"Information Assurance (IA)" is a new area which lacks formal definition and is dependent on many underlying Information Technology (IT) areas to succeed. At present, many efforts to effect IA focus narrowly on one or another of these underlying technologies. A comprehensive, "holistic" approach to IA is required if IA is to succeed. The IEEE Task Force on Information Assurance (TFIA) is being formed to provide a forum for the IA perspective on these underlying technologies; to give definition to "Information Assurance"; and to promote development of IA standards.
Please also read the IEEE Computer Society's thumbnail description of the IEEE TFIA.
Characteristics of the TFIA:
Formation of the Task Force on Information Assurance (TFIA) was approved in 2001 by the IEEE Computer Society's Technical Activities Board (TAB) to address the needs of Information Assurance (IA), a new, immature Information Technology (IT) area with a broad scope and an initial narrow focus. The proposal received by the TAB, written to conform with the TAB template, and the discussion below are intended to express the motivations for founding the TFIA.
IA is currently most closely associated with detection of and response to vulnerabilities and events relating to cyber attacks. This is the reactive-mode, narrow-focus environment beyond which IA must grow to succeed.
The broader scope of IA relates to the words “information” and “assurance”; to the scope of the U.S. Presidential Decision Directive 63 calling for protection of infrastructures critical to society; and to the fundamental need in IT for timely, undisturbed delivery of information to pre-determined recipients. IA relates directly to “knowledge management”.
Both in its broader scope and its current narrower focus, IA success depends on simultaneous successes in many underlying IT areas. In the narrow focus of the threat of cyber attacks, for example, the best cryptography will not ensure IA success if good software engineering does not avoid buffer overruns and memory leaks in creation of applications. In the broader focus, if the mechanisms to deliver information are incapable of doing so, then the resulting failure will have similar effects to cyber attacks. For example, unbalanced development between IT areas has created the following problem in delivery of information: storage capacity is growing ten times faster than storage throughput.
With the costs of responding to malicious code effects rising into the billions of dollars, a favorable climate exists for serious examination of information assurance beyond reacting to intrusions and patching vulnerabilities. This climate includes a growing appreciation for the need to 'lead the target' in technologies underlying IA and for these technologies to work in concert to effect IA. It also includes an appreciation of the possible product liabilities in marketing 'buggy' software and systems designed without care for vulnerabilities.
“The almost daily onslaught of computer viruses and attacks is prompting calls in the industry to bolt-in better security at the application development stage. Experts say if these escalating concerns among users are not addressed, application providers may become legally accountable.” Brian Fonseca, Tom Sullivan, Infoworld, August 12, 2001
“Security must be baked in, not painted on. [We] can't wait for evolution to produce better code. Security should be an integral part of your software life cycle process, beginning with design and continuing through development and testing.”
updated Tuesday, March 12,