What is Assurance in Information Technology

Assurance—(1) Grounds for confidence that the other four security goals (integrity, availability,
confidentiality, and accountability) have been adequately met by a specific implementation.
“Adequately met” includes the following: functionality that performs correctly, sufficient
protection against unintentional errors (by users or software), and sufficient resistance to
malicious penetration or bypass. (2) A measure of confidence that the security features and
architecture of an automated information system (AIS) accurately mediate and enforce the
security policy.

Note: Assurance refers to a basis for believing that the objective and approach of a security
mechanism or service will be achieved. Assurance is generally based on factors such as analysis
involving theory, testing, software engineering, validation, and verification. Life-cycle assurance
requirements provide a framework for secure system design, implementation, and maintenance.
The level of assurance that a development team, certifier, or accreditor has about a system
reflects their confidence that the system will enforce its security policy correctly during use and
in the face of attacks. Assurance may be provided through four means: 1. the way the system is
designed and built; 2. analysis of the system description for conformance to requirements and
for vulnerabilities; 3. testing the system itself to determine its operating characteristics; and
4. operational experience. Assurance is also provided through complete documentation of the
design, analysis, and testing.
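The following Python script is an added worked example; it is not part of the glossary entry above or of any standard the entry quotes. It shows what the second and third means of assurance (analysis for conformance to requirements, and testing) look like for one small security mechanism: a reference monitor that mediates every access request against a policy table. Each check corresponds to one clause of "adequately met": an exhaustive comparison of the monitor's decisions against the policy (correct functionality), malformed requests that must fail closed (protection against unintentional errors), and adversarial variants of a denied request (resistance to bypass). The policy, subjects, objects, actions, and the canonicalisation rules in `canonical()` are all constructed for illustration and are assumptions of this example.

```python
"""Assurance checks for a small reference monitor (added example).

The policy, subjects, objects and canonicalisation rules below are
constructed for illustration only.
"""
from itertools import product

# Constructed security policy: role -> set of (object, action) permitted.
POLICY = {
    "admin":   {("payroll", "read"), ("payroll", "write"),
                ("wiki", "read"), ("wiki", "write")},
    "analyst": {("payroll", "read"), ("wiki", "read"), ("wiki", "write")},
    "guest":   {("wiki", "read")},
}
ROLES = {"alice": "admin", "bob": "analyst", "eve": "guest"}   # constructed subjects
OBJECTS = {"payroll", "wiki"}
ACTIONS = {"read", "write"}


class Denied(Exception):
    """Raised for every refused request; the monitor fails closed."""


def canonical(name):
    """Assumed canonical form: identifiers are case-insensitive and
    surrounding whitespace is ignored, so aliases cannot dodge the table."""
    if not isinstance(name, str):
        raise Denied("identifier must be a string")
    return name.strip().lower()


def authorize(subject, obj, action):
    """Reference monitor: default deny, every decision taken from POLICY."""
    subject, obj, action = canonical(subject), canonical(obj), canonical(action)
    if obj not in OBJECTS or action not in ACTIONS:
        raise Denied(f"unknown object or action: {obj!r} {action!r}")
    role = ROLES.get(subject)
    if role is None:
        raise Denied(f"unknown subject {subject!r}")
    if (obj, action) not in POLICY[role]:
        raise Denied(f"{subject} may not {action} {obj}")
    return True


def allowed(subject, obj, action):
    """Boolean wrapper so the checks below can compare decisions directly."""
    try:
        return authorize(subject, obj, action)
    except Denied:
        return False


# --- Assurance checks, one per clause of "adequately met" ------------------

def check_functionality():
    """Conformance to requirements: for every subject/object/action the
    monitor's decision must equal what POLICY states. Returns mismatches."""
    mismatches = []
    for subject, obj, action in product(ROLES, OBJECTS, ACTIONS):
        expected = (obj, action) in POLICY[ROLES[subject]]
        if allowed(subject, obj, action) != expected:
            mismatches.append((subject, obj, action))
    return mismatches


def check_unintentional_errors():
    """Mistyped or malformed requests (constructed) must be refused, and
    nothing but Denied may escape the monitor."""
    bad_requests = [(None, "wiki", "read"), ("alice", 42, "read"),
                    ("alice", "", "read"), ("bob", "wiki", "delete"),
                    ("alice", "payrol", "read")]
    return not any(allowed(*req) for req in bad_requests)


def check_bypass_resistance():
    """Adversarial variants (constructed) of a request the policy denies:
    case changes, padding, control characters, path-like objects."""
    probes = [("EVE", "payroll", "read"), (" eve ", "payroll", "read"),
              ("eve", "PAYROLL", "Read"), ("eve", "payroll", "read\x00"),
              ("eve", "../payroll", "read"), ("eve\n", "payroll", "read")]
    return not any(allowed(*probe) for probe in probes)


def assurance_report():
    """Summary a certifier could record as test evidence for this mechanism."""
    return {
        "functionality": check_functionality() == [],
        "unintentional_errors": check_unintentional_errors(),
        "bypass_resistance": check_bypass_resistance(),
    }


if __name__ == "__main__":
    print(assurance_report())
```

Two design points are worth noting. The functionality check is exhaustive rather than sampled, which is only possible because the policy space here is tiny; for a real system this is where analysis of the system description (formal or otherwise) substitutes for enumeration. The bypass check is only as good as the attacker model behind its probe list, which is why the glossary entry lists operational experience as a separate source of assurance: each bypass found in the field becomes a new probe.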
