What is involved in Information assurance
Find out what the related areas are that Information assurance connects with, associates with, correlates with or affects, and which require thought, deliberation, analysis, review and discussion. This unique checklist stands out in the sense that it is not per se designed to give answers, but to engage the reader and lay out an Information assurance thinking-frame.
How far is your company on its Information assurance journey?
Take this short survey to gauge your organization’s progress toward Information assurance leadership. Learn your strongest and weakest areas, and what you can do now to create a strategy that delivers results.
To address the criteria in this checklist for your organization, extensive selected resources are provided for sources of further research and information.
Start the Checklist
Below you will find a quick checklist designed to help you think about which Information assurance related domains to cover and 219 essential critical questions to check off in that domain.
The following domains are covered:
Information assurance, Anti-virus software, Business continuity, Business continuity planning, Computer emergency response team, Computer science, Corporate governance, Data at rest, Data in transit, Disaster recovery, Factor Analysis of Information Risk, Fair information practice, Forensic science, ISO/IEC 27001, ISO/IEC 27002, ISO 17799, ISO 9001, IT risk, Information Assurance Advisory Council, Information Assurance Collaboration Group, Information Assurance Vulnerability Alert, Information security, Management science, McCumber cube, Mission assurance, PCI DSS, Reference Model of Information Assurance and Security, Regulatory compliance, Risk IT, Risk Management Plan, Risk assessment, Risk management, Security controls, Security engineering, Systems engineering:
Information assurance Critical Criteria:
Discuss Information assurance tactics and give examples utilizing a core of simple Information assurance skills.
– How do we go about Comparing Information assurance approaches/solutions?
– Is an Information assurance Team Work effort in place?
– What are our Information assurance Processes?
Anti-virus software Critical Criteria:
Graph Anti-virus software adoptions and arbitrate Anti-virus software techniques that enhance teamwork and productivity.
– Does each mobile computer with direct connectivity to the internet have a personal firewall and anti-virus software installed?
– What are the success criteria that will indicate that Information assurance objectives have been met and the benefits delivered?
– Is anti-virus software installed on all computers/servers that connect to your network?
– Is the anti-virus software package updated regularly?
– What are specific Information assurance Rules to follow?
Business continuity Critical Criteria:
Understand Business continuity projects and research ways we can become the Business continuity company that would put us out of business.
– Who will be responsible for leading the various BCP teams (e.g., crisis/emergency, recovery, technology, communications, facilities, Human Resources, business units and processes, Customer Service)?
– We should have adequate and well-tested disaster recovery and business resumption plans for all major systems and have remote facilities to limit the effect of disruptive events. Do we comply?
– Has specific responsibility been assigned for the execution of business continuity and disaster recovery plans (either within or outside of the information security function)?
– Has the organization established an enterprise-wide business continuity/disaster recovery program that is consistent with requirements, policy, and applicable guidelines?
– Does our business continuity and/or disaster recovery plan (BCP/DRP) address the timely recovery of our IT functions in the event of a disaster?
– Will Information assurance have an impact on current business continuity, disaster recovery processes and/or infrastructure?
– Which data center management activity involves eliminating single points of failure to ensure business continuity?
– How will management prepare employees for a disaster, reduce the overall risks, and shorten the recovery window?
– Who will be responsible for deciding whether Information assurance goes ahead or not after the initial investigations?
– What is the role of digital document management in business continuity planning management?
– Does increasing our company's footprint add to the challenge of business continuity?
– Does the crisis management team include members from Human Resources?
– Is there a business continuity/disaster recovery plan in place?
– What is business continuity planning and why is it important?
– What are the short and long-term Information assurance goals?
– Do you have a tested IT disaster recovery plan?
– Are there Information assurance Models?
Business continuity planning Critical Criteria:
Administer Business continuity planning engagements and revise understanding of Business continuity planning architectures.
– Who will be responsible for documenting the Information assurance requirements in detail?
– Does our organization need more Information assurance education?
– What are the long-term Information assurance goals?
Computer emergency response team Critical Criteria:
Be clear about Computer emergency response team tasks and improve Computer emergency response team service perception.
– Do you monitor security alerts and advisories from your system vendors, Computer Emergency Response Team (CERT) and other sources, taking appropriate and responsive actions?
