The Standard for IT Security Assurance: ISO 155443
Laptop Fingerprint Scanner
What is Information Assurance?
Information assurance or IA is part of information security. In information assurance, data is protected from unauthorized changes and deletions. This is part of information security’s mission to prevent unauthorized parties from seeing or altering data.
A common access control limit is permitting general users to view files but restricting the ability to modify or delete records. Then companies can ensure that no one can accidentally or intentionally modify or eliminate records except the few who have the authority to authorize new versions of those records.
Information assurance teams or IAT review access control limits, privacy policies and information security policies to ensure that only authorized people can view information that is sensitive or private. For example, an information assurance expert could verify that only doctors and nurses can view a patient’s medical files while a guest accessing the system to view appointment schedules could not.
Another area of information assurance is protecting personally identifiable information or PII. While an employee’s Social Security Number is contained within a personnel file, only payroll and the benefits department should be able to see this, not the employee’s coworkers or supervisor.
Another example is the information assurance of data on intranets and shared online workspaces. An information assurance expert could design and test a system to ensure that only contractors working on a project can view the drawings on that particular project while contractors on other projects do not have access to drawings except what they are working on.
Sections of Standard ISO 15443
ISO 15443-1 gives the framework for IT security assurance. ISO 15443 part 1 also outlines the need for periodic assurance assessment audits.
ISO 15443-2 outlines the methods that can be used to ensure IT security assurance. Different methods apply to different stages of the product design lifecycle. During the development of products like software, a risk analysis is performed to identify the most likely risks and greatest risks and then try to eliminate them or mitigate them as the software is coded and tested.
ISO 15443-3 describes the analysis of information technology security assurance methods. Different assurance methods will be used for different environments and user needs.
Methods of Ensuring Information Assurance
One option for ensuring information assurance is the use of biometrics to control access to terminals with sensitive information. The user must confirm his or her identity with a thumb print or retina scan before being allowed to access the information. Another option is the use of badges with RFID chips. Only someone with a badge with a built in chip referencing his or her access level can enter work areas where sensitive data is processed.
Dual factor authentication can be set up, requiring the entry of a personal identification number and code from a code generating key fob in addition to a user name and password before someone can access a database and enter or alter information. Confidentiality of information can be as simple as the placement of screens on either side of a monitor; when the doctor or nurse accesses patient records, passerby cannot read private information over the medical professional’s shoulder.
This list is by no means all inclusive. Refer to ISO 15443 and related ISO standards for more further recommendations endorsed by the ISO on ensuring information assurance, IT security and data quality.
Related Industry Standards for IT
ISO 15408-3 defines assurance classes, families and components that targets of evaluation must meet. ISO 15816 gives ISO’s recommendations on access control. ISO 27002 describes the appropriate methods of ensuring Human Resources security.
ISO standard 19792 applies to the protection of biometric system data such as fingerprints and retina prints. This industry standard for IT applies to mundane technologies like Apple's thumbprint recognition system.
ISO 27006 sets the requirements for bodies that audit and certify information security management systems or ISMS. ISO 13335 outlines the models for information and communication technology or ICT and securing it.
ISO 15408 outlines a set of Common Criteria or CC used for evaluation the IT security of different devices. The Evaluation Assurance Levels or EAL of the common criteria used to measure the performance of a device includes measurement of the information security assurance the device provides.