Introduction
Over the past few years, the information technology sector has experienced numerous challenges. As organizations continue to rely on information technology, the threats against it have increased. As a result, organizations have defenses against those threats. Information assurance and cybersecurity are examples of such defenses. Cybersecurity is a state in which electronic data are free from unauthorized use (Qian, Tipper, and Prashant 37). Information assurance, on the other hand, deals with the creation of the policies, procedures and systems that assure people that the information they are using is valid, reliable, available, accessible, confidential and trustworthy (Raghav 48).
Recent events such as computer viruses have raised concern about information assurance as well as the future protection of the information technology sector. This is because of the increasing intricacy and interdependency of information systems. Therefore, information assurance tries to address the issue of reliance and credibility associated with digital technology. Despite excessive expenditure on information security programs, digital technology continues to experience threats. Hence, information assurance is imperative in addressing technology insecurity because its complex nature enables it to deal with numerous problems.
The criticality of information assurance within the national strategy
Cyber attacks interfere with the economic growth of the nation. According to Chertoff, cyber-attacks can cost dollars, assets as well as lives (100). For instance, people will spend time eliminating the attack rather than focusing on other productive activities. Furthermore, the government will channel a lot of money into information protection projects. Therefore, the complex nature of information assurance reflects a multitude of considerations that go beyond information technology and extend across the social, political, economic and organizational dimensions. This explains the complexity of information assurance.
A complex system is one whose component properties people can neither understand nor explain. As a result, Raghav states that numerous people, associations, the government, and systems attempt to protect the critical infrastructure (43). This increases the complexity of information assurance, forcing the country to develop strategies that address the issue. Qian, Tipper and Prashant argue that the complexity of information assurance arises because of the many components, their connections and the relationships that exist among them (29). Thus, the nation needs to pay close attention to cyber attacks and the development of information assurance approaches.
Moreover, the nation needs to consider numerous imperative issues to develop information assurance as both science and methodology. In recent research, Patterson states that many people do not understand the science of information assurance (205). This lack of understanding leads to the repetition of similar mistakes. In many cases, people react to mistakes rather than prevent occurrences. Therefore, the government should develop approaches that help the nation understand the criticality of information assurance.
Processes established to make the information technology sector more resistant
Incident management is an integrated process that assists in protecting the information infrastructure (Chertoff 102). It uses the proactive approach that entails continuous monitoring as well as improvement programs to prevent the occurrence of information technology threats. Furthermore, it eliminates the procedures that are impracticable by ensuring that the responsible parties create, develop and validate policies.
Besides, these parties are involved in continuous monitoring and improvement processes. As a result, Brunner and Suter state that incident management is a holistic program where a change in one component affects another one (418). This means that planning, communication, and evaluation are crucial in incident management. Thus, a program approach that manages threats to information infrastructure was developed.
According to Holdren, the program approach operates under the principle of planning, communication, and evaluation to facilitate information protection (19). To begin with, planning entails strategy development, support management, organization collaboration and incorporation of information assurance approaches into the security programs of the organization. For instance, strategy development may involve the creation of antivirus programs while support management is obtaining financial assistance from the organization (Qian, Tipper, and Prashant 69). On the other hand, organization collaboration ensures that every person is aware of the information protection approaches that are in place.
Secondly, communication facilitates the free movement of information. According to Brunner and Suter, free movement of information that involves internal as well as external organization is vital for enhancing effective and efficient response to information technology threats (401). This is because people need to be ready to communicate when a threat occurs. For instance, through an effective communication system, an organization can easily manage an information infrastructure threat like the computer virus.
Finally, evaluation involves monitoring and assessment of information assurance programs (Gayle 125). This is imperative because it helps in the early detection of errors as well as determining the methods of improving the information assurance approaches. For example, through assessment one can establish what can go wrong as well as make the systems fail, the probability of the error and the consequences. Furthermore, monitoring helps determine the activities that can correct the error. Besides, it evaluates the cost, benefits, and risks of the chosen policies. Lastly, monitoring is important in sensitivity analysis because it determines the impact of the current decision on future options.
