So What is an Information Assurance Requirement?


In attempting to assure their information, government organizations have struggled with having all those involved with this effort on the same page in understanding the real requirement. The first component that we need to understand is our requirements for information assurance.

Five items, confidentiality, integrity, availability, non-repudiation, and authentication, have become the somewhat traditional list of requirements. They are listed and defined in both DOD and other federal government documents, such as the National Information Assurance Glossary, published by the Committee on National Security Systems (CNSS) as Instruction Number 4009 (NSTISSC, 2004). But they may not be all-inclusive of the assurance requirements for every context in every organization.

The ISO security architecture reference model (ISO 7498-2) (ISO, 2004), for example, lists seven layers, reflecting a high-level view of the different requirements within network security, adding access control and notarization/signature to the traditional elements.

In a research note for the Gartner Group, Roberta Witty describes and defines several requirements in addition to the traditional five, including authorization, privacy, and noninterference (Witty, 2002).

Gurpreet Dhillon and James Backhouse also affirm some of the traditional requirements, while suggesting three additional principles contained in what they call RITE, which include responsibility, integrity, trust, and ethicality (Dhillon, 2000).

An even more expansive listing of potential requirements may include what Holmes Miller describes as the 10 dimensions of information quality, which include relevance, accuracy, timeliness, completeness, coherence, format, accessibility, compatibility, security, and validity (Holmes, 1996).

And finally, in addition to several of the potential requirements already listed, IBM researchers Anbazhagen Mani and Arun Nagarajan add the regulatory requirement to their list of major requirements for supporting Quality of Service (QoS) (Mani, 2003).

Which list do you follow? Some may argue that some terms are inherently contained within the definition of others: non-repudiation and authentication as parts of confidentiality, for example. Others argue for rolling the set of requirements back to circa 1991, when John McCumber described confidentiality, integrity, and availability as the information characteristics of his INFOSEC model (McCumber, 1991). But such arguments miss the point.

The rationale for defining requirements for information assurance with as much specificity as possible is to permit the later application of the most effective means of meeting those requirements. Generalizing requirements into an overly restrictive set of options may lead to unintended consequences. Generalization may increase the chance that incorrect or ineffective countermeasures or means of attaining assurance are applied, and that the specific intended assurance outcome is not attained. Generalization may also leave an organization ignorant of new and emerging requirements.

For example, take an assurance requirement for privacy. The new Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted to protect the privacy of patients' health and medical information. According to the U.S. Department of Health and Human Services, "The regulations protect medical records and other individually identifiable health information, whether it is on paper, in computers or communicated orally." HIPAA, in fact, includes a privacy rule that describes specific instances in which confidentiality, integrity, and availability should be considered. There are also many instances in which health information may be disclosed (U.S. Dept. of Health and Human Services, 2003). In this case the requirement, privacy, is not narrower than confidentiality alone, for example, but includes other elements of the traditional list as well. Simply viewing privacy as synonymous with confidentiality would be incorrect, and applying only countermeasures that protect against threats to confidentiality would be inadequate to meet the requirement for privacy.

If understanding the true information assurance requirement is the first step to providing effective information assurance, then an open mind to consideration of the nature of the specific requirement is necessary. Standard definitions may be useful for an academic understanding of requirements, but they should not be used to drive operational situations where real, specific assurance requirements must be met. Each organization that needs effective information assurance must first decide what its real requirement is, and must then ensure that the requirement is well understood throughout the organization.




Information Technology Security. Advice from Experts
ISBN: 1591402484
EAN: N/A
Year: 2004
Pages: 113
