Every once in a while in my corporate gig some snarky guy with some book smarts and no actual infosec experience poses this question to show off. While I passed my CISSP years ago, which is where I would have probably memorized this, I often have a hard time recollecting the exact difference. Mr. Snark and I will talk about it and I’ll be reminded … and it’s like “Oh, duh… should have known that.” So I thought looking it up (yet again) and putting it out as a blog post would help it stick better for me as well as maybe assist others that want to find a quick understanding of the differences.
(Note: As part of a campaign to bring forward some of our older posts that we feel still benefit the community, we’ve added this article to our Best Of category that will periodically get tweeted out. Please mention it to me on Twitter or contact us if there are any other posts you feel we should include in this category. This post was previously categorized under Infosec Blogs/Podcasts. @grecs)
And of course you have the “official” definitions as of February 2011 from NIST IR 7298 Revision 1 Glossary of Key Information Security Terms [PDF]. These write-ups are great if you need something official to use in a C&A package or a design document; however, I find that they really don’t explain them well to anyone trying to recollect or learn this stuff. Anyway, here they are…
- Information Assurance: Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities. (Source: SP 800-59; CNSSI-4009)
- Information Security: The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability. (Source: SP 800-37; SP 800-53; SP 800-53A; SP 800-18; SP 800-60; CNSSI-4009; FIPS 200; FIPS 199; 44 U.S.C., Sec. 3542)

  Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide—

  - integrity, which means guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity;
  - confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and
  - availability, which means ensuring timely and reliable access to and use of information. (Source: SP 800-66; 44 U.S.C., Sec. 3541)
Well that’s it. Hopefully, the differences will stick with me (and you) after writing this blog post. I’d appreciate any thoughts or feedback in the comments below. See ya!