Two official definitions of Information Assurance (IA) are:
“Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.” CNSSI 4009 (Committee on National Security Systems, 2015).
and
“[…] the processes and mechanisms needed to build a secure and reliable ICT infrastructure” (UK GOV - Cabinet Office, 2010).
Cybersecurity (CS) is the term that has gradually replaced IA. Both terms, however, refer to the same concepts: the Confidentiality, Integrity and Availability aspects (the so-called CIA triad) together with the Authentication and Non-repudiation pair, which are essential for online communications and services.
CS risks have been placed at the top of the list of challenges for businesses for the last 3 years (ECIIA’s Risk in Focus 2019 to 2022) and have also been the hot topic of discussion since 2019, possibly related to the introduction and enforcement of the GDPR legislation in the European Union.
IA or CS should, ideally, implement physical, technical and administrative controls inside an organisation in order to protect its information assets, while managing the risks associated with its ongoing operations. The set of policies, standards and methodologies that IA uses is the next step in an organisation’s top-down approach to ensuring that the data and information under its responsibility are safe. This follows the adoption of Information Governance (IG), which guarantees the existence of a framework where:
• The responsibility and accountability for handling the information are exercised
• The roles and responsibilities are clearly defined within the organisation
• Procedures exist that establish and enforce compliance with the applicable regulations
• The gaps between areas of the business left un-integrated or uncovered by the existing security procedures are bridged.
With the support of a functional IG, a functional IA practice can ensure confidentiality, integrity and availability, authenticity and non-repudiation for the data stored, communicated, or processed, allowing the business to continue its operations under the identified and approved levels of risk. Managing the organisation's data and information as a key asset should be fully embedded in the organisation's culture and also subjected to a continuous improvement process.
Information Risk Management (IRM) means identifying, assessing and prioritising the cyber risks. A risk-based approach to the security of information is what organisations across the world, from various sectors, have adopted: from financial institutions, broadcast media corporations and institutions, to national healthcare systems and defence departments.
Fortunately, dealing with risk in a way that is appropriate to the set objectives is nothing new. Well-established and standardised approaches exist, and adopting the framework they define can bring the risk down to an acceptable level.
This can be achieved through accreditation, or by simply following the recommendations and guidelines they provide.
The most widely accepted and popular standards and guidelines that address Information Security and the risk associated with handling information are the ISO 27000 and ISO 31000 families, the UK government’s Cyber Essentials (Plus) scheme and the NIST 800 family (US).
You can find more on these standards on the dedicated page, accessible below.