Information assurance is sometimes categorized as an information technology specialty, but it really deserves to be considered separately. Although an information assurance specialist needs to have a deep understanding of IT and how information systems work, they use this knowledge for a very specific purpose.
The main role of information assurance is to protect information systems, like networks and computers, from being tampered with. Specialists in this field use many methods to protect information systems, including selecting anti-virus software and drafting policies to prevent users from accidentally letting malicious software into the network.
Ultimately, the role of an information assurance specialist is to protect information. They do this by using passwords, biometrics, user names, and tokens to track all of the activity on a network or program. They maintain confidentiality while tracking network activity.
The Five Pillars of Information Assurance
Before we take a deeper look at the role of an information assurance professional, let’s look a little more closely at what information assurance is. The official definition from the National Institute of Standards and Technology (NIST) in the U.S. Department of Commerce is as follows:
Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. These measures include providing for the restoration of information systems by incorporating protection, detection, and reaction capabilities.
The NIST has transitioned from using the term information assurance, replacing it with cybersecurity. The two are closely related and, for some purposes, interchangeable. But the field of information assurance is still typically defined by the five pillars used in this definition.
The five pillars are:
Integrity means that all information systems are intact and not tampered with. Information protection is a key role for an information assurance professional. To maintain integrity, specialists use many tools, like anti-virus software, intrusion detection, and firewalls, and inform and train staff about computer security, password, and log-in protocols as well as phishing scams and other security risks.
Availability means that those who need access to the information system can get it, safely and securely.
Authentication is the process by which the people who are permitted access to certain information are properly identified. Information assurance professionals prevent unauthorized access by implementing strong password rules, two-factor authentication, or biometrics, like face, retinal, or fingerprint scans.
Confidentiality ensures that sensitive information is only seen by those with prior authorization. A good example of this is in healthcare where personal data and other information are only to be shared between the patient, their doctors, and anyone they authorize to receive it. This means that certain protocols have to be put in place so that only authorized users are permitted access to online medical records, etc. Confidentiality doesn’t only apply to healthcare. Any institution that keeps personal information on file, be it a bank, online store, or your place of employment, should keep that information confidential.
The last pillar is non-repudiation, which is a way to ensure that every action can be tracked in some way to prove or disprove wrongdoing. Going back to the example of the medical record, someone who looks at the private information of a patient they are not caring for will leave behind footprints showing that they improperly accessed confidential information.
History of Information Assurance
Computer technology has advanced in leaps and bounds over the last few decades, and the speed at which things evolve can be intimidating. This field moves quickly, and those who wish to be a part of it have to have the skills and drive to keep up.
Many of the common components of information assurance that are in use today have evolved from some of the earliest computer security measures, and understanding the basics is key to understanding how far the technology has come. Here are some of the biggest developments in this industry over the last several decades:
One of the first components of information assurance is computer mainframes. These vast, powerful systems were used by large companies because they were reliable and could hold insane amounts of data. IBM created the first mainframe computer, which dates back to the 1950s and 60s. As you can imagine, things have changed a lot since then. Although the basic concept remains the same, processing capabilities have improved in leaps and bounds.
Data and Domains
The concept of digital data structures dates back to Boolean algebra in 1847. This type of math was one of the first ways of storing digital data with true and false values. As the math concepts advanced, arrays were introduced and, when combined with linguistics, led to the development of modern data storage.
Internet viruses trace back to 1988. The first was created by Robert Morris, who claimed he developed it to exploit and identify the weaknesses in the current security systems. His virus cost some companies as much as $53,000 in damages in 1988, which is the equivalent of nearly $120,000 today, and Morris was ultimately convicted.
Morris shone a light on just how vulnerable some of these systems were. To get a better grasp on the viruses of today, it helps to understand where they form and how the earliest forms were transmitted.
The concept of encryption goes back to 1971 and IBM’s invention of LUCIFER, a 128-bit cipher. It wasn’t long until the U.S. National Bureau of Standards partnered with IBM to update LUCIFER and create a 64-bit cipher, the Data Encryption Standard (DES). This system was used until 1990 when it was updated to the Advanced Encryption Standard, which is still in use today.
