22 Sep 2022


Heavy Metal Engineering: A Strategic Information Assurance Strategy

Format: APA

Academic level: College

Paper type: Research Paper


Introduction 

Because of security concerns, institutions the world over must continuously seek protection and safety for their information assets. Regardless of the industry in which a firm operates, the need to protect its information assets is critical. For instance, consumer fraud through the internet is increasing, which causes financial losses as well as distrust in e-commerce websites. For such reasons, Information Assurance (IA) has been created with the objective of dealing with the trend in information security. Specifically, the importance of information assurance has extended to the attraction of funding resources, as is the case with Heavy Metal Engineering Company.

Heavy Metal Engineering (HME), a manufacturing organization that creates metal shell casings for very high-end washer and dryer products, has suppliers and customers worldwide, as well as worldwide offices. HME is looking to receive significant third-party funding for an international joint venture but was told it would be denied because it does not have any kind of Information Assurance plan to keep all data assets secure. The hired Information Assurance consultant is required to create a comprehensive IA strategy that includes a detailed overview of what Information Assurance entails, covering all the basics for an IA strategy (what will be protected and from what), and a plan or strategy for IA implementation, including a framework. The plan also includes a complete risk mitigation strategy that outlines the plans to mitigate risks associated with operating in the 21st-century workplace. Furthermore, the report selects an accrediting body to ensure IA is not only a process but also a part of organizational culture going forward, and sets out an incident response and disaster recovery plan in the event of intrusion and disaster.


Overview of What the Information Assurance Entails 

By definition, information assurance relates to the steps entailed in the protection of information systems such as computer networks and systems. As a term, information assurance was used first by the US government (Schou & Trimmer, 2004). It should be noted that information assurance is an interdisciplinary area that requires expertise in the fields of computer science, criminology, forensic science, information security, risk management, law, and systems engineering (Schou & Trimmer, 2004). The field of information assurance plays a fundamental role in the information infrastructure, which supports national security, health care, telecommunications, banking, and commerce. For such reasons, information assurance is more inclusive than information security: it entails not only detection and protection but also the dependability and survivability of information systems, which have been vulnerable to attack.

The field of information assurance spans five pillars: integrity, availability, authentication, confidentiality, and nonrepudiation (Kim & Solomon, 2016). The pillar of integrity involves ensuring that individuals do not tamper with information systems. In this case, information assurance maintains integrity by having anti-virus software in place, which ensures that data is not interfered with. Secondly, availability, as an element of information assurance, makes sure that information is made available to its users in a timely manner and that such users have reliable access to the information system. This process may entail protection against any form of threat that would hinder users' access to the information systems (Kim & Solomon, 2016). The pillar of authentication ensures that the users of the information systems are who they claim to be, which means that authentication is done using tokens, biometrics, passwords, and names, among other appropriate authentication credentials. The pillar of confidentiality is concerned with ensuring that information is kept confidential. For instance, confidentiality is critical within the military, in which only cleared people are supposed to gain access to classified information. Lastly, on nonrepudiation, information assurance considers that people who send data are provided with proof that it has been delivered to the target recipients, so that neither the sender nor the recipient can later deny having processed such information (Kim & Solomon, 2016).

Having described the pillars of information assurance, it is notable that the field entails all individuals as well as technologies that are employed in ensuring that the fundamental pillars described above are satisfied through the entire information systems lifecycle (Sadiku, Alam, & Musa, 2017). It is also noteworthy that the five pillars do not operate independently and that interactions among them could be problematic. For instance, the pillar of availability directly introduces a conflict with at least three other pillars: authentication, integrity, and confidentiality. However, as much as there could be other challenges in the same relationship, information assurance has the objective of ensuring that the five pillars operate smoothly for the goal of attaining information security as described in the definition of the technical term.

