Issues in Information Assurance Policy - Term Paper Example

ISSUES IN INFORMATION ASSURANCE POLICY While information technology could be a boon to any organization because of its enabling capabilities. It could also pose a problem especially in regards to how it is controlled as well as its diffusion within the organization. A primary concern, for instance, is how to maintain the confidentiality, integrity, and availability of data within a system. (Straub, Goodman and Baskerville 2008, p. 46) In addition, data must be accurate as well as available to the right people at the right time. It is natural and necessary for organizations to act in its best interest and making user that IT does not compromises is organizational objectives is one of them. An Information Assurance (IA) policy is one of the mechanisms that an organization could use in order to achieve this. This paper will examine the issues in formulating such policy, including an overview of what IA is, the threats it aims to address, the ethics of developing certain rules that concerns rights issues, among other related variables. Background The United States Department of Defense defined Information Assurance as “the information operations that protect and defend information and information systems by ensuring the availability, integrity, authentication, confidentiality and nonrepudiation” including the provision for “restoration of information systems by incorporating protection, detection, and reaction capabilities.” (Boyce and Jennings 2002, p. xii)) This comprehensive definition underscores the breadth of the IA’s coverage. But the most important among its functions concern the treats to security which could come from many different areas including – but not limited to – intentional attacks and also from unintended acts that result from technical, organizational and individual mistakes. It is the human beings who use the information system – those who make decisions, who exploit it and use it – usually cause uncertainty and risks. According to a study Bidgoli (2006), attacks and threats to information systems within an organization are almost evenly split between those originating from the outside and those from the inside. (p. 4) This fact underscores how an Information Assurance policy must aim its operations towards both the outsider and insider attacks of all forms. Strategic Development In developing an organizational information assurance, the fundamental rule in Oliva’s mind, is to start within the enterprise architecture. (p. 32) The reason for this is that all organizations are founded in this framework - from the mission of the organization, how it is governed, the objectives, the business processes, and all related variables. From this perspective, a policy-maker or an analyst can determine the information assurance requirements of the organization as well as the required defense in depth. Oliva constructed a model for this principle, arguing that the dimensions of the illustration, portrays information in a much more relevant context (see. Fig. 1). Fig. 1: Enterprise Architecture Perspective (Oliva, p. 32) There are many solutions and models available for organizations in building their own Information Assurance system. For instance, there is the so-called Protect-Detect-React-Deter (PDRD) model, which recently became popular among information security experts. Blyth and Kovacich (2006) explained that PDRD is a true system that is holistic in its approach to the issues confronting Information Assurance. (p. 97) Of particular importance to this model is its ability to detect intrusion, with its comprehensive programmed catalogue of attackers and its capability to prevent them. A paramount consideration in drafting an IA policy or in adopting an IA model is how to address the security threat coming from within. As previously mentioned, almost an equal percentage of threat exist within the organization – from people, employees, using the system. In order to tackle this problem, an IA policy must contain the obligations, the mandated behavior as well as the degree to which an employee can be held responsible for his or her behavior as a system user. Employee Monitoring An important area in information assurance is employee monitoring and privacy. Boyce and Jennings stated that privacy issues fall into two basic forms: “information about ourselves to which we have revealed for public use and personal information about ourselves to which we want to control access.” (p. 27) With these forms, IA must work around the principle that the protection and private information of individual users have to be protected while at the same time ensuring the organization’s information and the system that are in use are utilized for legitimate, authorized and organizationally-sanctioned usage. It is legitimate for organizations to monitor the use by employees of the organization-owned equipments and computing facilities. While this may appear intrusive to the employees’ activities, it is rightly justified because whatever transpires within the work premises are expected to be work-related and not concerning anything about personal affairs. The organization, however, needs to formalize this practice and draft a policy document in order to avoid questions on ethics in the future. This policy needs to outline specific uses of equipment as well the guidelines in their use. According to Kaucher, “a statement that the employee should not expect any privacy in their use of the system is often all that is needed for enforcement of the policy.” (p. 34) For instance, a company can develop an application that would display guidelines and rules in the computer monitor every time a user logs in. Such guideline, which could be in the form of a banner, can state in a clear manner that the system or same internal mechanism in place is monitoring the usage of the equipment as well as the access and transmission of data in any form, including personal email correspondence. With this statement of IA policy in place, the user knows that there is no privacy involved in the use of the equipment. The above example is an extreme scenario that resembles the policy of the US Department of Defense wherein information is a matter of national security. In typical organizations, IA policy could softer and less strict. Certainly, the personal use of computing facilities cannot be avoided. For instance, an employee might want to check CNN online to know if a storm would affect his family at home. Then, he might also want to check weather websites for the same purpose. The issue in regards to what sites are permitted to be accessed is a gray area and if not specifically addressed could actual blur the lines on what is acceptable usage. The key in this dilemma, wrote Kaucher, is common sense. Here, there should be a management decision that applies common sense to what is considered permitted and what is not. (p. 34) Again, it all boils down to the policy statement that would be enforced. Technology and privacy can mutually reinforce each other. This is demonstrated when people or organizations go to greater lengths in order to protect information – much like what IA does for organizations. This is analagous to a situation when an individual is inside his car, feeling