As you can see, information assurance goes back decades, and it’s continuing to advance alongside technology. Understanding where it came from offers insight into where it’s going and how today’s information assurance experts can meet the challenges facing them.
Responsibilities of Information Assurance Professionals
An information assurance engineer protects information by making it difficult for people to hack or crack a system. There are many ways they go about doing this, and they need a specific skill set to be good at the job.
Why is information assurance important?
Any business can be targeted by cyber criminals. Some people think that large companies worth a lot of money are the only ones that have to worry about cyber-crime, but this is not true. Any business can be the target of a cyber attack, and the sad truth is that a small business has fewer resources to protect itself or weather the storm. Some people think that the IT department can handle the information assurance side of things, but that puts an incredible load on them. Most IT professionals know a bit about security controls, but they aren’t information security professionals.
Information assurance should be a part of any business because it ensures that important data is available to only qualified personnel. Businesses that keep information about their customers and clients should be sure that all data is secure, especially with the uptick in cyber attacks in the last few years.
What does an information assurance officer do?
An information assurance officer should know a lot about IT, especially computer network infrastructure and design. When building a network, they have to consider the professional and business needs of the client or company they work for while also keeping core information safe.
One of the main tools that information assurance uses is cryptography, which takes the data in its readable form and encrypts it so it’s impossible to read without an encryption key.
Information assurance specialists must also be able to determine when a system is compromised, either from inbound or outbound activity. They should be able to identify patterns that could indicate something suspicious is going on, like too many failed log-in or authentication requests. Granting and denying access to users is one of the key systems that information assurance puts in place to ensure that people are who they say they are.
If data is compromised, it’s the information assurance specialist’s job to determine what was lost and what can be recovered. Many things can cause data to be compromised, including system crashes, viruses, human error, floods, and fire. Appropriate backup systems are essential for quick disaster recovery.
Differences Between Information Assurance and Information Security
Information assurance and information security have some overlap, but there are some significant differences between them. Professionals in both of these fields defend against hackers and cyber attacks, but the techniques used by each are a little different.
As mentioned, information assurance protects the data collected by organizations and some individuals, specifically in the processing, transferring, and storing of that data. It covers not only digital information but also the hard drives and other devices used to store data. Information assurance is technically defined as protecting and defending information and information systems by ensuring availability, authentication, confidentiality, integrity, and non-repudiation. This field is about protecting, detecting, and reacting.
Information security keeps private information secure by preventing the wrong people from accessing it. It primarily focuses on developing tools and techniques for keeping data secure, whether it’s creating a new infrastructure that’s harder to penetrate or a software program to block threats. While information assurance focuses on five metrics (availability, authentication, confidentiality, integrity, and non-repudiation), information security focuses on only three: availability, confidentiality, and integrity.
The similarities between information assurance and information security are obvious. They both involve protecting data using similar tools and work against the same type of threats. For example, both use things like firewalls and anti-virus software to ward off hackers and protect data against fraud. In the event of a data breach, both also attempt to recover as much of the information as possible.
Information assurance has a broader scope than information security. Information assurance typically applies to large organizations, and the strategies these specialists create are system-wide. For example, an information assurance program might overhaul user authentication or set new password standards. The job of an information assurance analyst is to design defensive measures against any general threats that may attack the system.
On the other hand, information security is more specific. It involves developing specific tools, often to protect against specific threats. Admittedly, the differences are subtle. There is a lot of overlap, but generally, information assurance is about the bigger picture while information security involves putting specific protections into place.
How does information security relate to information assurance and cybersecurity?
Cybersecurity is another specialty that is closely related to both information assurance and information security. It falls under the umbrella of information security, which falls under information assurance. Again, information assurance is broad, involving processes like compliance audits, management policies, and security checks. Cybersecurity is a specific subsection of information security that can focus on protecting a specific type of data or against a specific threat.
What Skills Do You Need for Information Assurance?