– Marketing budgets are tighter, consumers are more skeptical, and social media has changed forever the way we talk about Information assurance. How do we gain traction?
– What business benefits will Information assurance goals deliver if achieved?
Computer science Critical Criteria:
Recall Computer science tasks and mentor Computer science customer orientation.
– Is Information assurance Realistic, or are you setting yourself up for failure?
Corporate governance Critical Criteria:
Experiment with Corporate governance decisions and get answers.
– Among the Information assurance product and service cost to be estimated, which is considered hardest to estimate?
– Which individuals, teams or departments will be involved in Information assurance?
– Why should we adopt an Information assurance framework?
Data at rest Critical Criteria:
Have a meeting on Data at rest failures and find the essential reading for Data at rest researchers.
– What are the key elements of your Information assurance performance improvement system, including your evaluation, organizational learning, and innovation processes?
– What is the source of the strategies for Information assurance strengthening and reform?
– Meeting the challenge: are missed Information assurance opportunities costing us money?
Data in transit Critical Criteria:
Substantiate Data in transit tactics and figure out ways to motivate other Data in transit users.
– Do those selected for the Information assurance team have a good general understanding of what Information assurance is all about?
– How will we ensure seamless interoperability of Information assurance moving forward?
– Can we do Information assurance without complex (expensive) analysis?
Disaster recovery Critical Criteria:
Distinguish Disaster recovery goals and develop and take control of the Disaster recovery initiative.
– You work as a network administrator for McRobert Inc. The company has a TCP/IP-based network. Which of the following information should be documented to facilitate disaster recovery?
– What actions start the master disaster recovery plan (DRP), business recovery plan (BRP), and emergency recovery plan (ERP)?
– Can the customer work with you to conduct separate disaster recovery tests in order to test/validate readiness?
– Are there any promotions being done in your local area by government or others that you can take advantage of?
– Can existing lines of credit be accessed (and increased if necessary) to fund the reopening of the business?
– What is the best strategy going forward for data center disaster recovery?
– Are the actions taken to restart appropriate, and do they minimize downtime?
– Where does recovery fit within the other phases of emergency management?
– Disaster recovery site: what happens if the contractor's server is destroyed?
– How often do you fully test your disaster recovery capabilities?
– Does the building need to be secured against theft/vandalism?
– Will the post-disaster market change your customers' needs?
– Inside the new building what equipment is/goes where?
– What network connectivity services do you offer?
– How do we create backups for disaster recovery?
– Is there insurance covering equipment replacement needs?
– Was it efficient and effective pre-disaster?
– Is the disaster recovery server in scope?
Factor Analysis of Information Risk Critical Criteria:
Co-operate on Factor Analysis of Information Risk planning and remodel and develop an effective Factor Analysis of Information Risk strategy.
– What are our best practices for minimizing Information assurance project risk, while demonstrating incremental value and quick wins throughout the Information assurance project lifecycle?
Fair information practice Critical Criteria:
Do a round table on Fair information practice management and create Fair information practice explanations for all managers.
– Are there any disadvantages to implementing Information assurance? There might be some that are less obvious.
– Do we monitor the Information assurance decisions made and fine tune them as they evolve?
Forensic science Critical Criteria:
Categorize Forensic science visions and transcribe Forensic science as tomorrow's backbone for success.
– How do we manage Information assurance Knowledge Management (KM)?
– How can skill-level changes improve Information assurance?
– What is Effective Information assurance?
ISO/IEC 27001 Critical Criteria:
Accelerate ISO/IEC 27001 quality and attract ISO/IEC 27001 skills.
– What are the barriers to increased Information assurance production?
– How can you measure Information assurance in a systematic way?
ISO/IEC 27002 Critical Criteria:
Model after ISO/IEC 27002 failures and be persistent.
– What threat is Information assurance addressing?
– Are we Assessing Information assurance and Risk?
– Why are Information assurance skills important?
ISO 17799 Critical Criteria:
Consider ISO 17799 decisions and create ISO 17799 explanations for all managers.
– Is Information assurance Required?
ISO 9001 Critical Criteria:
Administer ISO 9001 adoptions and find the ideas you already have.
