Johnston and Warkentin (2010) define information assurance (IA) as the “practice of ensuring that information within an organization is kept secure, reliable and private” (p.12). Johnston and Warkentin (2010) regard information assurance as a practice that provides organizational managers with the direction and security mechanisms for keeping information assets secure from various threats and aligning them with organizational mission, goals, and objectives.
According to Raval and Fichadia (2007) and Stallingsand Brown (2011), IA is the practice of managing risks when transmitting, storing, and processing data to ensure confidentiality, integrity, and availability (CIA) of information are enforced.
Information assurance policy
To ensure the CIA, the general, system, and issue-specific information assurance policies provide rules and directions for securing information assets to protect them against the risk of internal and external threats. The policy statement reads that all policies and procedures should be read and understood by those responsible for handling information assets (Stallings & Brown, 2011).
The scope of the policy covers confidently, availability, and integrity issues and ensures that risk management practices are implemented (Johnston & Warkentin, 2010). The policy defines the information owner, custodian, user, and emergency access to information (Posthumus & Von Solms, 2004).
How to achieve goals, mission, and objectives
Johnston and Warkentin (2010) emphasize that the goals, objectives, and the mission of an organization can be achieved at operational-tactical, strategic and organizational levels through asset identification, risk assessment, and by implementing a security discipline and ethical conduct within the organization.
The underlying principles which organizations can factor into the IA processes to succeed in securing Information assets include putting in place compliance measures, effective access controls, business continuity, asset management processes, and personnel security (Posthumus & Von Solms, 2004).
Facility management practices for threat protection
Organizations can manage the security of their facilities through the right coordination of space, people, organization, and infrastructure based on a classification of an effective information asset (Stallings & Brown, 2011). A secure environment consisting of people, processes, and technology and is achieved by putting in place security audits of security practices against anticipated and unanticipated threats (Johnston & Warkentin, 2010).
It involves conducting a series of inspections, interviews, and documentary reviews based on existing standards based on a crime prevention policy (Posthumus & Von Solms, 2004). The key elements organizations put in place to prevent information assets against threats include the use of quality locks and restricting access to organizational assets.
Security audits should focus on system management, internal security, perimeter protection, and emergency management. Security cameras, changes to door hardware, improved lighting, and initiating security controls provides organizations with the ability to counter threats (Stallings & Brown, 2011).
Applying Information assurance concepts and Basic security concepts
The Information assurance concepts, which can be applied to ensure that information is kept secure, include confidentiality, integrity, and availability (CIA). Johnston and Warkentin (2010) argue that information integrity can be applied to ensure that information is kept secure by using digital signatures and encrypting data on the transmission or when at rest so that information is not modified by unauthorized persons.
According to Johnston and Warkentin (2010), availability guarantees legitimate users information access when required. Accuracy, non-repudiation, and authentication enable users to verify the accuracy of the information and confirm that the claims made by parties exchanging information are accurate.
Johnston, A. C., & Warkentin, M. (2010). Fear Appeals and Information Security Behaviors: An Empirical Study. MIS quarterly, 34(3). 40-45.
Posthumus, S., & Von Solms, R. (2004). A framework for the governance of information security. Computers & Security, 23(8), 638-646.
Raval, V., & Fichadia, A. (2007). Risks, controls, and security: Concepts and applications. Hoboken, New Jersey: John Wiley & Sons.
Stallings, W., & Brown, L. (2011). Computer security: Principles and practice. Upper Saddle River, New Jersey: Prentice Hall.