Information Assurance (IA)
Information Assurance (IA) is the practice of managing information-related risks. IA practitioners seek to protect and defend information and information systems by ensuring confidentiality, integrity, and availability. These goals are relevant whether the information is in storage, processing, transit, or threatened by malice or accident.
In today's fast-paced, instant-delivery and interconnected environments, our future is tied to the integrity, availability and confidentiality of information. IA is needed now more than ever. Although it cannot be achieved through technology alone, it can be attained through a multilayered approach.
Our IA practitioners provide a multilayered approach to Information Assurance. Through this unique approach to IA, we provide robust solutions to a broad range of clients and industries. These solutions enable clients to boldly explore Information Assurance initiatives. Without a multilayered approach, something like a Department of Defense (DoD)-only information-sharing network could not succeed in protecting its information from dissemination to non-DoD parties.
IA is an agency- or company-wide effort, which begins with a mission-driven information technology policy and is ever evolving. The mission policy serves as the guide for all IA operations. Not only does IA require strong policy as its foundation, it also requires considerable investment in human capital through proper training, as well as proper implementation and securing of its technology. The entire IA process must be supported by management and combined into an evolving IA program.
Our multilayered approach addresses these two main areas of IA:
Certification & Accreditation (C&A)
Initiate and plan Information Assurance (IA) Certification and Accreditation (C&A) – conduct documentation reviews, prepare Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) packages and assist customers through final accreditation decisions.
Implement and validate assigned IA controls – review DIACAP packages for compliance with the goals of existing Industry Best Practices and DoD regulations, and conduct controls-based testing for compliance to measure the risk to the corporation or DoD.
Make the certification and accreditation recommendation – review documentation and Controls Validation Test (CVT) results to make an informed recommendation to the Chief Information Officer (CIO) or Designated Approving Authority (DAA) on whether the system should be granted an Authorization To Operate (ATO), Interim Authorization To Operate (IATO), Interim Authorization To Connect (IATC), Authorization To Connect (ATC) or Interim Authorization To Test (IATT).
Track accreditation sustainment – keep records on accreditation decisions and their expirations, review Risk Acceptance Requests (RAR) for new risks to the accredited system, and collect information to update the accreditation package prior to reaccreditation decisions.
Prepare for decommission – aid in preparing the paperwork required at the end of a system's lifecycle, and draft the Denial of Authorization to Operate (DATO) or Denial of Authorization to Connect (DATC).
Controls Validation Testing (CVT)
Develop test plan & schedule – prepare, coordinate and align resources and personnel so that testing is conducted with minimal impact on the customer or their mission.
Review DIACAP documentation – review the DIACAP Implementation Plan (DIP), System Identification Profile (SIP), Plan of Action and Milestones (POA&M) and System Security Questionnaire (SSQ) in order to streamline testing and reduce downtime for the customers' systems and their mission.
CVT methodology – use the IDT&O approach: we conduct Interviews, Documentation reviews, Testing with technical tools and Observations to build the best picture of the system under test.
Technical test – perform vulnerability testing using multiple scanning tools, both local and network-based, to collect as much information about the system as possible.
Analyze testing results – use multiple tools to organize the data collected from technical scans, reduce the number of false positives, provide accurate results and prioritize findings, so that the customer spends less time aligning the system with the goals of Industry Best Practices or DoD guidance.
POA&M – recommend and coordinate IA efforts through POA&M creation and updates, coordinate with system owners to aid them with mitigations for items found not in compliance with Industry Best Practices or DoD guidance, and assist through the Risk Acceptance Request (RAR) process for items in the POA&M that cannot be mitigated.
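As an added illustration of the "analyze testing results" and POA&M steps above (example code written for this page, not DECISIVE ANALYTICS' tooling), the following merges constructed findings from a host-based and a network-based scanner, drops items confirmed as false positives during interviews and observation, keeps the worst severity any tool assigned, and orders the resulting POA&M rows CAT I first. The severity-to-category mapping, the finding fields and the sample hosts are all assumptions.

```python
from collections import defaultdict

# Constructed sample findings from two scanners (one host-based, one network-based).
# The Telnet item on srv01 is reported by both tools and must collapse into one row.
SCAN_FINDINGS = [
    {"tool": "host-scan", "host": "srv01", "check": "telnet-enabled", "severity": "high"},
    {"tool": "net-scan", "host": "srv01", "check": "telnet-enabled", "severity": "critical"},
    {"tool": "net-scan", "host": "srv02", "check": "telnet-enabled", "severity": "critical"},
    {"tool": "host-scan", "host": "srv01", "check": "weak-password-policy", "severity": "medium"},
    {"tool": "net-scan", "host": "srv02", "check": "ssl-self-signed", "severity": "low"},
    {"tool": "net-scan", "host": "srv03", "check": "smb-signing-off", "severity": "medium"},
]

# (host, check) pairs confirmed as false positives by interview/observation (assumed input).
VERIFIED_FALSE_POSITIVES = {("srv02", "ssl-self-signed")}

# Assumed mapping from tool severities to DIACAP severity categories (CAT I is worst).
SEVERITY_TO_CAT = {"critical": "I", "high": "I", "medium": "II", "low": "III"}
CAT_RANK = {"I": 0, "II": 1, "III": 2}


def build_poam(findings, false_positives, non_mitigable=frozenset()):
    """Merge, de-duplicate and prioritize scan findings into POA&M rows.

    Returns rows ordered CAT I first, then by number of hosts affected.
    Checks listed in non_mitigable are marked for the Risk Acceptance Request path.
    """
    merged = defaultdict(lambda: {"hosts": set(), "cat": "III", "tools": set()})
    for f in findings:
        if (f["host"], f["check"]) in false_positives:
            continue  # verified false positive: never reaches the POA&M
        item = merged[f["check"]]
        item["hosts"].add(f["host"])
        item["tools"].add(f["tool"])
        cat = SEVERITY_TO_CAT[f["severity"]]
        if CAT_RANK[cat] < CAT_RANK[item["cat"]]:
            item["cat"] = cat  # keep the worst category any tool assigned
    rows = []
    for check, item in merged.items():
        rows.append({
            "weakness": check,
            "cat": item["cat"],
            "hosts": sorted(item["hosts"]),
            "corroborated_by": sorted(item["tools"]),
            "status": "RAR required" if check in non_mitigable else "Open",
        })
    rows.sort(key=lambda r: (CAT_RANK[r["cat"]], -len(r["hosts"]), r["weakness"]))
    return rows
```

A finding corroborated by both scanners, or one affecting several hosts, rises to the top of the list, which is the ordering a system owner needs when deciding what to mitigate first.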
Even though all layers are necessary, many organizations consider only one of these approaches to Information Assurance. DECISIVE ANALYTICS, drawing on the know-how of many experienced IA professionals, has brought its unique expertise and approach to Information Assurance to a variety of sectors, including the Department of Defense and the intelligence and corporate communities.