– Does a supplier having an ISO 9001 or AS9100 certification automatically satisfy this requirement?
– Is the Information assurance organization completing tasks effectively and efficiently?
– How will you measure your Information assurance effectiveness?
IT risk Critical Criteria:
Read up on IT risk tasks and summarize a clear IT risk focus.
– Do you have a good understanding of emerging technologies and business trends that are vital for the management of IT risks in a fast-changing environment?
– Nearly all managers believe that their risks are the most important in the enterprise (or at least they say so) but whose risks really matter most?
– To what extent is your company's approach to ITRM aligned with the ERM strategies and frameworks?
– Is there disagreement or conflict about a decision/choice or course of action to be taken?
– People risk: Are people with appropriate skills available to help complete the project?
– What best describes your establishment of a common process, risk and control library?
– What information handled by or about the system should not be disclosed and to whom?
– Could a system or security malfunction or unavailability result in injury or death?
– Who performs your company's information and technology risk assessments?
– How will investment in ITRM be distributed in the next 12 months?
– Methodology: How will risk management be performed on projects?
– What is the purpose of the system in relation to the mission?
– Is there a common risk language (taxonomy) that is used?
– To what extent are you involved in ITRM at your company?
– How much system downtime can the organization tolerate?
– Does the board have a manual and operating procedures?
– What drives the timing of your risk assessments?
– What is the Risk Management Process?
– How will we pay for it?
– What could go wrong?
Information Assurance Advisory Council Critical Criteria:
Study Information Assurance Advisory Council planning and point out improvements in Information Assurance Advisory Council.
– What are the disruptive Information assurance technologies that enable our organization to radically change our business processes?
– How do we measure improved Information assurance service perception, and satisfaction?
Information Assurance Collaboration Group Critical Criteria:
Examine Information Assurance Collaboration Group tactics and get out your magnifying glass.
– Is maximizing Information assurance protection the same as minimizing Information assurance loss?
– How can the value of Information assurance be defined?
Information Assurance Vulnerability Alert Critical Criteria:
Weigh in on Information Assurance Vulnerability Alert risks and separate out the business goals Information Assurance Vulnerability Alert is aiming to achieve.
– What are your key performance measures or indicators and in-process measures for the control and improvement of your Information assurance processes?
– How likely is the current Information assurance plan to come in on schedule or on budget?
Information security Critical Criteria:
Air ideas re Information security leadership and look for lots of ideas.
– Has the organization established an Identity and Access Management program that is consistent with requirements, policy, and applicable guidelines and which identifies users and network devices?
– Does the ISMS policy provide a framework for setting objectives and establish an overall sense of direction and principles for action with regard to information security?
– Based on our information security Risk Management strategy, do we have official written information security and privacy policies, standards, or procedures?
– Are Human Resources subject to screening, and do they have terms and conditions of employment defining their information security responsibilities?
– If a survey were done asking organizations: Is there a line between your information technology department and your information security department?
– Do we have an official information security architecture, based on our Risk Management analysis and information security strategy?
– Is the risk assessment approach defined and suited to the ISMS, identified business information security, legal and regulatory requirements?
– Are information security roles and responsibilities coordinated and aligned with internal roles and external partners?
– What information security and privacy standards or regulations apply to the cloud customer's domain?
– Have standards for information security across all entities been established or codified into regulations?
– Is information security ensured when using mobile computing and tele-working facilities?
– How do we Identify specific Information assurance investment and emerging trends?
– How do we achieve a satisfactory level of information security?
Management science Critical Criteria:
Tête-à-tête about Management science planning and check on ways to get started with Management science.
– How do we make it meaningful in connecting Information assurance with what users do day-to-day?
– Who will provide the final approval of Information assurance deliverables?
– What are internal and external Information assurance relations?
McCumber cube Critical Criteria:
Align McCumber cube adoptions and reinforce and communicate particularly sensitive McCumber cube decisions.
– What will be the consequences to the business (financial, reputation, etc.) if Information assurance does not go ahead or fails to deliver the objectives?
– What role does communication play in the success or failure of an Information assurance project?
– How do we Lead with Information assurance in Mind?
