Information Security

 is no longer a

CIA model


Even Information Security can be built in a modular approach

Information Assurance
Needs to Protect the Information Owner
 as much as the Information Asset


Total Information Assurance Framework For Modular Implementation




 Information Security is a concept reasonably well understood in the IT circles. It is defined as "Protecting the "Confidentiality", "Integrity" and "Availability" of Information"

BS7799 practitioners adopted this definition (CIA model) and worked towards checking the measures adopted by an organization to achieve this objective of protecting the confidentiality, integrity and availability of information. This was continued in the practice of ISO 27001 practice.

Over the years ISO 27001 has evolved and a section on "Compliance of Regulatory Aspects" has been added to the traditional ISO 27001 specifications. However there is a lack of proper guidance on defining the scope of an ISO 27001 assessment and hence ISO 27001 does not fully meet the requirements of an assessment of risks arising out of non compliance of ITA 2008 or similar laws addressing Computer misuse/abuse or digital contracts/signature or E Commerce activities.

As a result the IS community evolved a new term "Information Assurance" which extended the scope of IS. Information Assurance (IA) was defined as "Measures for protecting the "Confidentiality, Integrity, Availability, Authenticity and Non Repudiation of information".

The risk assessment and mitigation policies of IS practitioners correspondingly moved from the  CIA model to this CIA++ model.

 IA did recognize that IS was a management responsibility and not limited to IT. In this respect it did recognize the need for IS to go beyond "Technical Security aspects" to "Management of Security". Hence IA was an improved concept though in many circles IS and IA are terms used synonymously. The COBIT framework of IA appears to address this issue effectively and distinguish itself from the ISO 27001 framework.

Though this CIA++ model used the term "Non Repudiation" as an essential goal of securing information, it was not however clear if "Non Repudiation" was strictly a "Technical" aspect or a "Legal Aspect".

Hence even the term IA appears to be not fully reflective of what Naavi has been advocating as "Three Dimensional Approach to Information Security" which is inclusive of Technical, Legal and Behavioural Science aspects.

The concept which is nearest to Naavi's approach is the model framework for establishing and evaluating information security/information assurance programs by John Mccumber, introduced in 1991 and  often referred to as the "Mccumber Cube"  which is depicted below.

The concept of this model is that, in developing information assurance systems, organizations must consider the interconnectedness of all the different factors that impact them.

It propounded that to devise a robust information assurance program, one must consider not only the security goals of the program, but also how these goals relate specifically to the various states in which information can reside in a system and the full range of available security safeguards that must be considered in the design.

The McCumber model is said to help one to remember to consider all important design aspects without becoming too focused on any one in particular (i.e., relying exclusively on technical controls at the expense of requisite policies and end-user training).

Naavi's approach has been to redefine the end objective of Information Security by stating the goal as

"Protecting the Information  Owner" which is inclusive of but beyond "Protecting the Information".

It recognizes that the Information owner by virtue of possessing the information is exposed to certain risks of "liability" and "Security" should mean "Protecting the information owner" from such liability. The liability arises because the information was not secured properly and hence "protecting the information owner from liability" includes "Protecting the information".

Hence Naavi's approach adds an additional layer to IS approach. Since "Liabilities" arise because of laws applicable to information handling, this approach was recognized as "Techno Legal Information Security".

After pursuing this "Techno Legal Approach to Information Security" for several years, Naavi realized the importance of motivating people in an organization to adopt information security as a culture. It was no use to have the best of technical tools and the law of the land. People still had to be motivated. Hence Naavi adopted the "Three Dimensional Model" of Information Security incorporating "Behavioural Science" as the third dimension of information security implementation in an organization.

In order to provide clear guidance to IS practitioners, Naavi postulated that IS Motivation needs to be addressed over five different elements namely "Awareness", Acceptance", "Availability", "Mandate" and "Inspiration". These five elements were placed as walls of a Pentagon that was required to be completed for a good IS implementation program.

The "Theory of IS Motivation" and the "Pentagon Model" gave a new direction to the IS approach.

The model went beyond employee training (Awareness) into obtaining employee commitment (acceptance) and creating an environment where employees would feel inspired. Similarly the "Mandate" included both external legal mandate as well as internal HR mandate. The internal mandate and inspirational promotion suggested a "Carrot and Stick" approach to ensure that the people used the security tools made available (Availability) to achieve the security objectives. All technical aspects of the CIA++ approach to security were codified as "Tools" which are made "Available" by the organization. (P.S: The term "Availability" is used both in TISM as well as in CIA principle but with different meanings)

The three dimensional approach of Naavi to IS therefore presented a different approach to the existing approaches which included "people" as a factor of IS implementation policy.

