IA Explained
While the term cybersecurity is often used to refer to the practice of securing electronic data, a more accurate and more appropriate term is information assurance (IA). The existence of two terms for the same concept is indicative of the rapid pace of change underlying cybersecurity. In fact, several terms are used to refer to the practice of securing electronic data, each contributing a specific meaning within the IA family.
Computer Security
The early use of access control to manage physical and logical security of electronic data. Components of access control include process controls associated with the security aspects of identity, authentication, authorization, and accountability (Whitman & Mattord, 2017).
Cybersecurity
Refers to ensuring the confidentiality, integrity, and availability (CIA) of electronic data in all of its varied forms, whether at rest, in motion, or in use, and regardless of whether it resides in the information technology (IT) domain, the operational technology (OT) domain, or the internet-of-things (IoT) domain (Whitman & Mattord, 2017). Cybersecurity is closely associated with network security and TCP/IP.
Information Security
Concerns the security of electronic information (InfoSec). Electronic information is electronic data that has meaning. From that meaning, information derives its value, the value InfoSec professionals seek to quantify and protect. Information may be in the process of being analyzed, visualized, or transformed. Regardless of its state, it must remain secure. Securing information throughout its life requires architecting, implementing, and maintaining operating systems, applications, file systems, and the hardware that runs them (Whitman & Mattord, 2017).
Information Assurance (IA)
Ensures that information systems protect private, sensitive information. IA is closely linked with risk management. An organization, such as a business, identifies its information assets and the systems and applications that store, process, and communicate them. It estimates the vulnerability of those assets to attack, whether by disclosure (a loss of confidentiality), modification (a loss of integrity), or disruption (a loss of availability), and it quantifies the effect, usually in dollars, of those unwanted occurrences. From this, a risk assessment can guide an organization on how to devote personnel and capital resources to protect its information (Klump, 2018).
Today's CISO implements IA policies through a GRC framework from the executive level, with the understanding and approval of the board of directors, to achieve the desired enterprise risk tolerance. By aligning sound IA/GRC practices and IT management with organizational objectives, organizational electronic data is secured and better positioned to contribute to the achievement of organizational goals (Gibson, 2015; Whitman & Mattord, 2017).
GRC Explained
GRC (Governance, risk management, and compliance)
An approach to information security strategic guidance from a board of directors or senior management perspective that seeks to integrate the components of governance, risk management, and regulatory compliance (Whitman & Mattord, 2017). Intended to provide an overarching framework for how IA will be enacted across an enterprise, in the form of policy, procedures, and guidelines. From an enterprise perspective, GRC covers electronic IT/IoT/OT data at rest, in use, and in motion.