Feature

Haris Hamidovic, CIA, ISMS IA, IT Project+, is chief information security officer at Microcredit Foundation EKI Sarajevo, Bosnia and Herzegovina. Prior to his current assignment, Hamidovic served as IT specialist in the North Atlantic Treaty Organization-led Stabilization Force in Bosnia and Herzegovina. He is the author of five books and more than 70 articles for business and IT-related publications. Hamidovic is a certified IT expert appointed by the Federal Ministry of Justice of Bosnia and Herzegovina and the Federal Ministry of Physical Planning of Bosnia and Herzegovina. He is a doctoral candidate in critical information infrastructure protection at the Dzemal Bijedic University in Mostar, Bosnia and Herzegovina.
Fundamental Concepts of IT Security Assurance
Government and commercial organizations rely heavily on the use of information to conduct their business activities. Loss of confidentiality, integrity, availability, accountability, authenticity and reliability of information and services can have an adverse impact on organizations. Consequently, there is a critical need to protect information and to manage the security of IT systems within organizations. Alongside significant benefits, every new technology introduces new challenges for the protection of this information. The requirement to protect information is particularly important in today's environment because many organizations are internally and externally connected by networks of IT systems.[1]
IT systems are prone to failure and security violations due to errors and vulnerabilities. These errors and vulnerabilities can be caused by many factors, such as rapidly changing technology, human error, poor requirement specifications, poor development processes or underestimating the threat. In addition, system modifications, new flaws and new attacks are frequently introduced, which contributes to increased vulnerabilities, failures and security violations throughout the IT system life cycle.[2]
The industry came to the realization that it is almost impossible to guarantee an error-free, risk-free and secure IT system, because the security mechanisms deployed against threats are imperfect, humans err or overlook things, and components or equipment fail.[3]

Completely secure IT systems do not exist; there are only systems in which the owners have varying degrees of confidence that the security needs of the system are satisfied.[4]
In addition, many information systems have not been designed to be secure. The security that can be achieved through technical means is limited and should be supported by appropriate management and procedures.[5]
The task of IT security (ITS) engineering and management is to manage the security risk by mitigating the vulnerabilities and threats with technological and organizational security measures to achieve an IT system with acceptable assurance. ITS management has an additional task: establishing acceptable assurance and risk objectives. In this way, the stakeholders of an IT system will achieve reasonable confidence that the IT system performs in the way intended or claimed, with acceptable risk and within budget.[6]
ASSURANCE AND CONFIDENCE

It is important to emphasize that assurance and confidence are not identical and cannot be used in place of one another. Because the two terms are closely related, they are too often used interchangeably, which is incorrect.[8]
ISO/IEC TR 15443 defines these terms as follows: "Confidence, from the perspective of an individual, is related to the belief that one has in the assurance of an entity, whereas assurance is related to the demonstrated ability of an entity to perform its security objectives. Assurance is determined from the evidence produced by the assessment process of an entity."[9]
For security engineering, "assurance" is defined as the degree of confidence that the security needs of a system are satisfied.[10]

Assurance does not add any additional controls
45 ISACA JOURNAL VOLUME 2, 2012