Information assurance promises the provision of efficient and effective approaches to the protection of information systems. Such a promise could be challenging to keep even with the use of the most advanced technologies and the most proficient Information Technology professionals. In this case, Kim and Solomon argue that the benefits of information assurance include organizational, strategic, tactical, and operational benefits, as indicated in figure 1 below. It is also described that a need exists for the production of information technology professionals who are more qualified in the field of information assurance, with the objective of meeting the shortages in workforce resources. Therefore, it is urgent that students in the fields of computer science, business, and engineering receive substantial training in information assurance. The training is critical because information assurance is a comparatively new field relative to others within the same information systems scope (Sadiku, Alam, & Musa, 2017).

Extant literature on the scope of information assurance suggests that the success of any policies in the field relies critically on the levels of compliance of employees (e.g. Sadiku, Alam, & Musa, 2017). In fact, it is posited within the latter cited study that the propensity for information assurance compliance could vary from person to person depending on their attitude as well as previous experiences with technologies. In this case, workers who have had positive experiences with the technologies are likely to have a positive attitude towards them, which suggests that they are likely to have a strong intention to comply with the adopted information assurance policies (Sadiku, Alam, & Musa, 2017).

Figure 1: The benefits of Information Assurance. Adapted from Sadiku, Alam, & Musa (2017).

A Plan and Framework for Information Assurance Implementation 

According to Otoom & Atoum (2014), the framework of strategic planning has three phases: strategy formulation, strategy implementation, and the evaluation of the strategy. HME, therefore, should understand the importance of the three phases as described within this section of the report. First, considering strategy formulation, the company should consider the primary objectives and goals of the process. In this case, the pillars of information assurance described in the preceding section of the paper should form the basis for the formulation of the objectives of the process. Specifically, the following should be the goals of the information assurance process undertaken at HME:

To ensure integrity of the information systems of the company through assuring the users of the system that no person will have the ability to interfere with the information 

To ensure the availability of data to desirable users at any time, which should be attained through dealing with any potential blockage to the accessibility of such information 

To ensure proper authentication systems for the users of the information contained within the information systems of the company through ensuring that only cleared individuals can access the data 

To ensure a high level of confidentiality, which will ensure that only cleared individuals have access to critical information of the organization

To ensure proper standards of nonrepudiation, which will be critical in dealing with accountability for the usage of the information systems infrastructure.

The targets of the information assurance process of the company should be to ensure that the firm benefits maximally from using such systems, as indicated in figure 1 above. Specifically, the targets of the process should be to attain the organizational, strategic, tactical, and operational benefits as highlighted below:

Organizational Targets 

The business should target improved value of shareholders through proper usage of information systems. 

The company should realize improved competitive advantage, especially in the obtainment of donor funding and client preference 

HME should gain a license to operate in more markets worldwide because of its reputation in information assurance processes

Strategic Targets 

The company should target to attain better and proper governance, which is critical for the attraction of more clients and financiers 

The firm should attain cheaper equity during the process of implementation of information assurance 

There should be a realization of more sales and improved productivity

During the implementation process, the business should realize lower costs of operation. 

Tactical Targets 

Following a successful implementation of the information assurance process, the organization should realize a better comprehension of the business opportunities within its industry 

HME should also attain profound commitment from business partners and customers

The organization should also attain easier compliance with the set standards of industrial operation 

The institution should also realize better control of its operating environment, especially in relation to information systems 

Operational Targets 

HME should target to build a resilient business process

The process should also attain better usage of information and information systems 

The firm should also realize improved levels of corporate responsiveness concerning the usage of information 

After a successful implementation of the information assurance plan, HME should realize improved customer service delivery

It is notable that the targets of the process of implementation of information assurance are defined from the overall objectives, which have strong foundations in both the pillars and benefits of information assurance. The three-step framework, Formulation-Implementation-Assessment, will be effective in ensuring HME institutes an effective information assurance plan. The objectives and targets of the process fit in as the strategy formulation part of the framework, especially when the management of the firm adopts a strategic approach to planning. In this case, the management of HME should identify the need for the adoption of the strategy, which is described in the targets that are further informed by the objectives described above. The process should identify the potential enhancers of and barriers to a smooth adoption of the strategy from both the internal and the external environments. Therefore, the organization should conduct the relevant analyses, such as SWOT analysis and others, which will help determine its position prior to the desired move.

