Join Mike Danseglio for an in-depth discussion in this video The information assurance model, part of Learning IT Security.
Yet another model or tool we can use to actually take a look at information security is something that's widely described as the Information Assurance Model. The National Security Agency of the US is a big proponent of the Information Assurance Model. They have slightly different terminology. A lot of the larger companies I've worked with have adopted this, either wholesale or with a very, very small modification. Corporate world has adopted pretty tightly and it's actually really, really useful. It's another one of those quick and dirty back of a napkin in a restaurant or sheet of paper while you're on a plane kind of tools to look at information security.
I think it's an exceptionally useful model and it gets us thinking in a slightly different way. To first start off, what is the Information Security Model all about or Information Assurance Model all about. It's really about thinking about the three key elements of asset protection. These are elements for defending. Not just defending one little thing like defending a USB stick or defending this particular service or defending this particular protocol. It's more about looking at a larger scale.
Looking at a department. Looking at an organization. Looking at a business, a line of business and saying, "How do I ensure that the information is secure here?" Then what is, again, the big picture for all of that. The Information Assurance Model defines these three elements, these three key elements as people, process and technology. That actually is a really good way to start to think about things. When I think about security, when I think about protecting assets, IT assets in general, I oftentimes, and most people do, forget about the people aspect and forget about the process aspect and they focus straight up on the technology.
What's the new router that I can stick in here or what's the new VPN tunneling protocol or what's the coolest new technology I can use for cryptography, for information crypto? That kind of thing without considering the bigger picture of technology plays a part in all information security, in all information assurance, but people do as well. The best technology in the world means nothing if people don't protect it appropriately, if people don't know what to do, what the Information Security Model is about or understand or even believe in it.
People can believe in things and technology can protect things, but if the process fails, if there's no process for processing data, for classifying data, for protecting assets, for connecting things, for deploying things. Without a concrete process, a defined, secure process, none of these works. All of these things play together to give us security. I'm going to go over all three of these difference elements separately and then show you how they tie together.