The skills that you need for information assurance are also useful for cybersecurity or information security. They include:
- Investigatory skills. Knowing how to find and fix weaknesses and vulnerabilities in the system helps prevent future attacks and mitigates risk.
- Leadership. Leadership is especially important for people who hope to have a management position. Since information assurance often works in tandem with cybersecurity, having good leadership skills helps create and manage a cohesive approach for dealing with threats that cross departments.
- Risk management. Understanding what aspects of data and security are at risk and figuring out the best way to avoid corruption or limit the impact if something does go wrong.
- Technology skills. You need superior tech skills to work in information assurance. Understanding complex systems and keeping up with the quick evolution of tech are essential skills in this field.
Career Paths in Information Assurance
There are many subspecialties in information assurance, and it’s a popular field to get into. According to the Bureau of Labor Statistics, jobs in this field are projected to grow by 31 percent between 2019 and 2029, in part because so many businesses are migrating to cloud storage and realize they need to invest more in their security.
There are many benefits for businesses that invest in strong information assurance. While some think it’s something that only large companies need to worry about, medium and small-sized companies need to think about protecting themselves, too. Here are a few reasons why this career is in high demand:
Delegating the right tasks makes everything run more smoothly.
When there’s a qualified information assurance professional on board, they can focus on defending against cyberattacks and increasing security while the rest of the IT team can tackle all of the other technical problems.
Information assurance reduces wasteful spending.
When a dedicated information assurance specialist is performing regular audits and managing a small staff of IT employees, many small to medium-sized companies save money. Why? Because they’re no longer investing in unnecessary software or paying a whole team of employees when they only need a few employees with the right skills on board. Not to mention, strong information assurance can save them from losing business from security breaches and stolen customer information.
Online user experience improves along with customer satisfaction.
When online customers know that their data is safe, they feel more comfortable engaging with the business’s website. If things run slow and security warnings pop up on the screen, web-savvy visitors will assume the site is trouble and steer clear.
Specific Career Paths in Information Assurance
Computer Network Architect
A computer network architect focuses on actually building networks, usually on a company-wide scale. They research the newest technologies and make sure the current infrastructure is suitable for the company’s current needs. This role is more involved with the hands-on building of various systems and is one of the most specific roles in the field of information assurance.
Computer Systems Administrator
This role focuses on managing every aspect of computer networks for an organization, including analyzing needs, installing the necessary system, and keeping up with routine maintenance. If anything needs to be changed or the data shows that something isn’t working quite right, it is the computer systems administrator’s job to identify the problem and correct it.
Information Security Analyst
An information security cyber analyst focuses specifically on computer systems, networks, and internet connections, ensuring that they are secure from both internal and external threats. To do this, they carefully monitor the security systems that are already in place, keeping a watchful eye out for any threats or breaches. Information security assurance analysts should stay in the know about new security products and may help other departments with their basic security systems.
Information Systems Manager
This management position oversees IT and information security activities, ensuring that all hardware and software is updated and maintained. They are responsible for hiring appropriately qualified personnel for information assurance and cybersecurity roles, investigating threats, and educating other departments and employees about policies relating to best practices for threat prevention.
Risk Management Specialist
This role is charged with identifying security risks and maintaining the systems to defend against them. Specialists in this role focus on analyzing statistics, creating risk models, and assessing liability, then figuring out how to mitigate any identified risk. They are also commonly asked to present their findings to management teams or colleagues.
Education and Certifications for a Career in Information Assurance
The coursework for information assurance varies by school and the type of degree you’re pursuing. Bachelor’s programs are a little more basic while master’s programs focus more on specific areas and get much more in-depth. Some jobs in this field require a master’s degree, but the demand for people in this field is so high that many employers may be willing to hire someone with a bachelor’s degree and the right combination of soft skills and experience.
If you’re interested in pursuing a bachelor’s in information assurance, here are some of the best programs available:
- Southern Arkansas University
- Cameron University
- Missouri State University
- Dakota State University
- University of Illinois
- Brigham Young University
- Baker College
- Augusta State University
- Davenport University
- Capitol Technology University
- Fort Hays State University
- Our Lady of the Lake University
- Bellevue University
- Pennsylvania State University
- Lewis University
How much can you expect to make with a bachelor’s degree in information assurance?