Mission assurance Critical Criteria:
Analyze Mission assurance adoptions and budget for Mission assurance challenges.
– In what ways are we and Information assurance vendors interacting to ensure safe and effective use?
PCI DSS Critical Criteria:
Devise PCI DSS planning and display thorough understanding of the PCI DSS process.
Reference Model of Information Assurance and Security Critical Criteria:
Prioritize Reference Model of Information Assurance and Security issues and improve engagement with Reference Model of Information Assurance and Security results.
– What is the purpose of Information assurance in relation to the mission?
Regulatory compliance Critical Criteria:
Consult on Regulatory compliance tactics and test out new things.
– Does Information assurance include applications and information with regulatory compliance significance (or other contractual conditions that must be formally complied with) in a new or unique manner for which no approved security requirements, templates or design models exist?
– In the case of public clouds, will the hosting service provider meet their regulatory compliance requirements?
– Regulatory compliance: Is the cloud vendor willing to undergo external audits and/or security certifications?
– What are the top 3 things at the forefront of our Information assurance agendas for the next 3 years?
– What sources do you use to gather information for an Information assurance study?
– Do we all define Information assurance in the same way?
– What is Regulatory Compliance?
Risk IT Critical Criteria:
Nurse Risk IT goals and ask questions.
– Think about the people you identified for your Information assurance project and the project responsibilities you would assign to them. What kind of training do you think they would need to perform these responsibilities effectively?
– What other organizational variables, such as reward systems or communication systems, affect the performance of this Information assurance process?
– Risk Probability and Impact: How will the probabilities and impacts of risk items be assessed?
Risk Management Plan Critical Criteria:
Consider Risk Management Plan risks and create Risk Management Plan explanations for all managers.
– For your Information assurance project, identify and describe the business environment. Is there more than one layer to the business environment?
– Have you fully developed a Risk Management plan for any outsourcing agreement from inception to termination – for whatever reason?
– Has identifying and assessing security and privacy risks been incorporated into the overall Risk Management planning?
– Will new equipment/products be required to facilitate Information assurance delivery for example is new software needed?
– Has the Risk Management Plan been significantly changed since last year's version?
– What can we expect from project Risk Management plans?
Risk assessment Critical Criteria:
Sort Risk assessment governance and gather practices for scaling Risk assessment.
– Do we have a cyber Risk Management tool for all levels of an organization for assessing risk and showing how Cybersecurity factors into risk assessments?
– Are interdependent service providers (for example, fuel suppliers, telecommunications providers, meter data processors) included in risk assessments?
– With risk assessments, do we measure whether there is an impact on technical performance, and to what level?
– How frequently, if at all, do we conduct a business impact analysis (BIA) and risk assessment (RA)?
– Does the process include a BIA, risk assessments, Risk Management, and risk monitoring and testing?
– What operating practices represent major roadblocks to success or require careful risk assessment?
– Is the priority of the preventive action determined based on the results of the risk assessment?
– Do you monitor the effectiveness of your Information assurance activities?
– How often are information and technology risk assessments performed?
– Do you use any homegrown IT system for ERM or risk assessments?
– Are regular risk assessments executed across all entities?
– Who performs your company's IT risk assessments?
– Are risk assessments at planned intervals reviewed?
– What triggers a risk assessment?
Risk management Critical Criteria:
Debate over Risk management quality and question.
– Are we using Information assurance to communicate information about our Cybersecurity Risk Management programs including the effectiveness of those programs to stakeholders, including boards, investors, auditors, and insurers?
– Do regular face-to-face meetings occur with risk champions or other employees from a range of functions and entity units with responsibility for aspects of enterprise Risk Management?
– Is a technical solution for data loss prevention (i.e., systems designed to automatically monitor for data leakage) considered essential to enterprise risk management?
– To what extent is the company's common control library utilized in implementing or re-engineering processes to align risk with control?
– What has been the board's contribution to ensuring robust and effective Risk Management?
– Should supervisors be engaged deeply with risk measurements and Risk Management?
– Which standards or practices have you used for your IT risk program framework?
– Does the addition of a new service add a professional liability exposure?
– Does the company have an information classification and handling policy?
– Can I explain our corporate Cybersecurity strategy to others?
