Information Assurance versus Information Security

Every once in a while in my corporate gig some snarky guy with some book smarts and no actual infosec experience poses this question to show off. While I passed my CISSP years ago, which is where I would have probably memorized this, I often have a hard time recollecting the exact difference. Mr. Snark and I will talk about it and I’ll be reminded … and it’s like “Oh, duh… should have known that.” So I thought looking it up (yet again) and putting it out as a blog post would help it stick better for me as well as maybe assist others that want to find a quick understanding of the differences.

I could copy/paste/modify from several sources I found, but I thought pulling them all together into a single picture would work better in this case. And here it is for your viewing pleasure…

(Note: As part of a campaign to bring forward some of our older posts that we feel still benefit the community, we’ve added this article to our Best Of category, which will periodically get tweeted out. Please mention it to me on Twitter or contact us if there are any other posts you feel we should include in this category. This post was previously categorized under Infosec Blogs/Podcasts. @grecs)

Comparison of Information Assurance and Information Security

And of course you have the “official” definitions, as of February 2011, from NIST IR 7298 Revision 1, Glossary of Key Information Security Terms [PDF]. These write-ups are great if you need something official to cite in a C&A package or a design document; however, I find they really don’t explain the terms well to anyone trying to recollect or learn this stuff. Anyway, here they are…

  • Information Assurance: Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities. (Source: SP 800-59; CNSSI-4009)
  • Information Security: The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability. (Source: SP 800-37; SP 800-53; SP 800-53A; SP 800-18; SP 800-60; CNSSI-4009; FIPS 200; FIPS 199; 44 U.S.C., Sec. 3542)

The glossary also carries a second, longer entry for Information Security that spells out what each of the three properties means:

Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide—

  1. integrity, which means guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity;
  2. confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and
  3. availability, which means ensuring timely and reliable access to and use of information. (SOURCE: SP 800-66; 44 U.S.C., Sec 3541)


Read side by side, the glossary entries do make the difference visible: both protect information and information systems, but the Information Assurance entry adds authentication and non-repudiation to the usual confidentiality/integrity/availability triad and explicitly includes restoring systems through protection, detection, and reaction capabilities, while the Information Security entry stops at providing confidentiality, integrity, and availability.

Well, that’s it. Hopefully the differences will stick with me (and you) after writing this blog post. I’d appreciate any thoughts or feedback in the comments below. See ya!

18 comments for “Information Assurance versus Information Security”

  1. August 30, 2011 at 1:53 pm

    BLOGGED: Information Assurance versus Information Security http://t.co/TZTRn7g

  2. August 30, 2011 at 2:39 pm

    #NOVABLOGGER: Information Assurance versus Information Security http://t.co/TZTRn7g http://t.co/rJHPBce

  3. August 30, 2011 at 4:33 pm

    Great post! #CISSP RT @Hfuhs: Information Assurance versus Information Security http://t.co/M98yFOh

  4. August 31, 2011 at 12:19 am

    Thanks for the reminder of the official definitions of these things.

    I also find using a metaphor useful in explaining the differences between the two disciplines to non-security people. A plumber has a similar approach to his craft as an information security professional, concerning himself with the size and type of pipe used, the fittings needed to provide access to the water, and fixing leaks. In contrast to that, a water quality expert has a similar approach to an information assurance professional, ensuring that the expected characteristics of the water are maintained, that people needing the water have access, and that the risk of leaks is managed.

    Regards.

  5. August 31, 2011 at 5:00 am

    Information Assurance versus Information #Security: [nova#infosecportal.com] Every once in a while in my corporate… http://t.co/BoouTAr

  6. March 18, 2012 at 11:13 pm

    Came across the following post. These folks seem to think it is somewhat opposite to what I stated above. Most of the definitions are the same however they put IA within IS instead.

    “Information Assurance Does Not Equal Information Security”

    http://www.sys-con.com/node/2208321

  7. March 18, 2012 at 11:18 pm

    Added comment to my Infosec vs. IA post .. these folks seem to define it opposite to what I did. http://t.co/A8jq1xEk

  8. March 18, 2012 at 11:28 pm

    RT @novainfosec Added comment to my Infosec vs. IA post .. these folks seem to define it opposite to what I did. http://t.co/k2ikdxo3

  9. March 29, 2012 at 1:42 am

    Best Of: Information Assurance versus Information Security http://t.co/JHgGtTuQ

  10. May 26, 2012 at 3:35 am

    Best Of: Information Assurance versus Information Security http://t.co/JHgBWjtW

  11. June 24, 2012 at 7:14 am

    Information security vs. information assurance http://t.co/7PZdL4j3 Short but #useful blog.

  12. November 17, 2012 at 9:17 am

    Best Of: Information Assurance versus Information Security http://t.co/Lt4SvunK

  13. November 27, 2013 at 10:14 pm

    Thank you a lot for sharing this with all of us; you actually recognise what you’re speaking about! Bookmarked. Please additionally discuss with my web site =). We will have a hyperlink alternate contract between us.

  14. December 5, 2013 at 3:34 pm

    Best Of: Information Assurance versus Information Security http://t.co/yULbRYaKcM

  15. March 4, 2014 at 4:47 am

    Best Of: Information Assurance versus Information Security http://t.co/yULbRYsTqU

  16. ASK Sastry
    July 8, 2014 at 2:22 am

    Very good post; it has given me an understanding of the difference between InfoSec and IA. The plumber analogy is appealing.

  17. December 4, 2014 at 2:12 pm

    Best Of: Information Assurance versus Information Security http://t.co/yULbRZ1xAY

  18. January 30, 2018 at 10:44 am

    I have checked your website and I have found some duplicate content; that’s why you don’t rank high in Google’s search results, but there is a tool that can help you to create 100% unique content. Search for: Boorfe’s tips unlimited content.
