The new business assurance barometer Common Assurance Maturity Model (CAMM) R Samani
Who can access your information? Increase in use of third parties to process/store information. Number of information risks are increasing... <ul><li>Secure and useable information (CIA) is the lifeblood of the business. </li></ul><ul><li>Third party access will increase, and will have to be done quicker to support agility </li></ul><ul><li>More effective measurements of information risk management are required </li></ul>The outsourcing ‘dividend’ How is your information accessed? Where is the data stored? Many providers use services across many countries, which have varying e-crime laws How do you assure the business? Multiple audits of same suppliers, using subjective audit frameworks and standards that do not apply to all countries Poor transparency or consistency of measurement regarding information risk management. Perimeter security is obsolete, increased need to understand performance of information risk management within providers
The 5 big Challenges More challenging with less resources 1. Measure the inherent security of a third party wishing to access the business in a scalable manner 2. Be able to objectively and reliably measure the risk management maturity of third parties 3. Ensure that all risk management requirements are reflected in contracts (and will be applicable in future) 4. Perform the due diligence required within current resourcing constraints 1. Find an approach that allows Information Risk management to be incorporated objectively into tender process 2. Find a way to compare risk management maturity between different suppliers 3. Achieve the level of transparency when self-audit is not an option 4. Find a solution that satisfies changing regulatory requirements Third Party Access Service Procurement 5. Find an approach that leverages existing investment AND will be adopted by suppliers 5. Find an approach that will be adopted by suppliers
A new approach… CAMM – New business assurance barometer Business Assurance Leverage existing expenditure Transaparent risk management Genuine USP for providers Provides a genuine USP to organisations that have higher levels of information risk maturity Risk management maturity is open for stakeholders to view, using appropriate language and detail. CAMM is built on existing standards, leveraging existing compliance expenditure. Objective Measures maturity against defined controls areas, with particular focus on key controls. Meaningful A business benefit that creates consumer trust that is meaningful, understandable and creates a clear strategy to achieve greater maturity.
How it works… (a simplified view) Achieving transparency... Third Party Assurance Centre Maturity Maturity Maturity Third party requesting access Third party service provider Internal hosting provider Risk Appetite 1. Business sets level of risk they are willing to tolerate (number of levels depending on the data). Maturity will include CAMM plus possible bespoke modules. 2.Level of risk management maturity is communicated to business partners (and possible partners) 3. Evidence of compliance may be uploaded to central repository that can be used by numerous customers. 4. Leverage existing expenditure and remove need for duplicate verification (e.g. many customers wishing to audit third party service provider).
How it works… Modular approach provides flexibility Physical Security Business Continuity Incident Mgt HR Governance IT Services 3. Responses against common control areas provide a measurement that indicates a level of maturity 1. Controls based on existing standards such as COBIT, ISO 27001/27002, PCI, CSA Controls matrix, BS25999, etc. A. Average 3.8 <ul><li>2. Criteria for controls will be; </li></ul><ul><li>Are the controls complete (missing anything) </li></ul><ul><li>Are the controls essential </li></ul><ul><li>Auditable </li></ul><ul><li>Measurable </li></ul>PCI SOX 4. Aim to allow bespoke modules to provide flexibility to suit business requirements. Trusted Auditor May be self assessed, or use trusted auditor (for higher score). Will depend on risk appetite and/or commercial requirements.
It is anticipated for the initial set of COMMON controls and associated guidance to be completed by Q4 2010. The following details the key milestones: <ul><li>Major client, standards and service provider organisations engaged </li></ul><ul><li>Development of framework and appropriate weighting mechanism underway </li></ul><ul><li>Development of the framework </li></ul><ul><li>Ready for initial review by mid-July 2010 </li></ul><ul><li>Development of weighting mechanism by end of May 2010 </li></ul><ul><li>Development of the guidance </li></ul><ul><li>Guidance material to be completed by end of October 2010 </li></ul><ul><li>Pilot </li></ul><ul><li>July – September 2010; pilot study to validate controls framework </li></ul>Progress Still on track for Q4 2010...
Who is involved? A global collaborative effort End User Organisations Security Associations Cloud Providers Consultancies Independent consultants Over 40 organisations already involved, including…. IISP ISACA ISSA UK ENISA ISF Website on its way……….