Information assurance
SFIA 3: Definition
The protection of systems and information in storage, processing, or transit from unauthorised access or modification. Denial of service to unauthorised users; or the provision of service to authorised users. Includes those measures necessary to detect, document, and counter threats to the integrity of stored information, such as the application of firewalls and intruder detection systems (IDS).
Proposed for SFIA 4.0:
The leadership and oversight of information assurance, setting high level strategy and policy, to ensure stakeholder confidence that risk to the integrity of information in storage and transit is managed pragmatically, appropriately and in a cost effective manner.
Information assurance
Posted by dcflint at 2008-07-24 11:38 AM
There are several difficulties with the SFIA3 definition.
a) It does not describe a skill, i.e. a human ability, but rather an organisational responsibility. It needs to be restated as an ability.
b) It's too broad.
c) It overlaps several other SFIA3 skills, i.e. Information Security, Compliance and the various quality skills.
A better approach would be to make a clear distinction between security (largely about resisting malicious and criminal threats) and information integrity (largely about preventing errors and omissions). Of course there is some overlap, but the skills are different enough to merit separate description.
Within information integrity a second distinction is also helpful: plan, execute and audit.
* Planning is largely covered by a broadened form of DPRO, which we would call Information Policy Formation.
* Audit is covered by the Compliance (COMP) skill.
* So INAS should be the skill of executing policies on information integrity.
This is the intent of the redraft proposed by the IM group.
The ability to ensure the accuracy, completeness and fitness for purpose of information in storage and transit. Includes the use of process design and validation checks.