If a threat occurs to information infrastructure systems, a six-step management program is important. This program involves the integration of six elements: prepare, detect, contain, eradicate, recover and feedback (Coppola, Bullock, and Haddow 67). According to this program, preparation leads to the detection of the threat followed by its containment. Besides, the containment of the threat facilitates its eradication and recovery. Lastly, feedback communication helps in the preparation of the next process of information protection.
The relationship of information assurance to other sectors
Brunner and Suter state that information technology relates to many sectors, among them the academic, business, military and public sectors (423). Thus, these sectors benefit from information assurance. For instance, the academic and the business sectors gain from information assurance because they provide hardware, software, education and research for digital technology. All these sectors are interested in the success of information assurance and they share the same objectives that focus on profit, expenditure, risk, trust, survival, and security.
Brunner and Suter argue that these sectors have objectives that conflict with each other yet they have a common focus (411). For example, the business sector aims at profit maximization while the military one aims at cost and risk minimization. Therefore, the conflicting interest is the core of information assurance. Additionally, the reliance of the military on technology advancement, superiority, and systems makes information assurance important. This is because information infrastructure continues to experience diverse changes in technology and tactics. Hence, information assurance tries to address the vital question of the validity and reliability associated with the digital environment.
As sectors continue to rely on information technology, both the threats and the potential harm to people increase (Boyse 12). Even though the majority of the sectors have information protection approaches, their effectiveness decreases over time. As a result, information assurance remains a better option for these sectors. This is because Blyth states that the success rate of information assurance is ninety-nine percent (115). Therefore, all sectors depend on information assurance as a protective device. Additionally, other sectors are interdependent on information technology.
Dependencies and interdependencies
According to Blyth, information infrastructure is the backbone for most critical infrastructure in the world (138). Moreover, many sectors depend on information technology to achieve their visions and missions. This is because information technology provides a basis for the exchange of ideas and thoughts through internet connectivity. Therefore, it is important to realize the value that information technology has in homeland security. Additionally, because of the criticality of information assurance, the dependencies and interdependencies of digital technology need to be understood. For instance, understanding the interdependence between information technology and national infrastructure like energy and electricity is very important.
One of the ways of examining the interdependency of information technology is to analyze it from the perspective of the critical infrastructure (Chertoff 36). The National Infrastructure Protection Plan (NIPP) intends to meet the requirement of the critical infrastructure that is the identification, the prioritization and the protection of information technology. Therefore, various initiatives developed by the government focus on information assurance.
This is through the integration of the key resources and critical infrastructure. In this integration, information technology plays a critical role. Additionally, the energy and the water sectors are also of value in information assurance. The water sector involves collaborative management, which includes the processing of clean as well as dirty water. On the other hand, the energy sector entails the production and supply of electricity. The water and the energy sectors depend on information technology.
To begin with, electric power is the dominant dependency of information technology (Holdren 24). This is because every component of information technology depends on electric power for it to operate. For instance, electricity provides energy for the computer hardware, the operating system and the environment that surrounds the communicating equipment. Most of the time, the information technology sector consumes electricity but not other forms of energy like oil and gas. Therefore, a direct link exists between the energy and the information technology sectors.
Conversely, the electric energy industry depends on information technology (Brunner and Suter 450). This is because information technology is a means of communication, hence facilitating the management as well as control of operations in the industry. For instance, free movement of information enables the workers to know most of the activities that are taking place in the organization. In case a cyber attack occurs, it is easy for workers to implement the information assurance process.
Lastly, the vital dependency between the information technology sector and other sectors has a relationship to the security of an organization (Coppola, Bullock, and Haddow 64). Most of the information infrastructure is susceptible to cyber threats. This is due to the dependency and interdependency of these sectors on a common network. As a result, the information systems require protection from the cyber threat. According to Boyse, various information assurance programs and procedures guard against cyberattacks (17). They include policies and procedures against the threats as well as computer programs against viruses and intrusions.
Information assurance in other countries
The issue of information protection is vital because maximum security of the critical infrastructure cannot be achieved. Besides, a single way of tackling the problem does not exist. As a result, most countries have a variety of protection programs for critical infrastructure. Although many countries use a heterogeneous approach, critical infrastructure protection falls into three categories. They include the Critical Information Infrastructure Protection, Critical Information Technology Infrastructure Protection and Special Case (Blyth 120).
