The Concept of Information Security(IS) Â has undergone changes from the days of BS 7799 to current days. Initially Information Security was defined asÂ as “Protecting the “Confidentiality”, “Integrity” and “Availability” of Information”. Subsequently as BS7799 evolved into ISO 27001 and new frameworks such as COBIT 5 have extended the “Information Security” concept to “Information Assurance” and added Authenticity and Non Repudiation as two other factors in defining Information Assurance. (IA).
Though this IA model used the term “Non Repudiation” as an essential goal of securing information, it was not however clear if “Non Repudiation” was strictly a “Technical” aspect or a “Legal Aspect”. Hence even the term IA appears to be not fully reflective of what the undersigned (Naavi) has been advocating as “Three Dimensional Approach to Information Security” which is inclusive of Technical, Legal and Behavioural Science aspects.
Naavi’s approach has been to redefine the end objective of Information Security by stating the goal as “Protecting the InformationÂ Owner” which is inclusive of but beyond “Protecting the Information”. This approach recognizes that the Information owner by virtue of possessing the information is exposed to certain risks of “liability” and “Security” should mean “Protecting the information owner” from such liability. The liability arises because the information was not secured properly and hence “protecting the information owner from liability” includes “Protecting the information”.
Since “Liabilities” arise because of laws applicable to information handling, this approach was recognized as “Techno Legal Information Security”. After pursuing this “Techno Legal Approach to Information Security” for several years, in order to provide clear guidance to IS practitioners, Naavi postulated that IS Motivation needs to be addressed over five different elements namely “Awareness”, Acceptance”, “Availability”, “Mandate” and “Inspiration”. These five elements were placed as walls of a Pentagon that was required to be completed for a good IS implementation program.
The “Theory of IS Motivation” (TISM) and the “Pentagon Model” gave a new direction to the IS approach. The model went beyond employee training (Awareness) into obtaining employee commitment (acceptance) and creating an environment where employees would feel inspired. Similarly the “Mandate” included both external legal mandate as well as internal HR mandate.Â The three dimensional approach of Naavi to IS therefore presented a different approach to the existing approaches which included “people” as a factor of IS implementation policy.
In all the above approaches the offer from the IS community to an organization was that “Here is an IS/IA framework. If you comply, you are compliant. If not, you are non compliant”.This either 1 or 0 approach meant that before an organization embarked on an IS audit, they should be reasonably sure of their readiness. Otherwise there was a definite risk of an audit Â ending in a negative report which the management would find a waste of resource. Many managements were therefore hesitant of undertaking an “Audit”.
There was therefore a need to find a method by which one could break up the ideal information security implementation into smaller implementation milestones. In other words like in the CMMI approach there had to be “Levels” in IS implementation. Â However purists in IS found this concept of “Levels” in information security unacceptable since we accept the old adage “Security is as weak as its weakest link”.
Rather than suggesting Â that companies Â should adopt the entire IS framework in one single step or remain non compliant it is felt that we need to find Â a way to sub divide the IS implementation by creating levels based on the IS objective.The Total Information Assurance Framework (TIAF) developed by Naavi addresses this need as Â depicted in the form of Â “Naavi Pyramid” as follows:
The Naavi Pyramid divides the Total Information Assurance based on the three dimensional pentagon model of IS motivation into five progressively implementable levels based on the well known five principles of Information Security accepted by the current IS and IA practitioners.The five principles of Information Assurance have been placed in this model as five hierarchial levels starting from “Availability” through “Integrity”,”Confidentiality”, Authentication” and “Non Repudiation”. The hierarchy of levels move from the easiest to the more difficult aspects of IS/IA implementation. The five elements of the TISM pentagon run through all the five levels but with different objectives.
At each of the five levels the five TISM elements (Awareness, Acceptance, Availability, Mandate and Inspiration) will also undergo changes since the objectives change. At the end of the Level V, the organization would have achieved a level of security which will also pass the test of a HIPAA-HITECH audit or ITA 2008 audit or ISO 27001 audit or the COBIT Audit.
It may be necessary to consider a further sub division of each level into perhaps A/B/C stages indicating “Adoption”, “Implementation” and “Achievement” as the stages of achievement within each level. The fine distinction between these sub divisions may be left to the auditor to judge from the “Commitment” shown by the management, the “Ability” of the work force and “Sustainability” of what has been implemented.
This hierarchial approach to Information Assurance provides the management with some realizable goals and a perceivable return on investment at each level. It makes a “Modular Approach” to Information assurance possible.
Hence this approach is titled Total Information Assurance Framework For Modular Implementation (TIAF4MI) This is a huge motivational factor for any management and hence has a better probability of adoption.
For actual implementation, there is still a need for Â IA specifications. Such a detailed specification list under TIAF4MI is being developed.
The TIAF4MI is therefore an approach which incorporates the best practices inherent in the current IS and IA practices and increases the acceptability amongst corporate managers. Hopefully the industry will respond positively to this new approach to Information Security and Information Assurance.