– Is the information shared consistent with the response plan?
– Are our Cybersecurity capabilities efficient and effective?
– What risks will the organization take on new initiatives?
– Which of our information is connected to the internet?
– When should risk be managed?
Security controls Critical Criteria:
Explore Security controls risks and point out improvements in Security controls.
– Are there multiple physical security controls (such as badges, escorts, or mantraps) in place that would prevent unauthorized individuals from gaining access to the facility?
– Does the cloud service agreement make its responsibilities clear and require specific security controls to be applied to the application?
– Are regular reviews of the effectiveness of the ISMS (including meeting of ISMS policy and objectives and review of security controls) undertaken?
– Do the security controls encompass not only the cloud services themselves, but also the management interfaces offered to customers?
– Can the cloud service provider demonstrate appropriate security controls applied to their physical infrastructure and facilities?
– Do we have policies and methodologies in place to ensure the appropriate security controls for each application?
– Does Information assurance systematically track and analyze outcomes for accountability and quality improvement?
– Is the measuring of the effectiveness of the selected security controls or group of controls defined?
– Does the cloud service provider have necessary security controls on their human resources?
– Do we have sufficient processes in place to enforce security controls and standards?
– Is Information assurance dependent on the successful delivery of a current project?
– Have vendors documented and independently verified their Cybersecurity controls?
– How much does Information assurance help?
– What are the known security controls?
Security engineering Critical Criteria:
Accumulate Security engineering adoptions and inform on and uncover unspoken needs and breakthrough Security engineering results.
– How do you incorporate cycle time, productivity, cost control, and other efficiency and effectiveness factors into these Information assurance processes?
– Which customers can't participate in our Information assurance domain because they lack skills, wealth, or convenient access to existing solutions?
– How does the organization define, manage, and improve its Information assurance processes?
Systems engineering Critical Criteria:
Discuss Systems engineering results and adopt an insight outlook.
– The complexity of our design task is significantly affected by the nature of the objectives for the systems to be designed. Is the task intricate, or difficult?
– How do we achieve sufficient predictability in developing the system so as to enable meaningful costed and time-bounded, resourced plans to be formed?
– What happens if new needs (or more likely new requirements) are identified after the final needs or requirements have been developed?
– Is the project using any technologies that have not been widely deployed or that the project team is unfamiliar with?
– How are you going to know that the system is performing correctly once it is operational?
– Do we have confidence in the reliability and robustness of the systems we design?
– Once the project is underway, how can you track progress against the plan?
– Is the funding for the project secure, or is only part of it in place?
– What kind of support for requirements management will be needed?
– How will the system be developed, operated, and maintained?
– Does the requirement have a verification method assigned?
– What is the geographic and physical extent of the system?
– What solution options may be appropriate?
– Where would we like to be in the future?
– How do we compare with the competition?
– What parts are connected to each other?
– Why model-based architectures?
– What are our objectives?
– Right implementation?
– What is a system?
This quick readiness checklist is a selected resource to help you move forward. Learn more about how to achieve comprehensive insights with the Information assurance Self Assessment:
Author: Gerard Blokdijk
CEO at The Art of Service | theartofservice.com
Gerard is the CEO at The Art of Service. He has been providing information technology insights, talks, tools and products to organizations in a wide range of industries for over 25 years. Gerard is a widely recognized and respected information expert. Gerard founded The Art of Service consulting business in 2000. Gerard has authored numerous published books to date.
To address the criteria in this checklist, these selected resources are provided for sources of further research and information:
Information assurance External links:
Title Information Assurance Jobs, Employment | Indeed.com
Information Assurance Training Center
[PDF] Information Assurance Specialist – GC Associates USA
Business continuity External links:
Login – Business Continuity Office
Computer emergency response team External links:
Pakistan Computer Emergency Response Team – Home | Facebook
CERT-GH – Ghana Computer Emergency Response Team
CERT.to – Computer Emergency Response Team for Tonga
Computer science External links:
Computer Science | School of Engineering
Electrical Engineering and Computer Science | South …
Corporate governance External links:
Briefing: Governance | Davis Polk | Corporate Governance
Morgan Stanley Corporate Governance
Proxy Insight | Voting & Corporate Governance Information
Data in transit External links:
Physical Security for Data in Transit – tcdi.com
Disaster recovery External links:
Cloud Migration and Disaster Recovery
Recovers – Community-Powered Disaster Recovery
South Carolina Disaster Recovery Office
Factor Analysis of Information Risk External links:
FAIR means Factor Analysis of Information Risk – All …
Factor Analysis of Information Risk FAIR Platform
ITSecurity Office: FAIR (Factor Analysis of Information Risk)
Fair information practice External links:
[PDF] FIPPs Fair Information Practice Principles – Office of …
Fair Information Practices are a set of principles and practices that describe how an information-based society may approach information handling, storage, management, and flows with a view toward maintaining fairness, privacy, and security in a rapidly evolving global technology environment.
