personal Finance' is a meaningful example of a finance & accounting term paper.... Life assurance businesses are thriving sectors in the UK economy.... The paper 'UK Life assurance in Relation to Personal Finance' is a meaningful example of a finance & accounting term paper....
9 Pages (2250 words) Term Paper

Quality Assurance in an Organizational Context

This case study "Quality assurance in an Organizational Context" presents quality assurance as a mandatory requirement for all companies all over the world.... It is important for a company to look at the products rather than targeting huge incomes without proper plans for quality assurance.... This company has over a long time been able to maintain the quality of its products and services thus winning consumer confidence; this is the reason why this report is aiming at evaluating various strategies put in place by Sony for quality assurance for its services and products....
11 Pages (2750 words) Case Study
sponsored ads
We use cookies to create the best experience for you. Keep on browsing if you are OK with that, or find out how to manage cookies.
Contact Us