During the implementation of the formulated strategy, the company management should use the identified metrics to determine the appropriate implementation strategy. Based on the findings in literature related to the barriers to an effective adoption of an information assurance strategy, the company must first address the issue of employee perception of the strategy (Otoom & Atoum, 2014). In this case, the management should assess the likely effects of the strategy on staff morale before proceeding to implement the plan. It is also known that the field of information assurance is relatively new, as indicated earlier, which implies that the company might experience a shortage of qualified staff required for an effective implementation of the plan (Kim & Solomon, 2016). For this reason, in addition to studying the potential effect of the process on staff morale, the firm should undertake appropriate training of its staff to ensure that it meets the described objectives. When the two fundamental procedures are completed, the organization should then undertake to acquire and install the required information systems resources, which might include, but are not limited to, security software, appropriate data administrators, and the related infrastructure (Kim & Solomon, 2016).

On the assessment of the strategy, the organization should use two major benchmarks: the effect of the adoption on staff morale and the attainment of the set objectives. In this case, the firm should use staff morale assessment tools of its choice. However, on the achievable targets, the firm should first categorize the objectives into short-term and long-term goals. In this case, the short-term goals will be used as a means of directing the long-term ones. The attainment of the long-term and short-term objectives would act as checks for the effectiveness of the strategies adopted.

Risk Mitigation Strategy for the Information Assurance Process 

The strategies of risk handling depend largely on the nature of such risks. For this reason, the organization should conduct an appropriate risk analysis procedure that will identify the nature of each risk in terms of its probability of occurrence as well as the magnitude of the effects that are likely to follow in the event of such an occurrence. Generally, five methods of risk handling for the different categories of risk exist. First, the team assigned to risk tracking and management might choose to assume the risk, that is, to accept it. In this case, the team will acknowledge the fact that a given risk exists before making a deliberate decision to accept its existence without undertaking special moves to deal with it (Kasser et al., 2013). The team could also choose to avoid the risk, in which case they would be required to adjust the system in such a way that the risk would be reduced or eliminated. Such an adjustment might happen through a change in the technical requirements, schedule, or funding. The third approach to risk handling is controlling the risk, which entails actions that would reduce the effect or the chances of occurrence of the anticipated risk. The fourth way of handling the risk is transferring, which involves reassigning organizational accountability, authority, and responsibility to other individuals within the scope of risk management who would be willing to accept and deal with it (Garvey, 2008). Lastly, watching as an approach to risk handling entails monitoring the environment for changes that alter the nature and impact of the risk. Figure 2 below indicates the categories of risks and the strategies of management that the company would wish to use.

Figure 2: Risk mitigation strategies. Adopted from Garvey (2009). Note: the most probable and most affecting risks on the nature of the information systems should be avoided, controlled, or transferred while the least should be watched or assumed.

An Accrediting Team That Controls the Information Assurance Strategy 

HME should cultivate a culture of information assurance within its workplace. Specifically, a need exists for the management to deal with issues of staff development, administrative practices, responsive program delivery, and procedures as well as policies that deal with information assurance. The IT department of the organization should be charged with ensuring the process is implemented according to the needs of the firm. The IT department should then work with the Human Resources department to hire an Information Assurance Compliance Officer who will be charged with performing security tests and evaluations to validate that the control systems put in place are in line with the specific industry or government standards (Duncan, 1996). The professional should then work with a team of other professionals that will be tasked with first training the existing staff on the importance of information assurance. In this case, the training should span issues such as the need for compliance with the defined information assurance standards, the dangers of breaching the policies, and other issues. The company could also choose to collaborate with existing institutions that deal with information assurance to train its staff on the same issues.

The administrative practices of HME should be such that they support the operations of the IT department to ensure adherence to the defined policies of information assurance as well as the training and development of staff to deal with the specific issues. To that end, the administrative scope of practice should define the punitive measures instituted against possible breaches of the set policies, improve funding for the project when necessary, and improve staff awareness of the importance of the project. The policies defined within the scope of the department should be those that aim to achieve the set standards, especially those inclined towards the realization of the set objectives and the specific targets.

