Module 1 IAS - IntroductionToInformationAssuranceAndSecurity (20240814113543).pdf

Full Transcript

PAMANTASAN NG CABUYAO |INFORMATION ASSURANCE AND SECURITY 1

Course Material No. 1

INFORMATION
ASSURANCE AND
SECURITY
MS. KIER PANOLLERA
Course Instructor
 PAMANTASAN NG CABUYAO |INFORMATION ASSURANCE AND SECURITY 2

The Need for Assurance
and Security 1

LEARNING OUTCOMES

At the end of this course material, the students should be able to:

Demonstrate that information assurance and security is a business necessity for
organization
Recognize risks and threats to IAS
Identify the challenges faced by software developers and admins in handling IAS
activities

RESOURCES NEEDED

For this lesson, you would need the following resources:

Information Assurance and Security Overview PowerPoint Presentation
Links to videos:
https://www.youtube.com/watch?v=KFsR8pCsoTo&list=PLDqK1viQBj
WO7wYk6HvW_M8O5ESqDOcWp&index=2 (Introduction to
Information Security)
Links to websites:
Reference materials, tools, and equipment
PAMANTASAN NG CABUYAO |INFORMATION ASSURANCE AND SECURITY 3

Before you start, try answering the following
questions.
MODULE CONTENTS
1. What is information assurance and security?

___________________________________
___________________________________
Kick-off Pretest
___________________________________
___________________________________ 3
___________________________________
___________________________________
5 Pre-Activity Title

________________________________________
2. What are differences between information
assurance and information security?? 6 Your heading here

_________________________________
___________________________________
___________________________________
9 Your heading here

___________________________________
___________________________________
________________________________________
3. How can admins strike a balance between
11 Your heading here

information availability versus information
access control?
14 Posttest

___________________________________
___________________________________
___________________________________ Key Terms
___________________________________ 15
___________________________________

________________________________________
15 References
PAMANTASAN NG CABUYAO |INFORMATION ASSURANCE AND SECURITY 4

Answer the Riddle

I'm a shield for data, both day and night,
From threats and breaches, I ensure it's alright.
I go beyond just locks and keys,
Managing risks, ensuring trust with ease.

I safeguard not just from hacks and prying eyes,
But also from errors and deceitful lies.
Compliance and accuracy are my game,
In the world of data, I earn my name.

What am I? ________________________________________

I'm bits and bytes, a digital dance,
In computers and servers, I enhance.
I hold your secrets, both big and small,
Numbers, words, I collect them all.

I travel through cables, invisible yet strong,
In databases, I belong.
Analyzing me, insights are found,
In the vast digital playground.

What am I? _______________________________
PAMANTASAN NG CABUYAO |INFORMATION ASSURANCE AND SECURITY 5

Information -.
INTRODUCTION
IAS refers to a broad range of
procedures, tools, and guidelines
It is impossible to overestimate the significance of information assurance and for guaranteeing the privacy,
security in the connected and data-driven world of today. Sensitive accuracy, and accessibility of
digital data.
information must be safeguarded against unauthorized access, manipulation,
and theft as technology develops and businesses, governments, and
Information assurance. Refers to
individuals depend more and more on digital platforms. the systematic and comprehensive
approach to safeguarding sensitive
Information assurance and security (IAS) refers to a broad range of procedures, and critical information from
tools, and guidelines for guaranteeing the privacy, accuracy, and accessibility unauthorized access, alteration,
of digital data. This industry is essential to ensuring privacy, trust, and the disruption, or destruction.
efficient operation of many industries, including finance, healthcare,
communication, and national security. The study and application of efficient
information assurance and security procedures have become crucial for Information security. Is
commonly-defined as the process
enterprises and individuals alike to confidently navigate the digital landscape
of preventing unauthorized
as cyber dangers continue to emerge.
individuals from accessing, using,
disclosing, disrupting, altering, or
destroying digital information and
data.

INFORMATION ASSURANCE Confidentiality is the principle of
keeping information secret from
unauthorized individuals or
Information assurance (IA) refers to the systematic and comprehensive
entities.
approach to safeguarding sensitive and critical information from unauthorized
access, alteration, disruption, or destruction. It encompasses a range of
strategies, practices, policies, and technologies designed to ensure the Unified system. K.
confidentiality, integrity, availability, and authenticity of data.