To begin with, Critical Information Infrastructure Protection focuses on information technology found in sectors that are individual (Boyse 26). On the other hand, hardware protection is under a different organizational framework. Therefore, the functions, as well as the competencies that relate to the critical infrastructure protection, are in different organizations. Additionally, this approach tries to incorporate private sectors at every level of critical infrastructure protection.
Secondly, Critical Information Technology Infrastructure Protection encompasses physical protection. According to Brunner and Suter, physical protection is part of the defense system of the nation (400). Besides, it focuses on proficiency in information technology security, the civil defense as well as disaster control. Hence, a clear distinction between individual components does not exist and thus the term “All Hazards” approach. In this approach, there is the integration of states and private sectors in the organization level of the nation. On the contrary, there is no collaboration between the public and private sectors at the national planning level.
Lastly, a special case is the Chinese model. In this approach, a collaboration between the public and the private sector does not exist (Coppola, Bullock, and Haddow 76). This system protects the government systems rather than the critical infrastructure. This is because approximately ninety percent of the critical infrastructures are in private sectors. Besides, the private sector companies can easily assess their systems to determine the required information protection.
Disasters in the past
Cyber attacks represent threats that lead to damages like loss of vital information. According to Brunner and Suter, the attack can come from any place in the universe, through phone calls, over the internet or any other network (432). Besides, it can come as a single attack or a combination; hence, tracing of intruders becomes difficult. Moreover, the intruders who attack information assurance, as well as the technology, possess advantages against the policies and procedures that are in place. For instance, Gayle explains that the Computer Emergency Response Team in the United States has a well-developed information assurance system, yet in the year 1998 it experienced a cyber attack increase of sixty-four percent (134). Furthermore, the security vulnerability of computer systems has increased to one per month.
In research done in 1980, the exposures to cyber-attacks have increased because of interconnectedness as well as interdependency of the information infrastructure (Holdren 36). For instance, in 1989, one of the employees in the New Jersey Engineering Company created a logic bomb that obliterated the computer system that controlled production. The bomb altered the computer backup files and permanently disabled the operations of the company. The reconstitution of the company files was inevitable leading to its closure. Consequently, the cyberattack does not only come from computer hardware and software but also people and the organization.
According to Chertoff, it is easier for a person to attack an information infrastructure due to the availability of opportunities for an information assurance incident (148). Incidents that are related to information assurance include viruses, intrusions as well as system failures. For example, the United Nations has a complex computer system yet incidents like system failure and viruses are common headings in the news.
Despite the advancement in technology, information assurance is still at risk of cyberattacks. Patterson states that viruses like Melissa and Chernobyl decrease an organization’s profit due to an increase in the cost for the lost products, network downtime as well as the eradication of the virus (300). For example, the eradication of a virus like Melissa can cost approximately eleven billion dollars.
Another form of cyber attack is the Denial of Service (DoS), which disrupts the availability of services to customers (Qian, Tipper, and Prashant 37). According to research done by the Federal Bureau of Investigation, approximately twenty-seven percent of the surveyed organizations had a DoS attack. In another survey, ninety percent of the security practitioners reported a DoS attack. In the year 2000, these attacks paralyzed the Yahoo and eBay websites, thus interfering with online businesses.
Finally, Brunner and Suter state that hackers attacked Rome Laboratory, which was an air force command as well as a research facility (412). They took over the support system that controlled the laboratory, created links to strange internet websites and stole research data. The incident consumed more than six hundred thousand dollars to evaluate the damage, make sure that the systems were trustworthy, eliminate the vulnerabilities and identify the attackers. Furthermore, the estimation of the missing data was difficult, although some lost files represented three years of research, which was equivalent to approximately five million dollars.
In another incident, British hackers attacked the Rome Laboratory and made one hundred intrusions on the internet (Raghav 7). As a result, the air force developed information assurance approaches for commanding, controlling and communicating with computers. They included the sensors, the surveillance machines, the computer engineering programs and artificial intelligence. During the implementation of information assurance approaches, the facility discovered a program called a sniffer that the attacker used to access the computer network. Therefore, the facility instituted information protective measures that bounced their internet connections from other stations.
