Week 1 – Introduction to Information Assurance
Welcome to Foundations of Information Assurance! I’m Professor Bishop, and I’ll be guiding you through the world of data protection, risk, and digital trust-building. This week is all about laying the groundwork for everything else you’ll learn in this course.
📌 What is Information Assurance?
Information Assurance (IA) is the discipline concerned with protecting information systems by ensuring the confidentiality, integrity, and availability (CIA) of data. It’s not just about firewalls or encryption—it’s a combination of people, policies, procedures, and technologies working together to manage risk and secure information.
“IA is the art and science of trust-building in digital environments.”
Professor Bishop
🔺 The CIA Triad – The Classic Three
- Confidentiality – Preventing unauthorized access to data
- Integrity – Ensuring that data remains accurate and unaltered
- Availability – Ensuring data is accessible when needed
🛡️ The CIA Triad in Practice
Let’s look at each pillar of the CIA triad with examples:
- Confidentiality: A hospital restricts access to medical records so that only authorized doctors and staff can see them.
- Integrity: A banking system uses hashing and digital signatures so that any modification of its transaction logs is detected.
- Availability: A university has backup generators and redundant servers to ensure students can always access the online portal, even during outages.
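The integrity bullet above, as an added example that is not part of the original lecture: a hash-chained transaction log whose entries are tagged with HMAC-SHA256, used here as a standard-library stand-in for a digital signature. The record fields, the key and all function names are constructed for illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain anchor for the first entry

def chain_hash(prev_hash: str, record: dict) -> str:
    # Canonical JSON so the same record always hashes to the same value.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()

def append_entry(log: list, record: dict, key: bytes) -> None:
    """Append a record, chaining it to the previous entry and tagging it."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    entry_hash = chain_hash(prev_hash, record)
    tag = hmac.new(key, entry_hash.encode(), hashlib.sha256).hexdigest()
    log.append({"record": record, "prev": prev_hash, "hash": entry_hash, "tag": tag})

def verify_log(log: list, key: bytes) -> int:
    """Return -1 if the log is intact, else the index of the first bad entry."""
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        expected = chain_hash(prev_hash, entry["record"])
        tag = hmac.new(key, expected.encode(), hashlib.sha256).hexdigest()
        if entry["prev"] != prev_hash or entry["hash"] != expected:
            return i  # record edited, or an entry removed or reordered
        if not hmac.compare_digest(tag, entry["tag"]):
            return i  # hashes were recomputed by someone without the key
        prev_hash = entry["hash"]
    return -1

def demo() -> dict:
    key = b"constructed-demo-key"  # sample key; an assumption for this example
    log = []
    for rec in ({"id": 1, "from": "A", "to": "B", "amount": 100},
                {"id": 2, "from": "B", "to": "C", "amount": 40},
                {"id": 3, "from": "C", "to": "A", "amount": 15}):
        append_entry(log, rec, key)
    results = {"intact": verify_log(log, key)}
    log[1]["record"]["amount"] = 4000  # simulated modification of entry 1
    results["edited"] = verify_log(log, key)
    # The hash chain is recomputed after the edit, but the tags cannot be
    # regenerated without the key, so verification still fails at entry 1.
    prev = log[0]["hash"]
    for e in log[1:]:
        e["prev"], e["hash"] = prev, chain_hash(prev, e["record"])
        prev = e["hash"]
    results["rehashed"] = verify_log(log, key)
    return results
```

Neither the chain nor the tags stop a write to the log; they make the change detectable on the next verification. Removal of the newest entries is only caught if the latest hash is also recorded somewhere the log's writer cannot alter.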
🔷 The Parkerian Hexad – An Expanded Model
To provide a more complete framework, security expert Donn B. Parker proposed the Parkerian Hexad in 1998. It includes six elements, expanding beyond the CIA triad:
- Confidentiality – Prevent unauthorized access to information
- Integrity – Ensure information is not modified in an unauthorized way
- Availability – Ensure systems and data are accessible when needed
- Possession or Control – Physical or digital control of the data itself
- Authenticity – Confirming that data or identity is genuine
- Utility – Ensuring data is useful and in the correct format
“The Parkerian Hexad expands our thinking—because real-world breaches don’t fit neatly into just three buckets.”
Professor Bishop
🧩 Parkerian Hexad – Real-World Examples
Here are practical examples that demonstrate how each element of the Parkerian Hexad can be affected:
- Confidentiality: An HR employee accidentally emails salary information to the entire company. The data wasn’t encrypted or access-controlled properly.
- Integrity: Malware alters configuration files in a hospital’s records system, changing patient allergy info—resulting in dangerous treatment mistakes.
- Availability: A ransomware attack encrypts a city’s 911 system, making emergency response data inaccessible for hours.
- Possession or Control: A thief steals an unencrypted backup drive from a finance manager’s car. Even if the thief never reads the drive, they now physically control the data.
- Authenticity: A phishing site mimics a company’s employee login portal. Employees enter real credentials, believing the fake site is authentic.
- Utility: A company receives log files from a partner, but they are in a format that’s unreadable by any internal tools. The data exists—but it’s not usable.
Each of these cases represents a different kind of impact. A strong IA program anticipates and defends against failures in all six areas—not just the traditional three.
🕰️ A Brief History of IA
Information Assurance originated from military needs. Here’s how it evolved:
- 1980s: Classified government and military data protection
- 1990s: Expansion due to the internet and e-commerce
- 2000s: Rise of regulatory compliance (HIPAA, SOX)
- 2020s: Focus on critical infrastructure, cloud security, and AI ethics
👥 Who’s Responsible for IA?
IA is not just “an IT thing.” It requires collaboration across multiple roles:
- CIO/CISO – Set strategy and manage cyber risk
- Governance Teams – Define policies and audit systems
- IT & Security Teams – Implement controls and monitor environments
- End-Users – Follow safe practices and report incidents
🧪 Case Study: The OPM Breach (2015)
The U.S. Office of Personnel Management was hacked, exposing sensitive background check information of over 21 million federal employees. Key failures included poor access control, lack of encryption, and insufficient monitoring. This event highlighted the need for comprehensive IA practices beyond simple perimeter defenses.
From the Parkerian Hexad lens, the breach impacted:
- Confidentiality – Private data was accessed by unauthorized parties
- Possession/Control – Attackers exfiltrated and took control of the data
- Authenticity – Use of stolen credentials potentially masked malicious access
📚 Coming Up in This Course
- Week 2 – Threats and Vulnerabilities
- Week 3 – Risk Management and Assessment
- Week 4 – Security Controls and Governance
- Week 5 – Legal and Regulatory Frameworks
📝 Assignment
Due: Before next lecture
Instructions: In your own words, define each of the six elements of the Parkerian Hexad. Provide a real-world or fictional example for each element where a failure or breach has occurred. Keep your explanations clear, specific, and grounded in risk.
💬 Discussion Questions
- Which part of the CIA triad do you think is most difficult to implement in real life?
- Which Parkerian Hexad principle do organizations tend to overlook?
- Have you experienced a data breach or system outage? What happened?
- Where do you see IA being most important—in your current or future career?
Post your answers in the discussion forum and respond to at least one classmate!
That wraps up Week 1! You now understand both the CIA triad and the Parkerian Hexad—two powerful frameworks for thinking about information security. Next week we dive into threats, vulnerabilities, and real-world exploits. Stay secure, and don’t forget—Information Assurance starts with you. 🛡️
