Implementing Information Assurance - Beyond Process

Abstract

Information Assurance (IA) has been around for decades and has finally obtained the attention it deserves. Ten years ago, the term "IA" was known only by small groups of security experts often labeled as 'paranoid' or 'rigid'. Today, IA is well known by most individuals involved with Government contracts, ranging from high-level executives to engineers of many disciplines. Many have sought information on IA processes through reading papers and attending briefings; however, many questions still loom concerning the nuts and bolts of baking IA into systems being developed. This time, let's forget the four-phase DITSCAP and the five-activity DIACAP and talk implementation. This paper goes beyond IA processes and addresses how to actually integrate IA requirements into your system. The paper delves deeper into the IA controls using Department of Defense Instruction (DoDI) 8500.2 as an example. It discusses in detail the technical, administrative, and physical controls required for many systems, summarizes what they mean, and provides guidance on how to implement them. Additionally, the paper covers product selection and what to do if a desired product is not on an approved products list. The paper also addresses the importance of establishing a secure baseline configuration on the products selected prior to software and application development. Implementing IA in system development is paramount to protecting all information systems from any form of compromise. If left ignored, not only would systems be more vulnerable to attack, they would also not be permitted to operate without obtaining the required Authorization to Operate (ATO). If you are looking for a good read on IA processes, our 2008 I/ITSEC paper, "DIACAP - Information Assurance Evolved", can be downloaded from the I/ITSEC site; however, if you truly crave knowledge on the nuts and bolts of implementing IA, beyond the process, you want to read this paper.

Document Details

Document Type
Technical Report
Publication Date
Jan 01, 2009
Accession Number
ADA514917

Entities

People

  • James Newkirk
  • Misty Piatek

Organizations

  • Booz Allen Hamilton

Tags

Communities of Interest

  • Cyber
  • Human Systems
  • Materials and Manufacturing Processes

DTIC Thesaurus Topics

  • Business Administration
  • Commerce
  • Computers
  • Computing Devices
  • Cross Domain
  • Department Of Defense
  • Education
  • Electronic Messaging
  • Governments
  • Information Assurance
  • Information Systems
  • Mobile Devices
  • Mobile Phones
  • Operating Systems
  • Simulations
  • Test And Evaluation
  • Training

Readers

  • Military History of the United States in the 20th Century.
  • Organizational Process Management (OPM).
  • Riverine Ecology