1. The new business assurance barometer Common Assurance Maturity Model (CAMM) R Samani
2.
3. The 5 big Challenges More challenging with less resources 1. Measure the inherent security of a third party wishing to access the business in a scalable manner 2. Be able to objectively and reliably measure the risk management maturity of third parties 3. Ensure that all risk management requirements are reflected in contracts (and will be applicable in future) 4. Perform the due diligence required within current resourcing constraints 1. Find an approach that allows Information Risk management to be incorporated objectively into tender process 2. Find a way to compare risk management maturity between different suppliers 3. Achieve the level of transparency when self-audit is not an option 4. Find a solution that satisfies changing regulatory requirements Third Party Access Service Procurement 5. Find an approach that leverages existing investment AND will be adopted by suppliers 5. Find an approach that will be adopted by suppliers
4. A new approach… CAMM – New business assurance barometer Business Assurance Leverage existing expenditure Transaparent risk management Genuine USP for providers Provides a genuine USP to organisations that have higher levels of information risk maturity Risk management maturity is open for stakeholders to view, using appropriate language and detail. CAMM is built on existing standards, leveraging existing compliance expenditure. Objective Measures maturity against defined controls areas, with particular focus on key controls. Meaningful A business benefit that creates consumer trust that is meaningful, understandable and creates a clear strategy to achieve greater maturity.
5. How it works… (a simplified view) Achieving transparency... Third Party Assurance Centre Maturity Maturity Maturity Third party requesting access Third party service provider Internal hosting provider Risk Appetite 1. Business sets level of risk they are willing to tolerate (number of levels depending on the data). Maturity will include CAMM plus possible bespoke modules. 2.Level of risk management maturity is communicated to business partners (and possible partners) 3. Evidence of compliance may be uploaded to central repository that can be used by numerous customers. 4. Leverage existing expenditure and remove need for duplicate verification (e.g. many customers wishing to audit third party service provider).
6.
7.
8. Who is involved? A global collaborative effort End User Organisations Security Associations Cloud Providers Consultancies Independent consultants Over 40 organisations already involved, including…. IISP ISACA ISSA UK ENISA ISF Website on its way……….
![Who can access your information? Increase in use of third parties to process/store information. Number of information risks are increasing... ,[object Object],[object Object],[object Object],The outsourcing ‘dividend’ How is your information accessed? Where is the data stored? Many providers use services across many countries, which have varying e-crime laws How do you assure the business? Multiple audits of same suppliers, using subjective audit frameworks and standards that do not apply to all countries Poor transparency or consistency of measurement regarding information risk management. Perimeter security is obsolete, increased need to understand performance of information risk management within providers](data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7)