
Information assurance

Article Id: WHEBN0006444716

Title: Information assurance  
Author: World Heritage Encyclopedia
Language: English
Subject: Government Communications Headquarters, CESG Listed Adviser Scheme, Security Target, Chief information security officer, Cryptographic Modernization Program
Collection: Computer Security, It Risk Management
Publisher: World Heritage Encyclopedia

Information assurance

Information assurance (IA) is the practice of assuring information and managing risks related to the use, processing, storage, and transmission of information or data and the systems and processes used for those purposes. Information assurance includes protection of the integrity, availability, authenticity, non-repudiation and confidentiality of user data. It uses physical, technical and administrative controls to accomplish these tasks. While focused predominantly on information in digital form, the full range of IA encompasses not only digital but also analog or physical form. These protections apply to data in transit, both physical and electronic forms as well as data at rest in various types of physical and electronic storage facilities. Information assurance as a field has grown from the practice of information security.

Overview

Information assurance is the process of adding business benefit through the use of information risk management, which increases the utility of information to authorized users and reduces its utility to unauthorized ones. It is strongly related to the field of information security and to business continuity. IA relates more to the business level and strategic risk management of information and related systems than to the creation and application of individual security controls. Therefore, in addition to defending against malicious hackers and code (e.g., viruses), IA practitioners consider corporate governance issues such as privacy, regulatory and standards compliance, auditing, business continuity, and disaster recovery as they relate to information systems. Further, while information security draws primarily from computer science, IA is an interdisciplinary field requiring expertise in business, accounting, user experience, fraud examination, forensic science, management science, systems engineering, security engineering, and criminology, in addition to computer science. IA is therefore best thought of as a superset of information security (i.e. an umbrella term), and as the business outcome of information risk management.

Information assurance is also the term used by governments, including the government of the United Kingdom, for the provision of holistic security to information systems. In this use of the term, the interdisciplinary approach set out above is somewhat narrower: security and systems engineering, business continuity and enterprise resilience, forensic investigation and threat analysis are considered, but management science, accounting and criminology are not drawn on when developing mitigations for the risks identified in the risk assessments. HMG Information Assurance Standard Nos. 1 & 2, which replaced HMG Infosec Standard No. 2, sets out the principles and requirements of risk management in accordance with the above principles and is one of the information assurance standards currently used within the UK public sector.

Process

The information assurance process typically begins with the enumeration and classification of the information assets to be protected. Next, the IA practitioner performs a risk assessment for those assets. Vulnerabilities in the information assets are determined in order to enumerate the threats capable of exploiting them. The assessment then considers both the probability and the impact of a threat exploiting a vulnerability in an asset, with impact usually measured in terms of cost to the asset's stakeholders. The sum over all threats of impact multiplied by probability of occurrence is the total risk to the information asset. In practice both figures are estimates, so the result is an expected loss used to rank risks and justify spending, not a precise prediction.

With the risk assessment complete, the IA practitioner then develops a risk management plan. The plan proposes countermeasures that mitigate, eliminate, accept, or transfer each risk, and the cost and benefit of each countermeasure are carefully weighed. Thus the IA practitioner does not seek to eliminate all risks, were that possible, but to manage them in the most cost-effective way.

After the risk management plan is implemented, it is tested and evaluated, often by means of formal audits. The IA process is an iterative one, in that the risk assessment and risk management plan are meant to be periodically revised and improved based on data gathered about their completeness and effectiveness.
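The three steps above (assess each asset's threats, sum probability times impact, then keep only countermeasures whose expected loss reduction exceeds their cost) are small enough to show end to end. The following is an added example and not part of the original article: every asset, threat, probability, impact figure and countermeasure in it is constructed for illustration, and the selection rule it uses (accept a countermeasure only when the expected annual loss it avoids exceeds its annual cost, otherwise accept the risk) is one common way of making the cost/benefit decision the text describes, not the only one.

```python
"""Worked risk register for the IA process above (added example, constructed data)."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Threat:
    name: str
    probability: float  # annual likelihood the threat exploits the asset's vulnerability (0..1)
    impact: float       # cost to the asset's stakeholders if it does, in currency units


@dataclass(frozen=True)
class Asset:
    name: str
    classification: str  # assigned in the enumeration/classification step
    threats: tuple       # Threat objects identified in the risk assessment


@dataclass(frozen=True)
class Countermeasure:
    name: str
    asset: str
    threat: str
    annual_cost: float
    probability_reduction: float  # fraction by which it lowers the threat's probability (0..1)


def threat_risk(t: Threat) -> float:
    """Risk contributed by one threat: probability x impact, i.e. expected annual loss."""
    return t.probability * t.impact


def total_risk(assets) -> float:
    """Sum of the products of impact and probability over every threat to every asset."""
    return sum(threat_risk(t) for a in assets for t in a.threats)


def expected_loss_avoided(cm: Countermeasure, assets) -> float:
    """Drop in expected annual loss if the countermeasure is applied to its threat."""
    for a in assets:
        if a.name == cm.asset:
            for t in a.threats:
                if t.name == cm.threat:
                    return threat_risk(t) * cm.probability_reduction
    raise KeyError(f"{cm.name}: no threat {cm.threat!r} on asset {cm.asset!r}")


def net_benefit(cm: Countermeasure, assets) -> float:
    """Expected loss avoided minus what the countermeasure costs to run each year."""
    return expected_loss_avoided(cm, assets) - cm.annual_cost


def apply_countermeasures(assets, selected):
    """Return new Asset objects whose threat probabilities reflect the selected countermeasures."""
    out = []
    for a in assets:
        threats = []
        for t in a.threats:
            p = t.probability
            for cm in selected:
                if cm.asset == a.name and cm.threat == t.name:
                    p *= 1.0 - cm.probability_reduction
            threats.append(replace(t, probability=p))
        out.append(replace(a, threats=tuple(threats)))
    return out


def risk_management_plan(assets, candidates):
    """Select cost-effective countermeasures; the rest of the risk is accepted, not eliminated."""
    selected = [cm for cm in candidates if net_benefit(cm, assets) > 0]
    accepted = [cm for cm in candidates if cm not in selected]
    residual = apply_countermeasures(assets, selected)
    return {
        "initial_risk": total_risk(assets),
        "selected": selected,
        "accepted": accepted,
        "annual_spend": sum(cm.annual_cost for cm in selected),
        "residual_risk": total_risk(residual),
    }


# Constructed sample register: illustrative figures only, not from any real assessment.
ASSETS = (
    Asset("customer database", "confidential", (
        Threat("ransomware", probability=0.10, impact=500_000),
        Threat("insider exfiltration", probability=0.02, impact=1_000_000),
    )),
    Asset("public website", "public", (
        Threat("defacement", probability=0.30, impact=20_000),
    )),
)

CANDIDATES = (
    Countermeasure("offline backups", "customer database", "ransomware", 15_000, 0.8),
    Countermeasure("DLP monitoring", "customer database", "insider exfiltration", 30_000, 0.5),
    Countermeasure("web application firewall", "public website", "defacement", 2_000, 0.5),
)

if __name__ == "__main__":
    plan = risk_management_plan(ASSETS, CANDIDATES)
    print(f"initial risk:  {plan['initial_risk']:,.0f}")
    for cm in plan["selected"]:
        print(f"  select {cm.name:26} net benefit {net_benefit(cm, ASSETS):+,.0f}")
    for cm in plan["accepted"]:
        print(f"  accept {cm.name:26} net benefit {net_benefit(cm, ASSETS):+,.0f}")
    print(f"annual spend:  {plan['annual_spend']:,.0f}")
    print(f"residual risk: {plan['residual_risk']:,.0f}")
```

On this data the DLP control is rejected even though it halves a real risk, because its running cost exceeds the expected loss it avoids; that risk is accepted and stays in the residual figure, which is the point the text makes about managing rather than eliminating risk. Re-running the plan with updated probabilities after an audit or an incident is the iterative revision the next paragraph describes.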

Standards organizations and standards

There are a number of international and national bodies that issue standards on information assurance practices, policies, and procedures.

External links


  • UK Government
    • HMG INFOSEC STANDARD NO. 2 Risk management and accreditation of information systems (2005)
  • IA References
  • Information Assurance XML Schema Markup Language
  • DoD Directive 8500.01 Information Assurance
  • DoD IA Policy Chart
  • Archive of Information Assurance

EMSEC documentation

  • AFI 33-203 Vol 1, Emission Security (Soon to be AFSSI 7700)
  • AFI 33-203 Vol 3, EMSEC Countermeasures Reviews (Soon to be AFSSI 7702)
  • AFI 33-201 Vol 8, Protected Distributed Systems (Soon to be AFSSI 7703)

This article was sourced under the Creative Commons Attribution-ShareAlike License; additional terms may apply.