In all the above approaches the offer from the IS community to an organization was that "Here is an IS/IA framework. If you comply, you are compliant. If not, you are non compliant".

This either 1 or 0 approach meant that before an organization embarked on an IS audit, they should be reasonably sure of their readiness. Otherwise there was a definite risk of an audit which would end in a negative report which the management would find a waste of resources as well as an additional risk of documentation of the "awareness of non compliance". Many managements were therefore hesitant of undertaking an "Audit" or looked for "Pliable auditors".

There was therefore a need to find a method by which one could break up the ideal information security implementation into smaller implementation milestones. In other words like in the CMMI approach there had to be "Levels" in IS implementation. However purists in IS found this concept of "Levels" in information security unacceptable since we accept the old adage "Security is as weak as its weakest link".

While there is no two thoughts about the efficacy of this old adage, Naavi still felt the need to find a method of breaking up the security implementation into small dozes for companies which cannot make a one single leap to IS compliance. The thought was inspired by observing the difficulty of applying HIPAA-HITECH framework to an Indian hospital which is in the nascent stage of IT implementation.

HIPAA compliance is not mandatory for Indian hospitals but reasonable information security is a legal compulsion under Section 43A of ITA 2008. However Reasonable Security for a hospital under ITA 2008 cannot be much farther from HIPAA-HITECH framework.

Rather than suggesting the hospitals, that they should adopt the entire HIPAA framework in one single step or remain non-Hipaa compliant Naavi has now tried to find a way to sub divide the IS implementation by creating levels based on the IS objective..

The Total Information Assurance Framework (TIAF) developed by Naavi now is depicted as the "Naavi Pyramid" as follows:

Naavi Pyramid

The Naavi Pyramid divides the Total Information Assurance based on the three dimensional pentagon model of IS motivation into five progressively implementable levels based on the well known five principles of Information Security accepted by the current IS and IA practitioners.

The five principles of Information Assurance have been placed in this model as five hierarchial levels starting from "Availability" through "Integrity","Confidentiality", Authentication" and "Non Repudiation". The hierarchy of levels move from the easiest to the more difficult aspects of IS/IA implementation. The five elements of the TISM pentagon run through all the five levels but with different objectives.

To explain the concept further, at level I, the organization is only addressing "Availability of Information at the right time" as the objective. Denial of Access prevention as well as DRP and BCP are parts of this Level. However "Digital Signature" or "Two factor authentication" is not within the objectives of this level.

At Level II, organization will implement measures to maintain "Data Integrity" by introducing version controls, hash tables etc. However "E-Audit" under Section 7A is still not the objective under Level II.

Level III addresses the "Confidentiality" objectives which may include "Privacy Policy" and "Privacy Training".

At Level IV, privacy policy is secured  by "Authentication Control". For example, HIPAA privacy belongs to Level III while HIPAA security belongs to Level IV.

At Level V, all the technical, legal and HR measures are benchmarked to the legal requirements and every transaction needs to be capable of standing the test of judicial scrutiny. The evidentiary management requirements as well as managerial responsibilities such as the due diligence responsibilities under Section 85 of ITA 2008 belong to this level.

At each of the five levels the five TISM elements (Awareness, Acceptance, Availability, Mandate and Inspiration) will also undergo changes since the objectives change.

At the end of the Level V, the organization would have achieved a level of security which will also pass the test of a HIPAA-HITECH audit or ITA 2008 audit or ISO 27001 audit or the COBIT Audit.

It may be necessary to consider a further sub division of each level into perhaps A/B/C stages indicating "Adoption", "Implementation" and "Achievement" as the stages of achievement within each level. The fine distinction between these sub divisions may be left to the auditor to judge from the "Commitment" shown by the management, the "Ability" of the work force and "Sustainability" of what has been implemented.

This hierarchial approach to Information Assurance provides the management with some realizable goals and a perceivable return on investment at each level. It makes a "Modular Approach" to Information assurance possible. Hence this approach is titled Total Information Assurance Framework For Modular Implementation (TIAF4MI) This is a huge motivational factor for any management and hence has a better probability of adoption.

For actual implementation, there is still a need for different parameters to be identified as a check list. This is done through a list of IA specifications on the lines of IISF 309 suggested by Naavi. This specification list is still relevant under the Total Information Assurance Framework but the objectives of each specification changes from level to level.

Detailed specification list under TIAF4MI is being developed by Ujvala Consultants Pvt Ltd for its own implementation.

The TIAF4MI is therefore an approach which incorporates the best practices inherent in the current IS and IA practices and increases the acceptability amongst corporate managers. Hopefully the industry will respond positively to this new approach to Information Security and Information Assurance.


19th Nov 2012

Download PDF Version of this article


[Comments welcome]