1) The document proposes a vendor risk rating system to address asymmetric information between clients and vendors in outsourcing services, especially cloud computing. 2) It suggests a rating approach as an alternative to audits and certifications to provide a relative risk level for vendors using fewer resources. Ratings would segment vendors into risk categories to match client needs. 3) The proposed system uses a mixed self-statement and assessment approach to determine ratings, with audits to strengthen monitoring, in order to avoid conflicts of interest from third parties. Service conditions define proper rating system use with penalties for non-compliance.

1. leet security
Corporate presentation
F38ru4ry 2012

2. Content
• Initial concepts
1
• Vendor risk rating
• Our proposal for a
rating system

3. 2
INITIAL CONCEPTS

4. What is a rating?
• Rating (Collins English Dictionary)
– “a classification according to order or grade; ranking.”
3
– (Economics, Accounting & Finance / Banking & Finance) “the
estimated financial or credit standing of a business enterprise or
individual”

5. What is a rating?
• Ratings of main agencies
are expressed with a
nomenclature that combines 4
letters, upper and
lowercase, numbers and
symbols.
• Although they can change
from one to another, in
general, better rating is
expressed as AAA or A1+.

6. What is a risk rating agency?
• “Company that assigns credit ratings for issuers of
certain types of debt obligations as well as the debt
instruments themselves”, www.wikipedia.org 5
• Companies specialized in securities analysis and that
analyse issuers with their own methodologies (that
combines quantitave and qualitative financial analysis
methods).

7. What is it for a rating?
• Show the synthesis of a company capacity analysis to
deal with its financial liabilities in the short and long term.
That means, it shows the solvency of that company. 6
• It is a succinct indicator of an issuance risk. Issuance with
lower rating, normally, provide higher returns to
compensate the risk.
• Allows investors to compare the risk of different
investments although they come from different issuers,
countries, industries…

8. Rating challenges
• Time, energy, or money
that agent side
(provider) should use to Time 7
send a signal.
• Mechanisms for the
receiver (potential
client) to trust that the
signal is a credible Money Effort
statement of its
information.

9. Theoretical Foundation
• In some economical transactions
(contract theory), disparities in access
to information alter the normal 8
functioning of markets, creating
problems of adverse selection and
moral hazard.
• There are two solutions for opposing
imperfect information (George Akerlof,
1970):
– Signaling
– Screening

10. Theoretical Foundation
• Signaling (Michael Spence, 1973)
– Two sides can circumvent asymmetric
9
information problem if one of them
sends a signal to the other party to
disclose relevant information.
– Signaling consist precisely in that the
agent submit credibly some
information about itself to the other
party.

11. Theoretical Foundation
• Screening (Joseph E. Stiglitz, 1973)
– In this theory, one of the sides can lead
10
the other to show its information.
– In this situation, the side that posses
information is not the first to act, but the
side without information the one who
accept to learn what it can from the other.

12. 11
VENDOR RISK RATING

13. Need description
• In services outsourcing (especially in ICT
sector) we find an example of assymetric
information that can leads to adverse 12
selection.
– The client does not really know the security
measures that the vendor implements.
– Lack of information could lead the client to
choose always the cheaper service although it
was not the one that better fits its needs.
• This situation is really pressing regarding
cloud computing market.

14. Need description
• There is a need of a
Audit
mechanism that helps to (screening)
balance the asymmetry of 13
information.
• Options (all of them based
on trusted third parties) : Options
Rating ISMS
Certification
(signaling) (signaling)

15. What shows risk vendor rating?
• Rating (for services) gives a relative value
that can be understood as a forecast about
technical solvency of the vendor in relation 14
to its security and resiliency.
• In this way, services with a better rating are
the ones with fewer probability of suffering
an incident that affects Service Level
Agreements in a significant way.

16. Rating advantages
Rating Other options 15
• Less resources (time, • More used / known by
money and efforts) security sector
• Focus on security and
resiliency
• Feasibility of
homogeneous
comparison (single scale)

17. Rating advantages: Supply
segmentation
Current situation – Segmented services
Provider only has one with different ratings
option Users that
16
buy the
service
Fee Users that Fee
Low risk
buy the service
service
Service risk Medium risk
level service
User needs High risk
service
Risk Risk

18. Ventajas de la calificación: Cada
proceso su nivel de riesgo
Situación actual – Los Diferentes procesos
servicios son “café con diferentes
para todos” necesidades
Usuarios que
17
contratan el
servicio
Precio Usuarios que Precio
Servicio riesgo
contratan el bajo
servicio
Nivel de riesgo Servicio riesgo
del servicio medio
Necesidades Servicio riesgo
de los usuarios alto
Riesgo Riesgo

19. 18
OUR PROPOSAL FOR A RATING
SYSTEM

20. Dimensions
A
B
C 19
D
E
+ Compliance specific levels: D+, C+, B+

21. Areas / chapters
20

22. General information
21

23. Mixed approach Self-statement &
Assessment
• Goal: Avoid the usual conflict of interest arising from the
trusted third party fees being paid by the provider.
22
– Enter to the system: Explanatory dossier.
– Once accepted: Provider self-declare the service rating.
– Upper rating level can be defined by the agency.
• Consequence: Strengthen monitoring mechanisms
– Random and periodic audits.
– Incident notification channel.
– Disciplinary proceedings.

24. Service use conditions
• Allows service providers to use the rating system.
• Establish vendor commitment to use the system in a
23
correct way when self-statement rating levels.
• Defines penalties in case of non-observance of rating
system guide.
• Gives right for the necessary training to self-state rating
levels.
• Annual renewals.

25. Thank you…
… Questions? 24

26. Contact
25
leet_security
www.leetsecurity.com
info@leetsecurity.com
antonio.ramos@leetsecurity.com