Information Assurance Does Not Equal Information Security

The cooperative efforts of your entire security organization will prove the most effective against sophisticated cyber threats

When I was working on a network assessment team for one of my customers, I would routinely hear upset voices when we would present our findings. The most common thing that the executives would say was, “Wait a minute, aren’t we current on our updates? I saw the compliance report, and we were all green, right?”

“All green, right?”

What that Information Security Officer was referring to was a slide that was presented to him showing the level of compliance that the hosts on his network were currently reporting. To him, this meant secure. It meant that all of his systems were patched to the current patch levels, all anti-virus was up to date, and all third-party systems were also updated. Being “green” was interpreted as “secure” – not only by this executive, but also by those reporting to him.

Little did he know that while he was having his weekly meeting with his IA staff, the network assessors were discussing the number of hosts compromised over the course of the previous week, determining potential future targets, and identifying critical systems at risk. Thankfully our behind-the-scenes work kept the network and host systems very secure – “all green”.

So what exactly is Information Assurance, and what does it provide?

In general, Information Assurance is the management of risk in the processing, storage and transmission of information or data. It also covers the systems and devices that process that data, along with governance, privacy, regulatory compliance, disaster recovery and business continuity for information systems. Information Assurance provides the risk management framework that defines how risks and threats should be accepted, mitigated, or transferred.

Another role Information Assurance plays is the analysis and management of all software that lives on systems within its organization. IA will provide a risk assessment of the software and, based on the level of need or benefit that the software provides to the organization, will approve or deny it for use within the network. By assessing all software before it is installed on an IT system, the IA group has a complete understanding of its organization's risk when confronted with potential threats, e.g. a new virus affecting a particular browser version.

Why then, would Information Assurance not equal Information Security?

Think of Information Security as an umbrella of components, and Information Assurance is only one of those components. You cannot simply assume that if your IA group is showing a slide where the risk is “all green” that you are fully protected from threats. It simply means that within the confines of IA compliance, they have fully mitigated the risks according to their framework of operations.

Other important components of Information Security are Security Operations (SO) and Security Intelligence (SI). If the IA department is not working cooperatively with the SO or SI groups, then risk mitigation is not as strong as it could be, which leaves potential areas of vulnerability.

When all Information Security components work together, with each role understood against the next, risk to the organization is significantly reduced. When Security Operations see alerts indicating unapproved software on their network, they have a clear and understood reporting channel and a well-established plan for handling that type of incident. When the Information Assurance group works with the Security Intelligence group, threats can be accurately assessed and risk mitigated. For example, the feedback provided from the SI group could prompt IA to force an early update to a vulnerable version of software on their network.

Cooperative effort within Information Security combined with Security Intelligence acts as a force multiplier against even sophisticated threats targeting your network and the hosts within. All components must work together to be truly effective against a sophisticated threat; Information Assurance compliance alone does not equal security.

If you would like to learn more about how the cooperative efforts of your Information Security group can effectively help to identify and mitigate targeted and sophisticated threats, click here and find out more.

More Stories By Cory Marchand

Cory Marchand is a trusted subject matter expert on topics of Cyber Security Threats, Network and Host based Assessment and Computer Forensics. Mr. Marchand has supported several customers over his 10+ years within the field of Computer Security including State, Federal and Military Government as well as the Private sector. Mr. Marchand holds several industry related certificates including CISSP, EnCE, GSEC, GCIA, GCIH, GREM, GSNA and CEH.
