
Posted: September 25th, 2022

Information Assurance

As software and systems engineering have matured, there is a clear need for an “architectural view” of organizational systems. This need has grown as a result of the increasing complexity of systems and their interactions within and between organizations. Additionally, continued pressures to reduce information technology costs and deliver real, quantifiable business benefits from solutions necessitate a clear understanding of how systems support, add value, and enable the business.

Directions: Read the article “An Enterprise Security Program and Architecture to Support Business Drivers” (attachment) by Brian Ritchot.
How does the author leverage an enterprise security architecture to link the goals and objectives to meet the information assurance of an organization?
Using the knowledge you’ve gained from this article, create a model of business risk for the company you selected in week 1 (United Health Group). In your model of business risk, describe and include examples for each of the following:
Your trust model
Your threat model
Your safeguards

Information Assurance
Information assurance relates to the management, processing, transmission, and use of data. Confidentiality, integrity, and availability must be upheld to maintain a successful business. Any connected network naturally faces information assurance challenges, hence the need for IT guidelines to manage possible risks. Because information assurance is theoretical, it provides a way to achieve solutions for data through the transformation of data policies (Paul, 2018). Considering risks in alignment with business objectives enables one to apply appropriate controls to keep the company running successfully.
Brian Ritchot (2013), in his article “An Enterprise Security Program and Architecture to Support Business Drivers”, addresses the issue of linking goals and objectives to meet the information assurance of an organisation. He claims that security architecture is an important aspect that organisations can use to thrive in information assurance. Through the Sherwood Applied Business Security Architecture (SABSA) methodology, Ritchot suggests aligning security measures with objectives while considering possible risks that may arise. IT security should be viewed as a tool of success rather than an avoidable obstacle. The SABSA model breaks down the security architecture into six parts and considers an essential element for each. The model comprises the contextual, conceptual, logical, physical, component, and operational architectures, and these levels are expected to consider assets, motivation, process, people, location, and time respectively. The SABSA methodology focuses on controlling the operational risks of a company to enable its objectives, unlike other approaches that focus on eliminating threats toward an organisation (Buecker et al., 2014). The countermeasures offered by the method preserve confidentiality, integrity, and availability.
Understanding a business through its drivers and attributes is the first step to risk identification. Drivers concern the strategies of an organisation that are considered vital to its success, while attributes are crucial parts of objectives that need protection from the enterprise security. Drivers can be identified through the mission statement, while attributes can be discovered by interviewing top management. It is then possible to come up with proxy assets by linking the drivers to attributes. Once a business is understood, prioritisation for risk identification is possible. An organisation can opt for a risk assessment to control potential threats. Managing risks means considering their duality, in that they can be avoidable or unavoidable. Hence, an organisation is expected to form key performance indicators and key risk indicators. Key risk indicators can be used to tell when a risk will be considered more than bearable for the business. Once the understanding of risks is accomplished, an organisation can head towards business risk modelling. These models of business risk include trust models, threat models, and safeguards that are used to affect enterprise-wide risks, hence the formation of logical security services.
Using the above information, the following is a model of business risk for United Health Group:
United Health Group trust model
Trust is established when two business entities interact and exchange information. Our trust model towards healthcare providers will include checking equity resources in hospitals by analysing the time and money spent by patients. This information will give a view of the inventory a hospital claims to have in accordance with the services it claims to give. Trust is established if the provider is able to meet our requirements by having the appropriate equipment and services to give the clients who seek them. Furthermore, personal information of patients will be necessary, as well as the link between hospitals and patients who have already come into contact (Massacci & Zannone, 2004). There has to be a link between third parties as proof that clients did receive the said services. Hence, patients will be required to fill out forms that will act as evidence of visiting the establishment. Clients are also required to sign any payments they make to the hospital. Moreover, customers will be required to provide their personal information such as age, names, gender, address, and contacts. Such details give more information about the customer and how to treat them better. Using this information, it is possible to derive purpose-based trust management solutions.
United Health Group threat model
Threats involve the possible risks that could cause damage to a business. Our threat model consists of considering a potential data breach or cyber-attack. To make this possible, the model focuses on correlating threat intelligence to the perceived threats, looking for current threats that are common within the industry, prioritizing risks, and understanding the attack vector relative to the threat identified (UcedaVelez, 2015). Once these activities are incorporated into the threat model, it will be easier to ensure the continued success of the business. Threats need to be identified prior to mitigation to decide on the most appropriate way to deal with them. Some threats never die, hence the need to come up with methods that help reduce them. Through proper prioritization we shall be able to move through each level with proper solutions. Identifying the source of a threat will give the organization a view of how to handle the situation without interfering in business activities. Recurring malware threats shall be analyzed to check whether the present threat is the same version as the previous one. As the technological world advances, so do cybercrimes. There is a need to ensure that information security is up to date, to combat the ever-advancing cyber-criminal. These measures ensure preservation of information confidentiality, integrity, and availability within an organization.
United Health Group safeguards
United Health Group considers ISO 27001 as its information security management guideline. As the de facto international standard for information security management, it will provide the roadmap to proper commercial, legal, and contractual responsibilities. With the use of the ISO 27001 framework, it will be possible to show clients that our organization has identified the risks and is willing to reduce them. Through this achievement, the business is expected to be more resilient in providing the best information security to clients. This framework increases the reliability and security of information since the establishment strives to uphold the guidelines stated. Achieving these standards proves that the business is aligned with customer requirements, with their security in mind. Hence, customer and business partnerships are improved.
In conclusion, describing and representing the inherent risk a business faces is possible once all the control measures, threats, trust, and risks are identified. Organizations shouldn’t focus solely on eradicating risks, because sometimes risks cannot be done away with; hence the need to come up with models that focus on containing those risks at a manageable level. It is possible to achieve information assurance for the success of a business.

References
Buecker et al. (2014). Using IBM Security Framework and IBM Security Blueprint to Realize Business-Driven Security (p. 123). IBM Redbooks.
Massacci, F., & Zannone, N. (2004). Privacy Is Linking Permission to Purpose. Lecture Notes in Computer Science, 3957. doi:10.1007/11861386_20
Paul, P., Bhuimali, A., Aithal, P., & Rajesh, R. (2018). Cyber Security to Information Assurance: An Overview. International Journal on Recent Researches in Science, Engineering & Technology, 6(4), 8-14. Retrieved from https://www.researchgate.net/publication/325202411_Cyber_Security_to_Information_Assurance_An_Overview
Ritchot, B. (2013). An enterprise security program and architecture to support business drivers. Technology Innovation Management Review, 3(8).
UcedaVelez, T. (2015). Risk Centric Threat Modelling (pp. 429-431). John Wiley & Sons.