According to PayScale, here are some of the jobs held by people with a bachelor’s in this field along with their annual salary:
- Information Technology (IT) Auditor: $57,000
- Network Administrator: $60,000
- Security Analyst: $61,000
- Cyber Security Analyst: $62,000
- Risk Analyst: $63,000
- Information Security Analyst: $68,000
- Software Developer: $74,000
- Penetration Tester: $75,000
- Systems Administrator: $79,000
- Information Security Specialist: $82,000
- Cyber Security Engineer: $89,000
- Information Security Engineer: $94,000
- Security Engineer: $98,000
- Information Security Manager: $98,000
- Security Architect, IT: $100,000
- Information Technology (IT) Director: $128,000
While it’s possible to get a well-paying job with a bachelor’s degree in this field, a master’s degree is likely needed for higher-level positions and management. Here are some of the best programs to consider for a master’s in information assurance:
- Georgia Institute of Technology
- Capella University
- Northeastern University
- Western Governors University
- Nova Southeastern University
- Robert Morris University
- Iowa State University
- Fort Hays State University
- Dakota State University
- Capitol College
- Davenport University
- Florida Institute of Technology
- Norwich University
- Regis University
- National University
How much can you expect to make with a master’s degree in information assurance?
The following are some of the job titles you can expect with a master’s degree in information assurance, according to PayScale:
- Senior Support Services Technician: $44,000
- Network Security Analyst: $68,000
- Support Engineer: $70,000
- Network Engineer: $83,000
- Information Security Analyst: $85,000
- Cyber Security Analyst: $90,000
- Cyber Security Engineer: $96,000
- Information Security Specialist: $97,000
- Information Security Officer: $105,000
- Information Security Manager: $112,000
- Technical Consultant: $113,000
- Senior Project Manager, IT: $119,000
- Security Director: $131,000
- Senior Professional Service Consultant: $132,000
- Staff Software Engineer: $137,000
- Security Architect, IT: $142,000
In addition to degree programs, there are also several certifications available to further your information security career. Some employers may require one or more of these certifications, but it’s a good idea to consider pursuing one even if it’s not required. These certifications are a great way to show that you are willing and able to continue to learn and grow in your field.
Some information assurance certifications are:
- Certified Information Privacy Technologist (CIPT)
This certification is offered by the International Association of Privacy Professionals and, as you might have guessed, focuses on privacy. Specifically, it relates to how the professional demonstrates expertise as it relates to privacy practices, responsibilities, and expectations.
- Certified Information Security Manager (CISM)
A certified information security manager demonstrates a superior ability to prevent, assess, and manage threats while still meeting the goals of the business, institution, or organization. To qualify for this certification from the Information Systems Audit and Control Association (ISACA), you must have evidence of experience in the field, pass the exam, meet the continuing education requirements, and adhere to the ISACA’s ethics and general standards.
- Certified Secure Software Lifecycle Professional (CSSLP)
This certification comes from (ISC)², the International Information Systems Security Certification Consortium. Someone with this certification is considered an expert in many types of security practices, including auditing, authentication, and authorization. To qualify to take this certification exam, you must have at least four years of experience and take the appropriate training course. Continuing education is necessary to maintain the certification, and you must renew it every three years.
- Cisco Certified Network Associate Cyber Ops
Although this certification doesn’t require any prior training, Cisco offers many resources to prepare you for the exam. This certification demonstrates the preparedness of information assurance professionals to use cybersecurity software and must be renewed every three years.
- GIAC Certified Intrusion Analyst
Certified intrusion analysts demonstrate knowledge and skill in putting intrusion detection software in place and configuring it appropriately. They maintain records of any potential security breaches and make adjustments as needed. You can receive this certification by meeting general qualifications and passing a proctored exam.
Now that you know a little more about information assurance and what makes it such a unique field, take some time to think about whether or not you’re up for the challenge of pursuing an information assurance degree. If you have a talent for computers and an interest in cybersecurity, this might be the career path for you.