Beyond Cybersecurity: What is Information Assurance?

Cybersecurity tactics guard your internet connections against unwanted intruders. But information assurance (IA) goes one step further to better protect the systems and data within your network.

The term "information assurance" was first used by the U.S. government, but has since made its way into common usage. The term describes the technical and managerial components of information, particularly maintaining control over it and ensuring it’s only accessible to those who have authorization.1 Complying with Information Assurance (IA) standards is a mandatory requirement for security personnel with privileged access to monitoring, system control, and administration functions.

Many types of information assurance (IA) standards exist: Common Criteria, NIAP, EAL, and TEMPEST, for example. In this article, we will explain these IA provisions and what each means for your secure network.

The Basics of Common Criteria

The Common Criteria for Information Technology Security Evaluation (CC) accompanied by the companion Common Methodology for Information Technology Security Evaluation (CEM) are the technical basis for the Common Criteria Recognition Arrangement (CCRA), which is an international agreement that verifies:

  • Security properties of products are evaluated by licensed laboratories to comply with a specific assurance level.
  • Evaluation methods are backed up by supporting documents.
  • Certifications issued are based on results of the evaluations.
  • CCRA recognizes the issued certificates.

The CC is the gold standard for the recognizing secure IT products worldwide.

NIAP and CC Work Together to Guard Your Sensitive Data

The National Information Assurance Partnership (NIAP) implements the Common Criteria in the U.S., and manages the NIAP Common Criteria Evaluation and Validation Scheme (CCEVS) validation process.

Partnering with the National Institute of Standards and Technology (NIST), NIAP also approves Common Criteria Testing Laboratories to conduct these security evaluations in private-sector operations across the U.S.

EAL Delivers World-Class Security

An international standard introduced in 1999 defines the Evaluation Assurance Level (EAL1 through EAL7) of an IT product or system. The EAL level measures the security assurance level of an IT product or system recorded during a Common Criteria security evaluation. Higher levels of security indicate that the system’s main security features meet more stringent assurance parameters. The EAL level does not measure the security of the system itself, it simply states at what level the system was tested.

Requirements for EAL involve design documentation, design analysis, functional testing, or penetration testing. The higher EALs include more detailed documentation, analysis, and testing than the lower levels. Reaching a higher EAL certification usually costs more money and takes more time than achieving a lower level. The EAL number assigned to a certified system indicates that the system completed all requirements for that level.

What is a Security Target (ST)?
Each product and system must meet the same assurance requirements to achieve a particular EAL level, but they do not have to satisfy the same functional requirements. The functional features for each certified product are established in the Security Target document tailored for that product's evaluation. A product with a higher EAL may not be "more secure" in a particular application than one with a lower EAL, because they may have dissimilar functional features in their Security Targets. A product's suitability for a particular security application depends on how well the features listed in the product's Security Target meet the application's security requirements. If the Security Targets for two products both contain the necessary security features, then the higher EAL reveals a safer product for that application.

Optimize TEMPEST for National Security

Originating in the late 1960s, “TEMPEST” is codename for a classified (secret) U.S. government project to protect sensitive information from outside hackers. The acronym stands for Telecommunications Electronics Material Protected from Emanating Spurious Transmissions. The TEMPEST specification (designated by U.S. National Security Agency) measures the data theft risk of computer and telecommunications devices. TEMPEST compliant devices guard against leaking unintentional radio or electrical signals, sounds, and vibrations that could provide a doorway for hackers to compromise secure systems.

Next Steps

Now that you know the basics of Information Assurance, you are ready to put the Common Criteria, NIAP, EAL, and TEMPEST standards to work to help you protect your sensitive data in your public- or private-sector network. Download the free white paper, “Meeting Cybersecurity Threats with Secure KVM Switches” to learn more about Secure KVM and these security standards.

Download white paper:

Need more information? We can provide further advice, answer your questions, and/or consult with you about your specific application. Contact us at 877-877-2269 or [email protected]



Subscribe Now