Put in another perspective, IA may also be defined as the practice of protecting
information and systems from unauthorized access, use, disclosure, disruption,
modification, or destruction. It is a broad field that encompasses a wide range
of security controls, including physical, technical, and administrative measures.

IA goes beyond traditional cybersecurity measures, incorporating aspects of
risk management, compliance, and continuity planning to establish a robust
framework for protecting digital assets against a variety of threats, including
cyberattacks, insider threats, data breaches, and natural disasters.

The goal of IA is to establish a secure and resilient environment that enables
organizations and individuals to operate and communicate confidently in
today's interconnected digital world.
PAMANTASAN NG CABUYAO |INFORMATION ASSURANCE AND SECURITY 6

The major principles of information assurance:

1. Confidentiality

The information must be kept secret from unauthorized individuals or
entities. The data that are most-commonly subject to confidentiality are
on health records, bank records, personal identification (and
authentication credentials like usernames, passwords, PINs, etc.), data
on personal assets, customer data, individual grades and academic
evaluations.

The Philippines has a number of laws that protect confidentiality,
including:

Data Privacy Act of 2012 (DPA). This law regulates the processing of
personal data by private and public entities. It requires organizations to
obtain consent from individuals before collecting, using, or disclosing
their personal data. It also imposes security measures to protect
personal data from unauthorized access, use, or disclosure.

Bank Secrecy Act of 1975. This law prohibits banks and other financial
institutions from disclosing information about their customers' accounts,
except in certain circumstances, such as when required by law or when
there is a legitimate business reason to do so.

Electronic Commerce Act of 2000. This law regulates electronic
transactions, including the use of electronic signatures and the storage
of electronic data. It requires organizations to take reasonable security
measures to protect electronic data from unauthorized access, use, or
disclosure.

Cybercrime Prevention Act of 2012. This law prohibits a number of
cybercrimes, including unauthorized access to a computer system, data
theft, and cyberstalking. It also imposes penalties for the breach of
confidentiality of personal data.

Civil Code of the Philippines. This law provides for the protection of
privacy and confidentiality. It states that "every person shall respect the
dignity, personality, privacy and peace of mind of his neighbors and
other persons." It also prohibits the disclosure of confidential
information obtained by a person in the course of his or her
employment or profession.

These are just some of the Philippine laws that protect confidentiality.
By understanding these laws, organizations and individuals can help to
protect their confidential information.
PAMANTASAN NG CABUYAO |INFORMATION ASSURANCE AND SECURITY 7

In addition to these laws, there are also a number of professional codes
of ethics that impose obligations on individuals to protect
confidentiality. For example, the Code of Ethics of the Philippine Medical
Association states that "physicians shall respect the confidentiality of all
information obtained in the course of their professional practice."

By following the laws and ethical codes on confidentiality, organizations
and individuals can help to protect their confidential information and
prevent its unauthorized disclosure.

2. Integrity

Integrity means being whole and with no incomplete parts. The
information must be accurate and complete. In other words, data
integrity is the assurance that data is correct, ample, and consistent. It is
important to maintain data integrity because it ensures that the data is
reliable and can be used for decision-making.

Similarly, data and information integrity refer to the accuracy, reliability, and
consistency of data over its entire lifecycle. It ensures that data remains
unaltered, complete, and trustworthy from the point of creation or capture to
the point of consumption or analysis. Maintaining information integrity is
essential to ensure that data is not subject to unauthorized or accidental
modifications, thereby preserving its value and credibility.

Some common threats to data integrity may include:

Human errors. Data entry errors are a common cause of data integrity
problems.
Software bugs/errors. Software bugs can cause data to be corrupted or
lost.
Hardware failures. Hardware failures, such as disk crashes, can also
cause data loss.
Natural disasters. Natural disasters, such as floods and fires, can also
damage data.
Cyberattacks. Cyberattacks can be used to steal or destroy data.

3. Availability

The information must be accessible to authorized individuals or entities
when needed. And inversely, data must be not available when not needed
or when users access data in unauthorized manners.

Data availability is a critical aspect of information management, particularly in
today's data-driven world, where timely access to accurate information is
essential for decision-making, operations, and innovation.
PAMANTASAN NG CABUYAO |INFORMATION ASSURANCE AND SECURITY 8

Data availability is crucial in various sectors, including finance, e-
commerce, healthcare, and public services, where delays or disruptions
in accessing data can have serious consequences. Organizations invest in
robust IT infrastructure, backup solutions, and disaster recovery plans to
ensure that data remains available and usable, even in challenging
circumstances.

