
L2: DEVELOPING AN INFORMATION ASSURANCE STRATEGY
BSIT-3A | INFORMATION ASSURANCE AND SECURITY 1

COMPREHENSIVE
- The strategy must understand the organization to be effective; it should be
relatable, practical, and address the organization entirely.
- Strategic, Tactic, and Operational

INDEPENDENT
- When developing the organization’s info assurance strategy, its content should be
detailed, refined, and independent, meticulously aligned to the organization's
mission and vision and other concerns.

LEGAL AND REGULATORY REQUIREMENT
- Info assurance in an organization must be consistent with and comply with
existing laws.

LIVING DOCUMENT
- Must be well documented and updated at regular intervals, to keep up with
changing business requirements and with laws as they are amended.

LIFE LONG SPAN
- The business world is a dynamic environment; change happens amazingly
fast, and thus info assurance must cope with these changes.

CUSTOMIZABLE AND PRAGMATIC
- The info assurance strategy needs to be flexible.
- It should be able to cater to a broad spectrum of the organization.

RISK-BASED APPROACH
- Organizations must identify their risk profile and prioritize the risks in it.
- The strategy must take into consideration the mid-term and short-term plans.

ORGANIZATIONALLY SIGNIFICANT
- The strategy is part of the organization and is significant in all aspects of the
organization's existence and operation.

STRATEGIC, TACTICAL, AND OPERATIONAL
- Provides a framework for the organization’s top management.

CONCISE, WELL-STRUCTURED AND EXTENSIBLE
- Must be carefully constructed and structured so it can be extended.

_______

L3: INFORMATION ASSURANCE CONCEPT


BSIT-3A | INFORMATION ASSURANCE AND SECURITY 1 | 02/09/23

HACKERS
➔ White
➔ Black
➔ Gray

INFORMATION ASSURANCE MODEL (three dimensions)

SECURITY SERVICES
1. Availability
2. Integrity
3. Authentication
4. Confidentiality
5. Non Repudiation

INFORMATION STATES
1. Transmission
2. Storage
3. Processing

SECURITY COUNTERMEASURES
1. Technology
2. Policy and Practice
3. People

DEFENSE IN DEPTH

CONFIDENTIALITY
- Sensitive info is shared with the intended receiver only.
- It cannot be disclosed to anyone else, even while in transit.
- Only an “Authorized User” can modify this info.

INTEGRITY
- The state of trueness of the info, ensured by making sure the info is not tampered
with or modified unless by APO (Authorized Personnel Only).

NON REPUDIATION
- Ties an existing signature on certain data to the owner of the signature key pair
that could have generated it, so the owner cannot deny having signed.

AUTHENTICATION
- The process of identifying or recognizing a user’s identity.

AVAILABILITY
- A security feature which ensures the info is available for use in a timely
manner, if not always.
- Storage and hardware maintenance are observed.

COMMON THREATS

THREATS - potential events that may cause the loss of info assets.
- A threat may be natural, deliberate, or accidental.

Threats can be grouped into 4 divisions, namely:

1. Force Majeure
2. Deliberate Act
3. Human Failure
4. Technical Failure

Common Threats against Information Assurance:

1. SOFTWARE ATTACKS
- Malicious application programs, like viruses and worms, that solicit info
for illegal purposes or activities.
- Can be picked up from using EXTERNAL DRIVES or MEMORY STICKS, or from
VISITING PORNOGRAPHIC SITES or UNTRUSTED WEBSITES.
- A piece of code or software program that is hostile, intrusive,
malicious or at least annoying.
- It penetrates the system, resulting in damage to the system.

2. THEFT OF INTELLECTUAL PROPERTY
- Intellectual property is any work or invention that is the result of human
intellect or creativity (e.g. patents, copyrights, trademarks for design,
manuscripts, formulas, prototypes).

- Stolen intellectual property can have a big impact on the
business; it can even result in loss of business.

3. IDENTITY THEFT
- Fraudulent acquisition and use of someone else's identity.
- Usually done for financial gain or to gain entry to a
secured/restricted area.

4. THEFT OF EQUIPMENT OR INFORMATION
- Any equipment that may contain or can access information (e.g.
laptops, tokens, badge cards); one is stolen every 53 s.
- This can result in a data breach, since laptops are commonly used
as workstations.

5. SABOTAGE
- Relationships within an organization can become excessively
competitive, resulting in severed relationships with co-workers.
- Managing relationships within and outside the organization is
also an important aspect of information assurance.

6. INFORMATION EXTORTION
- Cyber extortion - it is an online crime in which hackers hold your
data, website, computer system, or other sensitive information
hostage until you meet their demand for payment.

VULNERABILITIES - any weakness.
- Other conditions in an organization that a threat actor such as a hacker,
nation-state, disgruntled employee, or other attacker can exploit to
adversely affect data security.

CYBER VULNERABILITIES - typically a subset of those weaknesses, focused on
issues in the IT software, hardware, and systems an organization uses.

CONTROL

Control guidelines must tackle components like:

1. Gaps in business processes
2. Education and Training
3. Physical Security

CONTROLS - protective measures or mechanisms that reduce risks.

Three types of controls are used to meet the needs of an organization:

1. MANAGEMENT CONTROL
● Security controls that are strategic and suitable for planning and
monitoring purposes.
Example:
○ Information assurance policy
○ information assurance risk management exercises

2. OPERATIONAL CONTROLS
● Controls used in day-to-day operations to ensure the secure
execution of business activities.
Example:
○ Mechanisms or Tools for IT support and operation
○ Physical and Environmental security controls
○ Information security incident-handling process and procedures

3. TECHNICAL CONTROLS
● Possible technical and physical implementations of information
assurance solutions and recommendations.
Example:
○ Access Controls
○ Security Audit
○ Monitoring Tool

CRYPTOLOGY

CRYPTOLOGY
- In its earliest form, people were trying to HIDE INFORMATION that they wished to
keep in their own possession.
- This was done by replacing word components with symbols, numbers, and images.

CODE AND CIPHERS
- A code differs from a cipher in that a code replaces letters, whole words, or phrases
with code groups (numbers and/or words) that stand in for the plain text.
- An encoded message needs a codebook to translate the code back to plain text.

Two basic concepts when dealing with CRYPTOLOGY:

1. MASKING - usually leads to substitution.
- Substitute a letter with a number or symbol.
2. VEILING - usually leads to transposition.
- Transposition is not really a full-fledged cipher method on
its own, but it can form, and usually is used as, one stage of a more
complex cryptosystem.

Caesar’s Substitution:

CAESAR CIPHER - the simplest mono-alphabetic substitution one may use.