The lesson learned from the past disaster is that the information infrastructure requires protection. This is because Raghav argues that many computers in the world connect via networks thus facilitating easy movement of attacks like viruses (51). As a result, an information assurance system is of great benefit. For example, the incident management approach is a good program because it helps in the prevention of the occurrence of a threat through preventive measures. Therefore, the public, the organizations and the nation should adopt this approach.
Additionally, information threats are real and expensive to eliminate. Moreover, they consume human resources as well as time. This is because when an attack occurs, the presence of information technology specialists is important. After all, they know how to tackle the issue. Besides, people spend time eradicating the threat rather than doing other productive work. For example, the Rome Laboratory incident led to a loss of billions of money. Therefore, people need to adopt protective measures. Examples of such measures are information assurance activities like policies and procedures that deny unauthorized people access to the computer networks of an organization.
Measures to protect information technology infrastructure
Information assurance is the best way of protecting digital technology because it does not only focus on computer software and hardware but also on the people. According to Patterson, protective measures include the development of policies and procedures, network design, network vulnerability assessment, training on information assurance, accreditation and certification of systems as well as Authentication, Authorization and Accounting Strategies (280). These information assurance measures produce effective and efficient results through assessment, training, collaboration, and implementation.
To begin with, the development of policies and procedures can be at international, national, state and local levels. This is because of the uniqueness of every organization and their ability to manage information assurance approaches. The policies and procedures are towards the security of the information infrastructure. According to Blyth, security specialists like Cyber core Technologies usually develop policies and procedures that protect the information system from the risk of shared network computing as well as accounting for usability (107).
These security specialists usually collaborate with the people working in an organization to ensure that information assurance policies are implemented. Boyse states that the information technology specialists usually review the processed, stored and accessed data in line with the governing policies and regulations (15). After the collection of relevant information, people are educated on policies and procedures concerning information assurance. This training is imperative because it empowers people with knowledge about cybersecurity, thus making them proactive in matters dealing with information assurance.
Moreover, people must work together in the development of policies and procedures that help in the achievement of information security. The involvement of every person in the policies and procedures development facilitates the effective and efficient implementation of information assurance approaches.
Network design is a protective measure that entails the amalgamation of the people, the products and the processes to implement the information assurance approaches (Coppola, Bullock, and Haddow 70). An effective and efficient information assurance approach usually uses the available and accessible products to develop information security. The process begins with the assessment of the ability of the existing network to protect the available information.
This is followed by the development of information assurance programs that eliminate vulnerabilities, detect threats and limit the potential performance. According to Gayle, several information assurance programs include the network architecture, integration, and engineering of systems, firewalls, detection of intrusions and Virtual Private Networks (131). These programs involve the modernization of technologies to facilitate information assurance. As a result, there is physical safeguard and protection of the network and information resources hence optimization of investment.
The principle of information assurance states that the center of a safe environment is the continued devotion to the components of valid and reliable security processes (Holdren 20). Therefore, security auditing is a component of a continuous information assurance procedure. For instance, the achievement of information protection can be through the decentralization of network control and centralization of the organization that has the responsibility of establishing as well as maintaining security.
This ensures that only a few people can access the security programs, thus enhancing information assurance. Chertoff states that network vulnerability assessment involves scanning of the information infrastructure (127). The process involves the identification and isolation of network vulnerabilities like viruses and intrusions. Besides, the process is collaborative and it involves the information technology specialists and the workers working together to detect and eliminate the vulnerabilities. This collaboration is imperative because it helps the workers acquire relevant knowledge for information assurance auditing.
According to Patterson, it is difficult to maintain digital security without making sure that every person who uses and manages information technology understands their responsibilities that relate to the mission of the organization, recognizes the security policies and the procedures of information technology and has knowledge about digital security (208). Therefore, training helps people to know their responsibility concerning information security as well as the proper use and protection of the digital technology assigned to them. Thus, organizations should ensure that people receive training in information assurance processes.
Additionally, Patterson states that accreditation of systems helps in the protection of information technology infrastructure (217). It entails risks mitigation after identification of security vulnerabilities and threats followed by the determination of suitable defensive measures. For example, the information technology specialist can develop a security verification program after the analysis, verification, and validation of the existing system.