4. Authenticity

The trait of being sincere, reliable, and trustworthy is referred to as
authenticity. Authenticity in the context of data and information assures
that the data is accurate in representing its source and origin and has
not been tampered with or altered. Maintaining trust, making educated
judgments, and avoiding fraud or false information all depend on the
authenticity of the data. It is essential that the data be accurate and
unaltered.

Ensuring authenticity is particularly important in fields like finance,
healthcare, legal proceedings, and scientific research, where accurate
and unaltered information is critical. Organizations implement various
technical and procedural measures to maintain data authenticity and
protect against unauthorized alterations or fraudulent activities.

Some ways to determine authenticity:

Verification of Source. Authentic data can be traced back to a reliable
and credible source. Verifying the source helps establish the accuracy
and legitimacy of the data.

Requiring Digital Signatures. Digital signatures use cryptographic
techniques to authenticate the sender of a message and ensure that
the content has not been altered during transmission.

Timestamps. Timestamping data records helps establish when the data
was created, modified, or accessed, enhancing its credibility and
authenticity.

Utilizing Authentication Protocols. Implementing authentication
protocols, such as multi-factor authentication, ensures that users are
who they claim to be, preventing unauthorized access.

Public Key Infrastructure (PKI). PKI involves the use of public and
private keys to encrypt and sign data, ensuring its authenticity and
confidentiality.
PAMANTASAN NG CABUYAO |INFORMATION ASSURANCE AND SECURITY 9

Watermarking and Seals. Watermarks, digital signatures, or seals can
be added to documents or media to indicate their authenticity and
origin.

Declaration of Chain of Custody: In legal and forensic contexts,
maintaining a clear chain of custody ensures the authenticity and
admissibility of evidence.

Having Secure Data Transmission: Using encrypted channels for data
transmission helps prevent data tampering during communication.

Provision of Audit Trails: Keeping detailed records of data access,
modifications, and interactions helps maintain the authenticity of data
and allows for accountability.

5. Non-repudiation

The originator or sender of the information cannot deny having sent it.
Systems must have in them some built-in mechanisms to ensure that
data interchanges and their corresponding metadata are recorded and
are quite accessible to both sender and receiver. This is quite critical to
business processes like payment systems wherein an undeniable proof is
required as an invoice or receipt.

6. Dynamism

IA activities should not be static. The threats and vulnerabilities that
information faces are constantly changing. As a result, the IA controls
that are implemented must also be constantly updated. Some systems
process data in real-time. This enables the provision of the most
UpToDate version of data. For instance, ATMs need to reflect the most
updated version of a client bank account data to ensure that clients have
the best options for ATM transactions.

7. Complexity and feasibility

IA approaches are not always easy to achieve. There is always a trade-off
between security and usability. For example, making information more
secure may make it more difficult to access. The inverse is also
corollary: easier access means greater security risks.

8. Mutual Inclusivity
PAMANTASAN NG CABUYAO |INFORMATION ASSURANCE AND SECURITY 10

IA principles are not always mutually exclusive. For example, it is
possible to have both confidentiality and availability of information. And
it is usually a requirement among information systems to be available at
a highly-secured manner.

These principles are interrelated and must be balanced to achieve an
appropriate level of IA. For example, increasing confidentiality may reduce
availability, and vice versa.

IA is an ongoing process that requires constant monitoring and evaluation.
As threats and vulnerabilities change, IA controls must be consequently
updated to ensure that they remain effective.

INFORMATION SECURITY

Information security is commonly-defined as the process of preventing
unauthorized individuals from accessing, using, disclosing, disrupting,
altering, or destroying digital information and data. It includes a wide range
of strategies, procedures, tools, and procedures aimed at protecting
sensitive data and preserving its confidentiality, accuracy, and accessibility.

Some key aspects of information security include:

1. Confidentiality

Ensuring that data and/or information is only accessible to authorized,
verified, identified or properly-certified individuals or entities. This
involves measures such as access controls, encryption, and data
classification.

2. Integrity

Integrity of data refers to the wholeness of data as when it was
generated. Preventing unauthorized modifications or alterations of data.
Data integrity measures include checksums, digital signatures, and
version controls.