Forensic science External links:
Forensic Science Program – George Mason University
Forensic Science Online Programs | University of Florida
What is Forensic Science (Staffordshire University)
ISO/IEC 27001 External links:
ISO/IEC 27001 Information Security | BSI America
ISO/IEC 27001:2013 is an information security standard that was published on the 25th September 2013. It supersedes ISO/IEC 27001:2005, and is published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) under the joint ISO and IEC subcommittee, ISO/IEC JTC 1/SC 27.
BSI Training – ISO/IEC 27001 Lead Implementer
ISO/IEC 27002 External links:
ISO/IEC 27002 is an information security standard published by the International Organization for Standardization (ISO) and by the International Electrotechnical Commission (IEC), titled Information technology – Security techniques – Code of practice for information security management.
ISO/IEC 27002:2013 (Book, 2013) [WorldCat.org]
ISO 17799 External links:
HIPAA, Sarbanes-Oxley, ISO 17799 – Gap Analysis – netlogx
ISO 9001 External links:
ISO 9001 : 2015 Certification – Chicago
Connersville, IN – ISO 9001:2008 – H&E Machine
Eagles Stainless | ISO 9001:2008 / ASME Coded
IT risk External links:
Magic Quadrant for IT Risk Management Solutions
Global Information Security and IT Risk Management Firm
Security and IT Risk Intelligence with Behavioral Analytics
Information Assurance Vulnerability Alert External links:
Information security External links:
Managed Security Services | Information Security Solutions
Title & Settlement Information Security
[PDF] TITLE: INFORMATION SECURITY MANAGEMENT …
Management science External links:
Management Science on JSTOR
Management science (Book, 1993) [WorldCat.org]
Management Science and Engineering
McCumber cube External links:
McCumber Cube Flashcards | Quizlet
Information Security Awareness: “The McCumber Cube” – YouTube
Mission assurance External links:
[PDF] Mission Assurance – IMSolutions, LLC – About Us
Mission Assurance Guide | The Aerospace Corporation
[PDF] Department of Defense Mission Assurance Strategy
PCI DSS External links:
PCI DSS Requirements | ControlScan PCI Compliance …
Reference Model of Information Assurance and Security External links:
A reference model of information assurance and security
Regulatory compliance External links:
Brandywine Drumlabels – GHS Regulatory Compliance …
Chemical Regulatory Compliance – ChemADVISOR, Inc.
Regulatory Compliance testing and certification
Risk IT External links:
Risk It! – Insight
WOULD YOU RISK IT?! | Handless Millionaire – YouTube
Extended Car Warranty Plans | Protect My Car Don’t Risk It
Risk Management Plan External links:
[PDF] ERA Risk Management Plan – National Archives and …
School Risk Management Plan – North Carolina
Risk Management Plan (RMP) Rule | US EPA
Risk assessment External links:
Healthy Life HRA | Health Risk Assessment
Hazard Identification and Risk Assessment | FEMA.gov
Ground Risk Assessment Tool – United States Army …
Risk management External links:
“Billions” Risk Management (TV Episode 2017) – IMDb
Risk Management Job Titles | Enlighten Jobs
Security controls External links:
SANS Institute – CIS Critical Security Controls
[PDF] Recommended Security Controls for Federal …
Security engineering External links:
Security Engineering Capability
Systems engineering External links:
Systems Engineering | IT Services Company | …
Department of Biological Systems Engineering | …
Systems Engineering and Operations Research