NASA - National Aeronautics and Space Administration

Office of Security and Program Management

INFORMATION ASSURANCE FAQ
What is Information Assurance?
Information Assurance (IA) is defined as the set of measures intended to protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. This includes providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.

IA emerged from the need to protect information in transit, in processing, and in storage within complex and/or widely dispersed computer and communications networks. IA adds a dynamic dimension: the network incorporates information protection mechanisms that detect attacks and enable a response to them. The mission has evolved through three distinct stages: Communications Security (COMSEC), Information Technology Security (IT Security), and Information Assurance (IA).

Why is Information Assurance (IA) important?
With business becoming increasingly information-based and the proliferation of the Internet and e-commerce, organizations face significant challenges in trying to protect their information. Threats such as hacking, employee information theft, and viruses can cause severe damage to a company's operations and reputation. Security is now viewed as a measure of business competence. Taxpayers expect organizations to protect their information assets as vigorously as they protect their investment and public assets. By creating a security program, an organization's management team makes a clear statement to its stakeholders that the protection of electronic data is an enterprise-wide priority. Protecting information assets also reduces an organization's exposure to liability in the event of a security incident, a crucial benefit in today's world of increasing security threats.

What is Defense-In-Depth?
A Defense-In-Depth strategy integrates people, operations, and technology capabilities to establish information assurance (IA) protection across multiple layers and dimensions. Successive layers of defense mean that an adversary who penetrates or breaks down one barrier promptly encounters another, and then another, until the attack is detected and stopped. The layers only add up if they fail independently: two controls that rely on the same credential, the same product, or the same misconfiguration fall together.

Why does NASA need IT security policies?
Every Federal government organization, from the Department of Energy and the Department of Transportation to the Department of Defense and NASA, is required to have policies, procedures, standards, advisories, SOPs, or regulations that address a range of security issues, including Information Technology.

What are electronic assets?
Electronic assets include computers and hardware, networks, telecommunications, proprietary information, Web sites, e-business, files and documents, and much more. It is important to remember that Information Assurance (IA) addresses not only electronic assets but also all other forms in which information exists.

NASA's networks have firewalls. Isn't that enough to protect my information?
Firewalls and other security devices, such as intrusion detection systems (IDS) and vulnerability scanners, are a necessity, but technology is not a silver bullet. A firewall only decides which traffic may reach a service; it does nothing about a flaw in a service it has been told to allow, a stolen password, or a careless insider. Only a rigorous life-cycle approach, covering people, operations, and technology, thoroughly addresses security issues.

What are Information Assurance solutions based on?
Security methods fall into three categories: management controls (created by managers), operational controls (implemented by people), and technical controls (implemented by computer systems and software). Common objectives of most security programs and technologies are authentication (verifying users and the origin of data), confidentiality (protecting data from unauthorized disclosure), integrity (ensuring data is accurate and unaltered), non-repudiation (proving participation in an electronic transaction), and authorization (permission to perform a task or operation).

What constitutes a Risk Assessment?
A Risk Assessment should consist of, at a minimum, the following activities:
  • Identify key information assets: mission-critical data, computer software, and hardware.
  • Identify realistic threats: concentrate on problems likely to occur rather than on everything that could occur, and assess the organization's standing as a target. Banks, government, and military sites, for example, are popular targets for hackers.
  • Conduct a vulnerability analysis: identify weak links in the organization's security program that could be exploited.
  • Identify losses: determine the consequences, both tangible (losses with a direct financial impact) and intangible (damage to reputation, especially in a field where customers are highly sensitive to security incidents).
  • Measure the level of security required: determine the investment the security program warrants, given the value of the information assets, the types of threats, and the probability of the most likely ones.

How can I justify increased security expenditures to my superiors?
Measuring return on investment (ROI) for security is difficult because it is a cost of doing business, rather than a discrete project. When justifying an investment in IA, management should base its decision on its risk review. By evaluating information assets and determining if threats to those assets are too high to simply ignore, an organization can make a reasoned security investment decision.

What are the basic elements of a security strategy?
Security strategy revolves around three primary elements: People, Technology and Operations:

People
Achieving Information Assurance begins with a senior-level management commitment based on a clear understanding of the perceived threat. This must be followed through with effective Information Assurance policies and procedures, assignment of roles and responsibilities, commitment of resources, training of critical personnel (e.g. users and system administrators), and personal accountability. This includes the establishment of physical security and personnel security measures to control and monitor access to facilities and critical elements of the Information Technology environment.

Technology
Today, a wide range of technologies is available for providing Information Assurance services and for detecting intrusions. To ensure that the right technologies are procured and deployed, NASA has established policies and processes for technology acquisition. These include security policies, Information Assurance principles, system-level Information Assurance architectures and standards, criteria for needed Information Assurance products, acquisition of products that have been validated, configuration guidance, and processes for assessing the risk of the integrated systems.

Operations
The operations leg focuses on all the activities required to sustain NASA's security posture on a day-to-day basis. Specifically:
a) Maintaining visible and up-to-date security policies.
b) Certification and Accreditation of Information Technology systems.
c) Managing the security posture of the Information Assurance technology (e.g. installing security patches and virus signature updates, maintaining access control lists).
d) Providing key management services and protecting the infrastructure.
e) Performing system security assessments (e.g. vulnerability scanning, penetration testing) to confirm continued "security readiness".
f) Monitoring and reacting to current threats.
g) Attack sensing, warning, and response.
h) Recovery and reconstitution.

How can I confirm the identity and the security status of the web site I am visiting?
Before you exchange any information with a web site, check its identity against the following:
  1. A server certificate (digital ID) issued by a recognized certificate authority, for the exact host name shown in your address bar.
  2. A Secure Sockets Layer (SSL) connection, today its successor Transport Layer Security (TLS), or Secure Electronic Transaction (SET), a payment-card protocol.
  3. A secure connection to the Internet. Look for the "lock" icon the browser shows for the connection (in the status bar or, in current browsers, the address bar).
  4. Before you send information over the Internet, make sure you are in a secure session, shown by https:// at the start of the address in your browser.
  5. If you are sending sensitive information via email, the email and its attachments must be encrypted. The standard email encryption for NASA is Entrust PKI.
A lock and https:// mean only that the connection is encrypted to the host named on the certificate; they say nothing about whether that host is the one you intended, so read the domain name itself.
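What the lock icon and the https:// prefix actually verify, as an added example that is not part of the original page or of NASA's own tooling: a Python script that performs the same checks a browser does before showing the lock (certificate chain to a trusted CA, validity dates, host name match) using only the standard library. The certificate dictionary, issuer and host names in it are constructed for illustration; check_site needs network access and talks to whatever host you pass it, while the other functions run offline.

```python
import socket
import ssl
import time

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert();
# the names, issuer and dates are illustrative, not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.gov"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example Trust Services"),),
        (("commonName", "Example Public CA R1"),),
    ),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2030 GMT",
    "subjectAltName": (
        ("DNS", "www.example.gov"),
        ("DNS", "example.gov"),
        ("DNS", "*.apps.example.gov"),
    ),
}


def _dns_name_matches(pattern, hostname):
    """Match one SAN entry the way browsers do (RFC 6125): case-insensitive,
    and '*' is allowed only as the whole leftmost label, covering one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # ".apps.example.gov"
        if not hostname.endswith(suffix):
            return False
        leftmost = hostname[: -len(suffix)]
        return leftmost != "" and "." not in leftmost
    return pattern == hostname


def hostname_matches(cert, hostname):
    """True if the host you typed is one the certificate was issued for."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:  # legacy certificates without SANs: fall back to the subject CN
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_name_matches(n, hostname) for n in names)


def cert_is_current(cert, now_ts=None):
    """True if now (Unix seconds) lies inside the certificate's validity window."""
    now_ts = time.time() if now_ts is None else now_ts
    return (ssl.cert_time_to_seconds(cert["notBefore"])
            <= now_ts
            <= ssl.cert_time_to_seconds(cert["notAfter"]))


def issuer_name(cert):
    """Flatten the issuer RDN sequence into a dict, e.g. {'commonName': ...}."""
    return {k: v for rdn in cert["issuer"] for k, v in rdn}


def check_site(hostname, port=443, timeout=5.0):
    """Do what the browser does behind the lock icon: a TLS handshake against the
    platform trust store with chain validation and host name checking enabled.
    Raises ssl.SSLCertVerificationError for an untrusted, expired or mismatched
    certificate; returns a summary otherwise. Needs network access."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED and check_hostname=True
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
            return {
                "protocol": tls.version(),
                "issuer": issuer_name(cert),
                "valid_until": cert["notAfter"],
                "current": cert_is_current(cert),
                "hostname_ok": hostname_matches(cert, hostname),
            }


if __name__ == "__main__":
    # Offline demonstration on the constructed certificate.
    print(issuer_name(SAMPLE_CERT)["commonName"])                          # Example Public CA R1
    print(hostname_matches(SAMPLE_CERT, "www.example.gov"))                # True
    print(hostname_matches(SAMPLE_CERT, "www.example.gov.attacker.test"))  # False
```

The last line of the demonstration is the point of step 1 above: a certificate for www.example.gov does not cover www.example.gov.attacker.test, and a browser that shows a lock on the latter has validated the attacker's own certificate, not NASA's. Note also that ssl.create_default_context() is what makes check_site meaningful; setting verify_mode to CERT_NONE would still produce an encrypted session and a getpeercert() result, but the chain would never have been checked.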


NASA Official: Frank Martin
Editor: Christopher Brunner
Last Updated: July 30, 2008