The role that information security plays has changed over the years and today, with information security professionals being brought in at the executive level of organizations, they have become critical members that contribute to the overall success of business operations. When information security first became a discipline, its focus was all about securing IT configurations and putting security tools in place. As time has progressed, it became apparent that you cannot properly secure an IT environment without first understanding the needs of an organization's business leaders. Now, information security leaders work to ensure that the business maintains its ability to serve its customers by tying cybersecurity to the business' functions.
IT security engineering is the application of security principles to information technology. In our modern world, this really can mean just about anything, from a server to a refrigerator, once you start to consider the Internet of Things (IoT). There are so many new devices being built daily that are IP addressable, essentially making them mini-servers, which introduces potential vulnerabilities. Additionally, it is important to consider the security needs for devices that are non-networked or may be air gapped. Nonnetworked, or air-gapped, environments still have the capability to communicate through out-of-band means, such as a USB thumb drive, allowing an attacker to communicate with them. A mature organization should have staff specifically targeted at looking at information technology security concerns, working with business and information technology leadership to secure IT systems and protect the environment from attackers.
Information assurance is the act of working with business and IT leadership to ensure that the confidentiality, integrity, and availability requirements for a given asset are fully understood. Those requirements should be fully tested in a test environment prior to being integrated into the production environment, in order to ensure that they are secure and do not cause interoperability issues.
The activities associated with information assurance inform the activities associated with IT security regarding the specific technical controls needed to properly protect a given asset. Requirements are driven by the business/mission owner.
For example, a medical device might be deemed by a business/mission owner to be confidentiality-high, integrity-high, and availability-moderate (because they can revert to old school medical techniques):
Relationship between Information Assurance and IT Security
The CIA triad is a key tenet at the core of information security. This tool is used to help the information security professional think about how to best protect organizational data:
- Confidentiality: It has to do with whether or not information is kept secret or private. Mechanisms should be employed, such as encryption, which will render the data useless if it was accessed in an unauthorized manner.
- Integrity: It has to do with whether the information is kept accurate. Information should not be modified in an unauthorized manner and safeguards should be put in place that allows for detectable and timely unauthorized changes.
- Availability: It has to do with ensuring that information is available when it is needed. This control can be accomplished by implementing tools ranging from battery backup at the data center, to a content distribution network in the cloud:
