Protection against, and management of, the risks associated with the use, storage and transmission of data and information systems.
Activities may include, but are not limited to:
protecting against and managing the risks associated with the use, storage and transmission of data and information systems;
formal certification and accreditation of systems;
technical analysis and evaluation to determine the effectiveness of controls.
Information and data are generally protected through the following five principles:
Availability - ensuring that authorized users can access the information they need when they need it
Integrity - protecting information from unauthorized alteration or deletion
Authenticity - verifying the identity of users and devices
Confidentiality - limiting access to authorized users only
Non-repudiation - preventing a party from later denying that an action or communication took place, by providing evidence of the origin and integrity of the data.
Information Assurance: Level 3
Adheres to standard approaches to technical assessment of information systems in accordance with information security policy and business objectives. Makes routine accreditation decisions. Recognizes and escalates decisions that are outside of his/her scope and level of responsibility. Reviews and executes risk assessments and risk treatment plans. Identifies typical risk indicators and explains risk avoidance measures. Maintains integrity of records to support and justify decisions.
Information Assurance: Level 4
Performs technical assessments and/or accreditations of complex information systems or high-risk information systems. Identifies risk mitigation measures required in addition to the organization's or domain's standard measures. Establishes evidence requirements for accreditation from delivery partners and communicates accreditation requirements to stakeholders. Contributes to the planning and organization of information security and accreditation activities. Contributes to the development and implementation of information security processes.
Information Assurance: Level 5
Interprets information security and information assurance policies and applies them to risk management. Provides advice and guidance to ensure adoption and compliance with information security architectures, strategies, policies, standards, and guidelines. Plans, organizes, and conducts information security assurance and accreditation of complex areas, cross-functional areas, and the entire supply chain. Contributes to the development of policies, standards, and guidelines.
Information Assurance: Level 6
Develops information security policies, standards, and guidelines. Contributes to the development of organizational strategies that address changing business risks and information control requirements. Promotes adoption of and compliance with policies and standards. Ensures that architectural principles are followed, that requirements are defined, and that security testing is thorough. Ensures that accreditation processes support the achievement of organizational goals. Monitors environmental and market trends and assesses their impact on organizational strategies, benefits, and risks.
Information Assurance: Level 7
Leads the creation and analysis of an enterprise information security strategy to support strategic business requirements. Ensures alignment between business strategies and information security by developing strategies, policies, standards, and practices. Leads the provision of expertise, advice, and guidance on information assurance across the organization's information systems.