Lastly, Authentication, Authorization and Accounting Strategies (AAA) assist in securing data (Qian, Tipper, and Prashant 57). The strategies include programs that support two-factor authentication and the public key infrastructure. These programs help in the identification of the users thus controlling access to information. For example, the program identifies the employees, the vendors and the customers who are in the system. The objective of identification is to increase productivity and security while decreasing the cost of managing the damage caused by prohibited users.
The business resiliency concepts of information technology
According to Raghav, cost-effective information assurance programs focus on efficient use of resources through concentrating on actions that have the greatest risk mitigation for any expenditure (46). Therefore, during the assessment of the cost-effectiveness of an information assurance program, one needs to consider a variety of factors. This consideration is important because it helps one select an information assurance program that is easy to establish and maintain.
To begin with, operating information is a critical factor (Blyth 149). An initiative that operates with full information is of value because it allows access to data about threats and protective measures. These initiatives include the sharing of information and the use of a valid communication network. Besides, they facilitate the maintenance of information assurance programs and procedures. This is because people have access to information about cybersecurity hence they know what to do in case of a threat.
Secondly, addressing the issue of long-term tradeoff is imperative in establishing cost-effective information assurance programs (Chertoff 56). This is possible through the development of policies and procedures that allow the government to collaborate with the private sectors. This is because the collaboration will facilitate the use of long-term approaches to the Critical Infrastructure and Key Resources protection.
Finally, Patterson states that matching of the economic incentives of all partners of the Critical Infrastructure and Key Resources facilitates effective and efficient implementation of the information assurance activities (221). This is through permitting the government and the private sectors to implement procedures that are within their interest while supplementing resources in appropriate sections only. Moreover, this approach enhances the existing efforts that are effective and consistent with excellent business practices. This is because people have the freedom of choosing an information assurance activity that suits their needs.
Conclusion
In conclusion, information assurance is imperative in addressing technology insecurity because its complex nature enables it to deal with numerous problems. To begin with, information assurance is critical within the national strategy because a cyber attack is a great hindrance to the growth of a nation. As a result, the nation should have appropriate information assurance programs that eliminate the threats. For instance, the establishment of processes that makes the information technology sector more resistant is imperative. This is because information assurance relates to other sectors due to the existence of dependencies and interdependencies. Therefore, many countries have information assurance approaches defined in the protection programs.
Additionally, many countries have had the experience of cyberattacks in the past. This prompted them to institute measures to protect information technology infrastructure. Besides, due to the economic difficulties that exist in various places, many people have adopted the business resiliency concepts of information technology because it is cost-effective. Finally, information assurance is imperative in the current world where many people depend on digital technology. As a result, people should strive to adopt effective and efficient information assurance initiatives.
Works Cited
Blyth, Andrew. Information Assurance: Security in the Information Environment. New York: Springer, 2010. Print.
Boyse, George. Information Assurance: Managing Organisation IT Security Risks. United States of America: Butterworth Heinemann, 2010. Print.
Brunner, Elgin, and Manuel Suter. “International CIIP Handbook: An Inventory of 25 National and Seven International Critical Information Infrastructure Policies.” Center for Security Study ETH Zurich 2.33 (2008): 400-451. Print.
Chertoff, Michael. “National Infrastructure Protection Plan: Partnering to Enhance Protection and Resiliency.” US Department of Homeland Security 1.1 (2009): 20-102. Print.
Coppola, Damon, Jane Bullock, and George Haddow. Introduction to Homeland Security: Principles of All-Hazards Response. United States of America: Butterworth Heinemann, 2008. Print.
Gayle, Lewis. Critical Infrastructure Protection in Homeland Security: Defending a Networked Nation. New Jersey: John Wiley and Sons Publisher, 2009. Print.
Holdren, John. Networking and Information Technology Research and Development. New York: Diane Publishing Company, 2008. Print.
Patterson, Cynthia. Critical Information Infrastructure Protection and the Law: An Overview of Key Issues. Washington DC: National Academic Press, 2010. Print.
Qian, Yi, David Tipper, and Krishna Prashant. Information Assurance: Dependability and Security in Networked Systems. Oxford: Oxford Publisher, 2010. Print.
Raghav, Rao. Information Assurance, Security and Privacy Services. United Kingdom: Emerald Group Publishing, 2009. Print.