
Introduction

When Erik *****, of Hull, Massachusetts, posted one of his properties for rent on Craigslist, he was concerned that the property would sit empty for a while. Most people did not want to rent oceanfront property in the middle of February. Erik was overjoyed when he received an email inquiry from a British national who was all too happy not only to rent the property but also to send Erik four months' rent in advance. He only needed a little bit of that money sent back to him in England for travel expenses. He just needed Erik's address and he would happily send a cashier's check. Upon receipt of the check, Erik brought the funds to his bank, deposited the check and withdrew the funds to send to the address in England. It wasn't long before the Brit was nowhere to be found and Erik found himself with a $7000.00 bounced cashier's check. Erik's case is not uncommon. Email scams like this one happen every day. According to www.consumerfraudreporting.org, in 2008 over 275,000 cases of email fraud were reported, a 33 percent increase from 2007. Though the rental scam is a common one, countless other scams, security breaches, and compromises occur quite frequently. These and an ever-growing number of other threats can be combated through the implementation of Information Assurance. This paper will examine a few of the technical applications of Information Assurance practices.

Background

Information assurance (IA) is the practice of assuring information and managing risks related to the use, processing, storage, and transmission of information or data and the systems and processes used for those purposes. (IAF Training, 2012) It serves to protect information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording, or destruction. IA pertains to the use of many different channels of communication including but not limited to the Internet, electronic mail, telephone, and personal interactions. Used interchangeably with information security, and sometimes computer security, the essential difference in IA is that it focuses on the reasoning behind information protection.

Information assurance can be traced back as far as the earliest days of writing. Military leaders and other heads of state realized a need for information to be safeguarded against compromise by the enemy. Julius Caesar invented a device called the cipher, which created a code by substituting each letter of the alphabet with the letter three positions after it. (Secret Code Breaker, 2005) During WWII, technology advanced dramatically and Information Assurance evolved into more of a professional field. As technology evolved it became more readily available to the general consumer. The ease of use of these systems made for an eventual migration from the world of pencil and paper to that of electronic data and the inception of the Internet. With so much information to protect, and so many individuals with a means to access it, the need for Information Assurance became even greater. Thus there would be a need for much more than Caesar's cipher to protect confidential information. Today there exist so many threats to information security that IA is constantly evolving. The field of Information Assurance encompasses environmental and human factors as well as technological ones; it covers intentional attempts to gather information as well as information lost accidentally. IA is such a large and quickly growing area of study that many technology companies have dedicated IA departments.

Data Lineage

Data lineage refers to the recording of the life of a piece of data. (Ostic, Ernie, 2009, web) Tracking data lineage is made possible with metadata. Metadata tags keep track of who opened, accessed, and altered the data and when they did it. A practical example would be the use of data lineage at an insurance company: an application is submitted for a policy and then scanned into the computer; the person who scans it is recorded, as is the next individual who underwrites the policy, right down to the final member of the team who issues the final product. All along the way, the metadata keeps track of every person who touched the policy and any changes they may have made. This tracking helps prevent mistakes, but it also ensures that information is kept confidential and that compliance can be monitored. In the event that a problem occurred, the supervisor would be able to tell exactly where the mistake was made and see that it was corrected. He or she would also be able to tell if an unauthorized individual accessed the information. Aside from assuring the data, lineage tracking also allows for quick problem resolution, which in turn allows for better (and more timely) decision making.

Password Policies

Solid password policies are probably one of the easiest ways to assure information. An individual's password functions much like an electronic key. It is with this key that the person gains access to a whole host of information, including personal details such as account numbers or home addresses, company secrets, and, on an even larger scale, intelligence pertaining to national security. With so many scams, hackers and viruses, it is imperative that users take extreme care in crafting and safeguarding their passwords. According to technet.microsoft.com there are several components that make for safe password creation and use. Enforcing password history prevents the individual from alternating between two passwords because it keeps track of past passwords and does not allow the user to reuse them. Implementing a maximum password age determines how long someone can continue to use the same password. This makes the password much harder to guess, or crack, as it is constantly changing. Conversely, implementing a minimum password age prevents the user from changing a password and then immediately changing it back to the original one. Finally, the use of complexity requirements ensures that the individual's password is not easily guessed or compromised. The best passwords are composed of letters, both capital and lowercase, special characters, and numbers. Passwords that reference birthdays, addresses, and family names are not considered strong passwords. (Stanek, W.R, 2012, web)
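The four policy components described above, worked through in code as an added example (not part of the paper or of the TechNet article it cites). The history size, minimum and maximum ages and minimum length are assumed values chosen for the example; a real domain policy would supply them.

```python
import hashlib
import re
from datetime import date, timedelta

# Assumed policy values for this example (a real policy comes from the directory/GPO).
HISTORY_SIZE = 5    # "enforce password history": remember the last N passwords
MAX_AGE_DAYS = 90   # "maximum password age": must be changed after this many days
MIN_AGE_DAYS = 1    # "minimum password age": cannot be changed again before this
MIN_LENGTH = 12

def meets_complexity(pw: str) -> bool:
    """Complexity rule: minimum length plus upper, lower, digit and special characters."""
    classes = [r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]"]
    return len(pw) >= MIN_LENGTH and all(re.search(c, pw) for c in classes)

def _digest(pw: str) -> str:
    # History holds digests, never the old passwords themselves. Plain SHA-256 keeps
    # the example short; a real credential store uses a slow, salted KDF (bcrypt, scrypt).
    return hashlib.sha256(pw.encode()).hexdigest()

def password_expired(last_changed: date, today: date) -> bool:
    """Maximum age: True once the current password is older than MAX_AGE_DAYS."""
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)

def evaluate_change(new_pw: str, history: list, last_changed: date, today: date) -> list:
    """Return the policy violations for a proposed change (an empty list means allowed).
    `history` is a list of digests of previous passwords, newest first."""
    problems = []
    if today - last_changed < timedelta(days=MIN_AGE_DAYS):
        problems.append("minimum age: password was changed too recently")
    if not meets_complexity(new_pw):
        problems.append("complexity: need 12+ chars with upper, lower, digit and special")
    if _digest(new_pw) in history[:HISTORY_SIZE]:
        problems.append("history: password was used recently")
    return problems

def apply_change(new_pw: str, history: list) -> list:
    """Record an accepted change, keeping only the last HISTORY_SIZE digests."""
    return ([_digest(new_pw)] + history)[:HISTORY_SIZE]
```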

Firewalls

Much like a physical firewall protects a compartment from the heat of an adjacent compartment, a network firewall protects a smaller network from outside threats. A firewall is a program or hardware device that filters what information is allowed into a system. (Tyson, Jeff, 2012, web) Individuals who use the Internet can expose their computers to many different threats by visiting unsafe websites or opening email from unknown sources. Inserting a firewall creates a barrier through which information that has been deemed potentially malicious is not allowed to pass. Firewalls are customizable and can be configured to block virtually any material the network administrator chooses. Facebook is a site that many companies firewall against due to the immense amount of personal information it contains as well as the productivity ramifications that go with social networking.

Transport Layer Security

Transport Layer Security (TLS) is a protocol that ensures privacy between communicating applications and their users on the Internet. (Nieminen, Mikko, 2001, web) When a server and a client communicate, transport layer security ensures that the channel cannot be tampered with by a third party. This effectively eliminates eavesdropping or the interception of messages by unintended parties. TLS built upon and replaced Secure Sockets Layer (SSL), which had been the preferred protocol for securing private connections. The TLS protocol consists of two components: the TLS Record protocol and the TLS Handshake protocol. The TLS Record protocol encapsulates higher-level interactions. (Dierks, 1999, web) This provides a secure environment in which the handshake can take place. By using hash codes and MAC keys, the TLS Record protocol also provides a reliable connection. Once encapsulated, the TLS Handshake protocol takes place: the two systems authenticate each other and agree on an algorithm for encryption. (Nieminen)
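How the Record protocol's MAC key gives a "reliable connection", shown as an added example (not code from the paper): the keyed MAC is computed over the sequence number, record type, version, length and fragment exactly as RFC 2246 section 6.2.3.1 lays it out, so a receiver detects a modified, replayed or reordered record. The key and data are constructed for the example, and encryption of the record is left out to keep the integrity check visible.

```python
import hashlib
import hmac
import struct

# Constructed for the example; in real TLS the MAC_write_secret comes from the handshake.
MAC_KEY = b"example-mac-write-secret-not-a-real-key"
CONTENT_TYPE_APPLICATION_DATA = 23
VERSION_TLS_1_0 = (3, 1)

def record_mac(key: bytes, seq_num: int, content_type: int, version: tuple, fragment: bytes) -> bytes:
    """RFC 2246 record MAC: HMAC_hash(MAC_write_secret, seq_num + type + version + length + fragment).
    seq_num is a 64-bit per-connection counter, which is what makes a replayed or
    reordered record fail even though its bytes are unchanged. SHA-1 is the hash
    TLS 1.0 cipher suites of that era used; it is kept here only to match the RFC."""
    header = struct.pack("!QBBBH", seq_num, content_type, version[0], version[1], len(fragment))
    return hmac.new(key, header + fragment, hashlib.sha1).digest()

def protect(key: bytes, seq_num: int, fragment: bytes) -> bytes:
    """Sender side: append the MAC to the fragment (encryption step omitted)."""
    mac = record_mac(key, seq_num, CONTENT_TYPE_APPLICATION_DATA, VERSION_TLS_1_0, fragment)
    return fragment + mac

def verify(key: bytes, expected_seq: int, protected: bytes):
    """Receiver side: split off the MAC and recompute it with the receiver's own
    expected sequence number. Returns the fragment, or None when the check fails."""
    mac_len = hashlib.sha1().digest_size
    if len(protected) < mac_len:
        return None
    fragment, mac = protected[:-mac_len], protected[-mac_len:]
    expected = record_mac(key, expected_seq, CONTENT_TYPE_APPLICATION_DATA, VERSION_TLS_1_0, fragment)
    # Constant-time comparison so the receiver does not leak which byte differed.
    if not hmac.compare_digest(mac, expected):
        return None
    return fragment
```

A record whose bytes are untouched but which arrives out of sequence fails for the same reason as a tampered one: the sequence number is part of the MAC input, not part of the transmitted record.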

PCI/SSC Compliance

For businesses that conduct online commerce, another factor of IA is making sure that software is PCI/SSC compliant. This refers mostly to organizations and individuals who exchange goods and services online. These standards are overseen by the PCI Security Standards Council. (PCI Security Standards Council, 2012, web) PCI Security Standards are technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data. Merchants who accept credit or debit cards as payment are required to be compliant with PCI SSC standards. Like many of the other components of IA, PCI compliance is composed of its own list of best practices. Following these guidelines helps prevent fraud and other misuses of sensitive payment data.

Education

While any of these technologies are helpful in securing information, threats to the security and integrity of data are always evolving. The most state-of-the-art program or system will not protect against a user who is ignorant of the purpose and practices of IA. Constant and thorough education is the best defense against these types of threats because it sheds light on the risks that exist and empowers users to take steps to safeguard information from those who would choose to misuse or steal it. Some organizations, such as Techsoup.org, have entire reference libraries of material for Information Assurance compliance. (techsoup.org/security) Some organizations require their employees to complete one-time compliance certifications, while others, such as the Department of Defense, demand annual re-certification to cover newly discovered threats and potential breaches. The Department of Defense requires its employees to complete extensive IA training before being granted access to any networks or systems. They must renew their certification annually. (Grimes, J. 2007, web) As these threats become more prevalent and optimized for ultimate destruction and invasion, the need for IA increases dramatically. Norwich University offers both undergraduate and graduate programs in IA. (Norwich University, Web 2012) Georgia Institute of Technology boasts the top Master's degree program, with Fort Hays State rounding out the top ten. (Business Research Guide, Web 2012)

Conclusion

History shows that for every wall erected to keep someone out, some nifty device has been constructed to let that person in -- and for every method devised to hide some piece of information, some other method has been devised to reveal that information. As cyberspace solidifies itself as the preferred method of data exchange, cyber-based attacks are continuously being developed to find and exploit that data. It is clear that many of the threats that exist today concerning information security can be mitigated by the proper implementation of Information Assurance. By complying with these best practices and providing continuing education for users, network administrators and persons in leadership positions can protect their data and information systems from compromise or damage.

Works Cited

Dierks, T., Allen, C. "The TLS Protocol Version 1.0." Internet Engineering Task Force. The Internet Society, January 1999. Web. 29 Apr. 2012. <http://tools.ietf.org/html/rfc2246>.
Grimes, John G. "DoD Information Assurance Awareness Training Requirement." Information Assurance Training Center. Department of Defense, Washington, D.C., 27 August 2007. Web. 29 Apr. 2012. <https://ia.signal.army.mil/docs/MemoDoDIAAwarenessTngReq.pdf>.
"Information Assurance Fundamentals (IAF) Training." IASO Terminology. United States Army Signal Center, Ft. Gordon. Web. 29 Apr. 2012. <https://ia.signal.army.mil/IAF/IASOTerminology.asp>.
Nieminen, Mikko. "Transport Layer Security (TLS)." SearchSecurity. Tech Target, 01 June 2001. Web. 27 Apr. 2012. <http://searchsecurity.techtarget.com/definition/Transport-Layer-Security-TLS>.
Ostic, Ernie. "Real-Time Data Integration." Real-Time Data Integration. Wordpress, 15 Dec. 2009. Web. 28 Apr. 2012. <http://dsrealtime.wordpress.com/2009/12/15/what-exactly-is-data-lineage/>.
"PCI SSC Data Security Standards Overview." PCI Security Standards Council. Web. 29 Apr. 2012. <https://www.pcisecuritystandards.org/security_standards/index.php>.
"Secret Code Breaker." Caesar Cipher History. Secret Code Breaker, 1 Sept. 2005. Web. 25 Apr. 2012. <http://www.secretcodebreaker.com/history2.html>.
Stanek, William R. "Best Practices for Enforcing Password Policies." Technet Magazine. Microsoft Tech Net Magazine, 2012. Web. 28 Apr. 2012. <http://technet.microsoft.com/enus/magazine/ff741764.aspx>.
Tyson, Jeff. "How Firewalls Work." HowStuffWorks. How Stuff Works. Web. 28 Apr. 2012. <http://computer.howstuffworks.com/firewall3.htm>.
"Welcome to the Information Assurance Program." Norwich University Master of Science in Information Assurance Online Masters Degree Program. Norwich University. Web. 28 Apr. 2012. <http://infoassurance.norwich.edu/>.
"The Top 10 Best Master's in Information Assurance Programs." Business Research Guide. Web. 28 Apr. 2012. <http://www.businessresearchguide.com/it-security/masters-in-information-assurance/>.
