
Information Assurance

Integrity
Availability
Authentication
Confidentiality
Nonrepudiation

Information assurance means ensuring all these properties for an
information system.

Confidentiality
Not all data owned by the company should be made available to
the public.
Failing to protect confidentiality might be a disaster for a company
Protected Health Information (PHI)
Protected Financial Information (PFI)
Business-critical information to business rivals

Confidentiality
Only authorized users should gain access
Information must be protected when it is used, shared, transmitted,
and stored
Information must be protected from unauthorized users both
internally and externally
Information must be protected whether it is in digital or paper
format.

Confidentiality
The threats to confidentiality include:
Hackers and hacktivists
Shoulder surfing
Lack of shredding of paper documents
Malicious code (Trojan)
Improper access control
Unauthorized employee activity

Integrity
Data integrity involves making sure that an information system remains
unscathed and that no one has tampered with it (intentionally or
accidentally).

A business that cannot trust the integrity of its data can't operate, and
often this means the end of the business.

Data Integrity
Threats to data integrity include:
Human error
Hackers
Unauthorized user activity
Improper access control
Malicious code
Interception and alteration of data during transmission

Data Integrity
Controls that can be deployed to protect data integrity:
Access controls
Process controls
Monitoring controls
Behavioral controls

Public Key Encryption

Digital Signature

Encryption and Signature


When encrypting, you use the recipient's public key to write the message, and
they use their private key to read it.
When signing, you use your private key to produce the message's signature,
and they use your public key to check that it is really yours.
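The two directions described above, as an added worked example that is not part of the original slides. It uses textbook RSA over two tiny constructed primes (61 and 53) so the relationship between the keys stays visible; real systems use much larger keys and proper padding.

```python
import hashlib

# Toy RSA key pair built from two small constructed primes. These values are
# far too small for real use; they only make the public/private relationship
# visible in a few lines.
P, Q = 61, 53                    # constructed primes
N = P * Q                        # modulus (3233)
PHI = (P - 1) * (Q - 1)          # 3120
E = 17                           # public exponent
D = pow(E, -1, PHI)              # private exponent (2753), e*d == 1 mod phi

PUBLIC_KEY = (E, N)              # safe to hand out
PRIVATE_KEY = (D, N)             # never leaves its owner


def encrypt(message: bytes, public_key) -> list:
    """Sender uses the RECIPIENT's public key; each byte becomes one RSA block."""
    e, n = public_key
    return [pow(b, e, n) for b in message]


def decrypt(blocks, private_key) -> bytes:
    """Only the holder of the matching private key recovers the bytes."""
    d, n = private_key
    return bytes(pow(c, d, n) for c in blocks)


def sign(message: bytes, private_key) -> list:
    """Signer applies their OWN private key to a SHA-256 digest of the message."""
    d, n = private_key
    return [pow(b, d, n) for b in hashlib.sha256(message).digest()]


def verify(message: bytes, signature, public_key) -> bool:
    """Anyone with the signer's public key recomputes the digest and compares.
    A changed message or a signature from another key fails the comparison."""
    e, n = public_key
    recovered = bytes(pow(s, e, n) for s in signature)
    return recovered == hashlib.sha256(message).digest()


if __name__ == "__main__":
    msg = b"Transfer approved"
    assert decrypt(encrypt(msg, PUBLIC_KEY), PRIVATE_KEY) == msg
    sig = sign(msg, PRIVATE_KEY)
    print(verify(msg, sig, PUBLIC_KEY))                # True
    print(verify(b"Transfer denied", sig, PUBLIC_KEY))  # False: altered message
```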

Availability
It is important to ensure that the information concerned is readily
accessible to authorized users at all times.
Some types of attack attempt to deny access to the legitimate user; one
popular example is the DDoS (Distributed Denial of Service) attack.
The requirements for availability might be different than those for
confidentiality.

Nonrepudiation
This means that someone cannot deny having completed an action
because there will be proof that they did it.
All actions should be traceable to the person who committed them
Logs should be kept, archived, and secured
Intrusion detection systems should be deployed
Computer forensic techniques can be used retroactively
Accountability should cover both internal and external actions

Authentication
Authentication involves ensuring that users are who they say they
are.
Methods used for authentication are user names, passwords,
biometrics, tokens and other devices.
Authentication is also used in other ways -- not just for identifying
users, but also for identifying devices and data messages.