all secured with all the active and passive security mechanisms that older models could not provide. It is in this context wherein the importance of security in the context of IT and organizational requirements are underscored. Mahmood (2005) stressed that this is the most important rationale for information assurance as it served as a precondition for feeling secure with interacting with computers not just for organizations but also for individual users as well. (p. 196) In many cases, IA protects individual privacy as much as it makes the organizational information secure and private. Issue of Ethics The ethical dilemma in regards to the development and implementation of an IA policy is the way privacy and security can contradict each other. This contradiction can occur in many areas. Mahmood outlined some of the most important of these: Issue of Trust: Security and its purpose have their limiting power on the exchange of ideas, which, for its part, breeds and thrives on free exchange. When security is increased, the offshoot is that free speech and trust decrease. The ethical question is when organizations trust technology more than they do people and when freedom is clipped and subordinated to economic considerations. Security, Privacy and Power: This area of ethical dilemma in IA policy is demonstrated in the perception of IA, along with other security mechanisms as expression of power of particular groups and individuals. “In this setting, security usually means control over access and use of systems, and, in many cases, this will be in contradiction to the power to protect one’s privacy.” (p. 197) Then, there is also the issue of surveillance as illustrated in the discussion of employee monitoring elsewhere in this paper. The issue is particularly important when the subject touches on the magnitude and degree of monitoring involved. The ethical issues raised here as well as by others are controversial and depending on certain point of views, could be either problematic or surmountable. In the end, there is a need to balance – as previously mentioned – individual and organizational rights. The IA policy statement also tackles this issue because it is a formalized document that outlines what the employees should expect. Also, another forceful argument for the IA mechanisms to be legitimate is for it to be sensible and based on sound principles. A related issue at here is the need for the IA manager/enforcer to know the legal boundaries in order to ensure that he/she does not overstep those bounds. (Boyce and Jennings, p. 109) Assessment Finally, assessment and evaluation is also an integral issue in any attempt to implement an IA policy. Today’s trends and developments could no longer be true tomorrow. And so the IA policy statement must be continually changed or be designed to be flexible and dynamic in order to be effective. The federal government through its numerous relevant agencies and statutes requires programs, initiatives, infrastructures, systems, among other IT-related security concepts to be continually tested and evaluated. For instance, the Federal Information Security Management Act or FISMA requires information security programs to be periodically tested for effectiveness and that such testing should include the management, operational and technical controls of every system identified in its information systems inventory. (GAO 2005, p. 13) There are numerous assessment and measurement models available for organizations to adopt to suit their organizational IA requirements. For example, there is the so-called “balanced scorecard approach” which provide “meaningful assessment of not only what and how well an organization is doing, but also why it is doing certain things.” (Birchall et al., p. 37) Then, there’s also the widely adopted model in the information assurance industry called Threat-Vulnerability-Asset (TVA) Matrix. This model “enumerates and characterizes assets, discern and evaluate threats against those assets, and identify the active and latent vulnerabilities that are present or likely.” (Mattord and Wiant 2008, p. 69) Experts also call these assessment models as auditing models and identifying two fundamental types: A controls-based audit, which uses the controls stated in the IA policy to build the audit mechanism; and, the standards-based audit, which uses a set of controls approved as an industry standard for assessment. (Rao, Gupta and Upadhyaya 2007, p. 86) Assessment mechanism is underscored by the fact that the a key weakness, as reported by GAO in its study of several auditing models, in information assurance policy development and enforcement is that information assurance managers and information assurance officers reported that they did not understand the requirements for reporting security vulnerabilities, how to document and report plans of action as well as successful milestones and developments in programs and frameworks. (p. 16) Conclusion As with any organizational policies, the Information Assurance policy reflects the position of the organization in protecting and securing its information assets. The degree of rigidity and the manner in which it encroaches individual rights are validated by the need of the organization to preserve itself. Threats coming from attacks to information infrastructure can already be a matter of survival in itself today for organizations. Users within the organizations are also aware of this. But all in all, in order for organizations to successfully enforce its own IA policy and avoid questions of ethics, it must adopt and implement a full-proof and forceful but sensible policy. Central to this purpose is formalizing every aspect of the policy so everyone is aware. Finally, there is also the issue of assessment. IA policy has to be continually evaluated and reformed in order to be effective, especially in light of the continuing and rapid changes that occur in the information technology field. References Bidgoli, Hossein. (2006). Handbook of information security, Volume 3. John Wiley and Sons. Birchall, David, Ezingeard, Jean-Noel, McFadzean, Elspeth, Howlin, Neal and Yoxall, David. (2004). Information assurance: Strategic alignment and competitive advantage. London: Grist, Ltd. Blyth, Andrew and Kovacich, Gerald. (2006). Information assurance: security in the information environment. London: Springer Science & Business. Boyce, Joseph and Jennings, Dan. (2002). Information assurance: managing organizational IT security risks. Butterworth-Heinemann. Mahmood, Mo Adam. (2005). Advanced Topics in End User Computing, Volume 4. Idea Group Inc. (IGI). Mattord, Herbert and Wiant, Terry. (2008). “Information System Risk Assessment and Documentation.” In Straub, Goodman and Baskerville’s Information security: policy, processes, and practices. M.E. Sharpe. Oliva, Lawrence. (2004). Information technology security, advice from experts. Rao, H. Raghav, Gupta, Manish and Upadhyaya, Shambu. (2007). Managing information assurance in financial services. Idea Group Inc. (IGI. Straub, Detmar, Goodman, Seymour and Baskerville, Richard. (2008). Information security: policy, processes, and practices. M.E. Sharpe. US Government Accountability Office (GAO). (2005). Information Security. Washington, D.C.: DIANE Publishing. Read More