Incident Response and Disaster Recovery Plan In Case of an Intrusion and Disaster 

HME may want to adopt a seven-step incident response strategy that it would use in the event of occurrence of the risks to its information systems. The first step would be to prepare for the occurrence of the risk, which means that the team concerned with the process should consider the manner in which it should handle the risk in the event of its occurrence. In this way, the team should learn to interpret the warning signs for the risk and establish incident notification processes (Whitman, Mattord, & Green, 2013; Kossiakoff et al., 2011). The procedure may also entail the creation of an incident containment policy, among others. The next step would be the identification of the real risk that occurred, which includes establishing its rate of occurrence. The step also entails checking the areas that might have been affected by the incident, which include excessive login attempts, network accounting, and others. The incidents should then be categorized into any of the groups as indicated in table 1 below.

Table 1: A classification of the categories of incidents of risk to information systems. Adapted from Whitman, Mattord, & Green (2013).

Step three of the process is containment, which entails limiting the magnitude and scope of the issue. During this process, the team should control the spread of the risk to information system resources that might not have been affected before. The next step should be to investigate the causes of the incident before the team conducts an eradication process for the same agents (Phoenix TS, 2018; OECD, 2013). The team should then conduct a recovery process that would restore the normal functioning of the system, and conduct a follow-up activity as the last step in the process.

Conclusion and Recommendation 

Because of security concerns, institutions the world over must continuously seek protection and safety for their information assets. Regardless of the industry in which a firm operates, the need to protect its information assets is critical. For instance, consumer fraud through the internet is increasing, which causes financial losses as well as distrust in e-commerce websites. For such reasons, Information Assurance (IA) has been created with the objective of dealing with the trend in information security. Specifically, the importance of information assurance has extended to the attraction of funding resources, as is the case with Heavy Metal Engineering Company. This report has recommended that the company adopt an information assurance policy that would be effective in the attainment of the objectives of information assurance. Specifically, the organization should hire the appropriate information assurance and security professional, who would be in charge of staff training and development as well as aligning the operations of the institution to meet the set targets. The firm should also show a commitment to the project through proper funding and improved staff awareness of the policies designed.

References 

Duncan, W. R. (1996). A guide to the project management body of knowledge. Cengage Learning. 

Garvey, P. R. (2008). Analytical methods for risk management: A systems engineering perspective. CRC Press.

Kasser, J., Hitchins, D., Frank, M., & Zhao, Y. Y. (2013). A framework for benchmarking competency assessment models. Systems Engineering, 16(1), 29-44.

Kim, D., & Solomon, M. G. (2016). Fundamentals of information systems security. Jones & Bartlett Learning.

Kossiakoff, A., Sweet, W. N., Seymour, S. J., & Biemer, S. M. (2011). Systems engineering principles and practice (Vol. 83). John Wiley & Sons.

Organisation for Economic Co-operation and Development (OECD). (2013). Emerging Risks in the 21st Century: An Agenda for Action. Paris: OECD Publishing.

Otoom, A., & Atoum, I. (2014). An Implementation Framework (IF) for the National Information Assurance and Cyber Security Strategy (NIACSS) of Jordan. arXiv preprint arXiv:1412.1141.

Phoenix TS (2018). The 7 Stages of an Incident Response Plan. Retrieved January 23, 2018 from https://phoenixts.com/blog/7-stages-incident-response-plan/

Sadiku, M. N., Alam, S., & Musa, S. M. (2017). Information Assurance Benefits And Challenges: An Introduction. Information & Security, 36.

Schou, C. D., & Trimmer, K. J. (2004). Information assurance and security. Journal of Organizational and End User Computing, 16(3), 1.

Whitman, M. E., Mattord, H. J., & Green, A. (2013). Principles of incident response and disaster recovery. Cengage Learning.

Cite this page


StudyBounty. (2023, September 15). Heavy Metal Engineering: A Strategic Information Assurance Strategy.
https://studybounty.com/heavy-metal-engineering-a-strategic-information-assurance-strategy-research-paper