3. Availability

Ensuring that data and systems are accessible and usable when needed.
And inversely, same data set must be kept inaccessible when not
needed. This involves practices like redundancy checks, disaster
recovery planning, and network resilience.
PAMANTASAN NG CABUYAO |INFORMATION ASSURANCE AND SECURITY 11

4. Authentication

Verifying the identity of users, devices, or systems to prevent
unauthorized access. Authentication mechanisms include passwords,
usernames, CAPTCHA, certificates, badges, biometrics, and multi-factor
authentication.

5. Authorization

Granting appropriate permissions and privileges to authorized users,
limiting their access to only the data and resources they need.
Authorization may come in several forms like in permissions, privileges,
roles, responsibilities, access control/revocation, audit and
accountability.

6. Data Protection

Implementing security measures to protect data at rest, in transit, and
during processing. This includes encryption, data masking, and secure
data disposal. Data protection may come in several forms such as in
encryption, masking, back-ups, anonymization, secure data
transmission, data loss prevention, data classification, data retention
policies and data regulations.

7. Network Security

Protecting networks from unauthorized access, cyberattacks, and
malicious activities using firewalls, intrusion detection systems, and
intrusion prevention systems. Network security may also come in other
forms such as in network segmentation, VPNs, network access controls,
network monitoring and logging, network hardening, network patch
management, etc.

8. Endpoint Security

Securing individual devices like computers, smartphones, and IoT
devices to prevent malware infections, data breaches, and unauthorized
access. Endpoint security also involves other measures such as
blacklisting/whitelisting, security updates, device controls, etc.

9. Security Awareness Training

Educating employees and users about security best practices, phishing
awareness, and the importance of data protection.

10.Incident Response
PAMANTASAN NG CABUYAO |INFORMATION ASSURANCE AND SECURITY 12

When something untoward happens in the information systems, admins
should already have in place certain ways to respond to or deal with
them. Since information systems are subject to attacks, it should no
longer be a surprise for admins when such incidents occur. Developing
plans and procedures to effectively respond to and mitigate security
incidents, such as data breaches or cyberattacks.

11.Vulnerability Management

Identifying and patching vulnerabilities in software and systems to
prevent exploitation by malicious actors. Penetration testing (pen test) is
the most common means of identifying and dealing with vulnerabilities.

12.Security Policies and Compliance

Establishing security policies, standards, and guidelines to ensure that
security measures align with industry regulations and best practices.
Procedures are put in place to guide admins, staff, technicians and users
as to the proper utilization of the systems.

13.Threat Detection and Prevention

Using tools like intrusion detection systems, antivirus software, and
behavior analytics to identify and prevent security threats.

14.Security Audits and Assessments

Conducting regular audits and assessments to evaluate the effectiveness
of security measures and identify areas for improvement.

INFORMATION SECURITY
INFORMATION ASSURANCE VS. INFORMATION SECURITY
Although they have some similarities, information assurance and
information security have different certain differences, especially in terms
of scope, purpose, approaches, goals and objectives when it comes to
safeguarding digital data.

The following are some differences between the two terms:

1. Scope and Purpose

Information security primarily focuses on protecting the confidentiality,
integrity, and availability of information from unauthorized access,
breaches, and attacks while information assurance encompasses a
PAMANTASAN NG CABUYAO |INFORMATION ASSURANCE AND SECURITY 13

broader perspective that not only includes security but also emphasizes
managing risks, ensuring compliance, maintaining data accuracy, and
promoting overall trust in the information.

2. Approaches

Information security focuses on implementing technical measures such
as firewalls, encryption, intrusion detection systems, and access controls
to prevent unauthorized access and protect against cyber threats.
Information assurance takes a holistic approach that combines technical,
managerial, and operational measures to not only secure information
but also ensure its accuracy, reliability, and proper utilization.

3. Goals

Information security primarily concerned with preventing unauthorized
access, mitigating vulnerabilities, and responding to security incidents.
Information assurance aims to ensure the reliability, trustworthiness,
and proper use of information through measures that go beyond
security, including risk assessment, compliance with regulations, and
disaster recovery.

4. Risk Management

Information security emphasizes mitigating risks related to security
breaches and cyberattacks while information assurance extends risk
management to cover broader aspects, including data accuracy,
regulatory compliance, operational continuity, and strategic planning.

5. Compliance and Governance

Information security involves adhering to security standards and best
practices to safeguard data from breaches and unauthorized access.
Information assurance incorporates regulatory compliance, legal
requirements, and adherence to industry standards as part of a
comprehensive strategy to ensure the proper use and handling of
information.

