For years, Information Assurance was essential in Government technology applications. Agencies mandated certain levels of hardening, and vendors met those requirements readily. By achieving those requirements, agencies were assured that their networks and devices were secure. This isn’t the case anymore. By focusing solely on Information Assurance, government agencies leave their networks and data vulnerable.
As technology becomes much more dependent on networks, the internet, and the cloud, new measures need to be implemented in addition to Information Assurance to ensure real security. This holistic approach makes up an organization’s overall Cybersecurity Posture, and it’s that posture that will ensure the security of the information beyond just what IA can offer.
What Really is Information Assurance (IA)?
“Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation.”
– National Institute of Standards and Technology (NIST)
These five elements are often called the five pillars of IA and can be described as:
- Integrity: ensuring that information and information systems are not altered except by authorized means. This includes protecting the software itself and training personnel to minimize phishing, malware, and computer viruses that could modify it.
- Availability: ensuring that the people who need the information can reach it reliably and in a timely way, and that outages, hardware failures, and denial-of-service attacks do not prevent that access.
- Authentication: ensuring that those who are accessing the system are who they say they are. This can include strong passwords, biometrics, 2-factor authentication, and possession of a registered device such as a mobile phone.
- Confidentiality: ensuring that only authorized people can access a given piece of data. This is commonly enforced with user-level or role-based permissions within the software.
- Nonrepudiation: ensuring that someone who performs an action on the system cannot later deny having done it. This is usually supported by a tamper-evident audit or activity log within the software that records who did what, and when.
The goal of IA is to ensure networks and devices are secure, so that information in transit or at rest remains accurate and is only accessed by those who need it. It addresses the hardware and components of a given system, including how different systems communicate with each other across networks. It also addresses how people interact with those systems to an extent.
However, IA in its traditional sense still leaves systems vulnerable to outside attacks. As we look at everything cybersecurity entails, this becomes more obvious.
Thinking Outside the IA Bubble
In practice, IA treats the system as if it were in a bubble with the people and systems that interact with it. It does not account for change over time or for attackers outside that bubble. Cybersecurity focuses on the environment around the information systems in order to provide a more comprehensive security posture.
With more advanced information and communications systems, agencies need to constantly:
- Prevent attacks on systems by minimizing threats
- Mitigate attacks by detecting and responding to attacks; this includes assessing the ability to survive attacks
- Recover from attacks and prepare for the next threat
In order to do the above things well, two important sets of processes need to be put into place.
Active Monitoring
An important part of cybersecurity is Active Monitoring. The purpose of Active Monitoring is to make sure that all processes put in place, along with the security measures themselves, perform as intended. When there is an issue or something out of the ordinary, it can be quickly identified and corrected, and the corrective actions tracked to completion. Active monitoring mitigates risk both for things you already know about and for things you do not yet know but are likely to discover.
As part of monitoring, network infrastructure and network applications should be regularly tested and reviewed for security vulnerabilities and availability. This monitoring should also include analytics that measure key performance indicators against an established baseline, as well as security monitoring and log management. For example, if a phone system handles about 120 calls a day on average and one evening the network sees a large surge of call traffic, that deviation from the baseline should be investigated: it may be a fault, a misconfiguration, or an attack.
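The baseline-deviation check described above, written out as an added example (this is not code from the original article or from any agency tool). It assumes a hypothetical call log in which each inbound call produces one line of the form `YYYY-MM-DD HH:MM:SS INVITE from <ip>`; the log contents are constructed for illustration. The script builds a per-hour-of-day baseline from five quiet weekdays, then flags any hour on a later day whose call count exceeds the baseline mean by more than three standard deviations, with an absolute floor so that a nearly flat baseline cannot alert on a single extra call.

```python
"""Baseline-deviation alerting over constructed call logs (added example)."""
import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Hypothetical log line format assumed for this example:
#   "2024-03-04 09:05:00 INVITE from 203.0.113.7"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) INVITE from (?P<src>\S+)$"
)

BASELINE_DATES = ["2024-03-04", "2024-03-05", "2024-03-06", "2024-03-07", "2024-03-08"]
TARGET_DATE = "2024-03-11"


def make_sample_log():
    """Constructed sample data, not real traffic: five baseline weekdays with
    14-16 calls per business hour and 1-2 per off hour, then a target day that
    is normal except for a 60-call burst at 21:00. One garbled line is included
    to show that malformed input is skipped rather than crashing the parser."""
    lines = []

    def emit(date, hour, n):
        for k in range(n):
            lines.append(f"{date} {hour:02d}:{k % 60:02d}:00 INVITE from 203.0.113.{k % 200 + 1}")

    for i, date in enumerate(BASELINE_DATES):
        for h in range(24):
            emit(date, h, (14 + i % 3) if 8 <= h < 18 else (1 + i % 2))
    for h in range(24):
        emit(TARGET_DATE, h, 60 if h == 21 else (15 if 8 <= h < 18 else 1))
    lines.append("2024-03-11 21:00:00 garbled entry that must not crash the parser")
    return lines


def parse_hourly_counts(lines):
    """Bucket well-formed call lines into {(date, hour): count}; skip the rest."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        counts[(ts.date().isoformat(), ts.hour)] += 1
    return counts


def build_baseline(counts, baseline_dates):
    """Per-hour-of-day mean and population stddev over the baseline days.
    An hour with no lines counts as zero calls, so quiet periods are modelled too."""
    per_hour = defaultdict(list)
    for date in baseline_dates:
        for h in range(24):
            per_hour[h].append(counts.get((date, h), 0))
    return {h: (mean(v), pstdev(v)) for h, v in per_hour.items()}


def find_anomalies(counts, baseline, target_date, sigma=3.0, min_excess=10):
    """Return the hours on target_date whose call count exceeds the baseline.

    Threshold is mean + sigma*stddev but never below mean + min_excess: a very
    stable baseline (stddev near 0) would otherwise alert on one extra call."""
    alerts = []
    for h in range(24):
        observed = counts.get((target_date, h), 0)
        mu, sd = baseline[h]
        threshold = max(mu + sigma * sd, mu + min_excess)
        if observed > threshold:
            alerts.append({"hour": h, "observed": observed,
                           "expected": round(mu, 1), "threshold": round(threshold, 1)})
    return alerts


def run_demo():
    """Build the baseline from the constructed history and check the target day."""
    counts = parse_hourly_counts(make_sample_log())
    baseline = build_baseline(counts, BASELINE_DATES)
    return find_anomalies(counts, baseline, TARGET_DATE)


if __name__ == "__main__":
    for a in run_demo():
        print(f"ALERT {TARGET_DATE} {a['hour']:02d}:00 observed={a['observed']} "
              f"expected~{a['expected']} threshold={a['threshold']}")
```

Run as-is, it reports a single alert for 21:00 on the target day (60 calls against an expected 1.4); business hours stay quiet because 15 calls is well inside their baseline. In production the baseline would come from a longer history, ideally split by weekday versus weekend, and an alert would open a ticket or a SIEM case rather than print to a terminal.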
Lifecycle Management
A mature cybersecurity posture also addresses the lifecycle by defining when and how information systems get updated and/or replaced. This includes software updates, updated virus definitions, maintenance and security patches, and hardware replacements. Such levels of management keep systems protected against new risks.
The Department of Defense released a guidebook for integrating cybersecurity risk management into the system acquisition lifecycle.
Developing a Mature Security Posture
The exact steps to achieving a mature cybersecurity posture are in-depth and will vary greatly based on government agencies. However, there are basic steps that can be agreed upon:
- Risk identification and assessment
- Vulnerability reduction
- Threat reduction
- Consequence mitigation
- Enable cybersecurity outcomes
For further reading, see these key resources:
- Framework for Improving Critical Infrastructure Cybersecurity, by NIST
- Cybersecurity Strategy, by DHS
- Cybersecurity Framework Profile for Ransomware Risk Management, by NIST
- Guide for Cybersecurity Event Recovery, by NIST