Information Security

 is no longer a

CIA model


Even Information Security can be built in a modular approach

Information Assurance
Needs to Protect the Information Owner
 as much as the Information Asset


 A New Approach to Information Security

Information Assurance (IA)  is an emerging term which captures the expanded responsibilities involved in Information Security (IS).

Information Security had identified three components namely "Confidentiality", "Integrity" and "Availability" as the objectives. This CIA concept of Information Security was adopted in information security Implementation standards and also the audits.

Today it has been realized that IS is inadequate if it is confined to the CIA concept. Hence various approaches are being developed to make IS more meaningful and useful

In India, Naavi tried to expand this CIA concept by adding the "Cyber Law Compliance" and calling the approach as "Techno Legal Information Security Concept". Subsequently he expanded it further to add "Behavioural Science" and called the approach as "Three Dimensional Approach to Information Security".

In US, CIA concept was expanded to include two other components namely "Authenticity" and "Non Repudiation". Further with the development of IS standards from BS7799 to ISO 27001, the basic IS concept had included "Compliance Aspects" and "People Aspect" as part of the CIA implementation approach.

However the international approach was still led by technology and hence the "Authenticity" and "Non Repudiation" was addressed basically as technology tools required for the purpose. Naavi's approach differed from this approach because he focussed on what the law said about authentication and non repudiation and looked for the same in IS implementation.

Also the compliance aspects included by ISO practitioners revolved around "IPR" and more recently "Privacy" issues. It addressed software licensing aspects and encryption for privacy.  Similarly, the "People" aspect addressed "Awareness" and "Training" in information security policy and procedures.

Naavi's approach was however much more in depth since by trying to include compliance of ITA 2008 and other regulations such as HIPAA (For US oriented Health Care service providers in India or GGWG (For Bankers in India), DPA (For EU oriented service providers), he had enlarged the concept of "Authenticity" and "Non Repudiation" to very high levels. Also when it came to "People aspect", Naavi insisted on "Motivating" employees through a structured approach which included building a "Security Culture" in an organization including "identification of deviant minds", "Management of human risks".  Hence Naavi's horizon was beyond the usual boundaries of the Information Assurance concept which may be called  the CIA++ approach which is a five component program including Authenticity and Non Repudiation to the original CIA concept.

This site therefore calls this approach as the "Total Information Assurance" (TIA) concept. Presently TIA also uses the five parameters used in the IA concept but the treatment of each of the five components is different from the IS concept (using CIA as components) or the IA concept (using CIA + Authenticity +Non Repudiation as components).

Information Assurance itself is a new concept for India and obviously TIA is a more nacent thought. It is however considered that in due course the IA concept used internationally will converge into TIA concept used here.

At present, we may recognize that TIA concept is a basic concept under development and IS professionals, Legal experts and Psychology specialists may contribute towards development of this TIA approach into a well rounded augmented IS approach.

Ujvala Consultants Pvt Ltd, promoted by Naavi is in the process of development of a framework for implementation of the TIA concept under an innovative modular approach and will continue to work in this direction in the coming days. Such work will also be showcased here. Others can also contribute their approaches for publication here either as the TIA concept or within the individual concepts such as Technical, Legal and Behavioural components. It is understood that the content has to be aggregated over a period and more the participation of the public, better it would be for a speedier development of the concept.

Being a leader in Information Technology is only a starting point. India has to achieve leadership in IS and IA and towards this direction we need to provide new thoughts. Let this website provide such thought leadership


November 29, 2012



[Comments welcome]