6. Business Objectives Integration

Information security is often viewed as a technical function aimed at
protecting information from threats. Information assurance aligns with
business goals by ensuring that information supports decision-making, is
accurate, and contributes to the organization's overall success.
PAMANTASAN NG CABUYAO |INFORMATION ASSURANCE AND SECURITY 14

In summary, while both information security and information assurance are
concerned with protecting digital assets, information assurance takes a
broader view that encompasses security as well as aspects like data
accuracy, compliance, and risk management to foster a comprehensive and
trustworthy information environment.

SUMMARY

Information assurance and security encompass the strategies, practices, and technologies
designed to protect sensitive information from unauthorized access, disclosure, alteration,
or destruction. These disciplines ensure the confidentiality, integrity, and availability of
data, guarding against cyber threats, data breaches, and malicious activities. Information
assurance involves managing risks, implementing controls, and adhering to compliance
frameworks to safeguard digital assets. Security measures span various aspects, including
network security, endpoint security, data protection, and user authentication. By
maintaining information assurance and security, organizations ensure trust, mitigate risks,
and foster a secure digital environment in an increasingly interconnected world.

Information assurance (IA) and information security (IS) are complementary disciplines that
work together to protect information and information systems. IA focuses on ensuring the
confidentiality, integrity, and availability of information, while IS focuses on preventing
unauthorized access, use, disclosure, disruption, modification, or destruction of
information.

IA and IS are essential for organizations of all sizes, in all industries. In today's digital world,
information is a valuable asset that can be used for competitive advantage. By protecting
their information, organizations can reduce the risk of financial loss, reputational damage,
and other negative consequences.
 PAMANTASAN NG CABUYAO |INFORMATION ASSURANCE AND SECURITY 15

KEY TERMS

information security network security information assurance
authentication information system information assurance and security

POSTTEST
Directions: Encircle the letter corresponding to your answer.

1. What does information assurance primarily focus on?
a) Protecting hardware devices
b) Ensuring data availability
c) Preventing physical security breaches
d) Enhancing user experience

2. Which term refers to the accuracy and consistency of data over its lifecycle?
a) Data integrity
b) Data availability
c) Data confidentiality
d) Data authenticity

3. Which principle dictates that users should be granted the minimum level of access necessary
to perform their tasks?
a) Access control
b) Least privilege
c) Data masking
d) Authentication

4. Encryption is used primarily for:
a) Preventing physical theft
b) Protecting data during transmission and storage
c) Enhancing user experience
d) Managing network traffic

5. What does a firewall primarily do?
PAMANTASAN NG CABUYAO |INFORMATION ASSURANCE AND SECURITY 16

a) Encrypt data at rest
b) Manage access controls for devices
c) Block unauthorized network traffic based on rules
d) Monitor employee activities

6. What does a VPN provide?
a) Physical security for devices
b) Secure remote access to a network
c) Protection against phishing attacks
d) Intrusion detection capabilities

7. What is the main purpose of an Intrusion Detection System (IDS)?
a) Encrypt data transmission
b) Prevent unauthorized access to devices
c) Block malware from entering the network
d) Detect and alert about potential security breaches

8. Which term refers to the practice of securing individual devices connected to a network?
a) Network security
b) Data protection
c) Endpoint security
d) Access control

9. What is the primary goal of data loss prevention (DLP) solutions?
a) Preventing unauthorized access to networks
b) Blocking malicious emails
c) Monitoring and controlling data transfers to prevent leakage
d) Encrypting data at rest

10. What principle involves incorporating privacy and security considerations into the design of
systems and applications?
a) Principle of least privilege
b) Privacy by design
c) Role-based access control
d) Intrusion detection
PAMANTASAN NG CABUYAO |INFORMATION ASSURANCE AND SECURITY 17

REFERENCES
Andrews, J., Shelton, J., & West, J. (2019). CompTIA A+ Guide to IT
Technical Support. Cengage Learning.

Ciampa, M. (2021). CompTIA security+ guide to network security
fundamentals. Cengage Learning.

West, J. (2021). CompTIA Network+ guide to networks. Cengage
Learning.

Whitman, M. E., & Mattord, H. J. (2020). Management of
information security. Cengage Learning.

Whitman, M. E., & Mattord, H. J. (2021). Principles of information
security. Cengage learning.