Camm Presentation E Crime June 2011


Published on

CAMM presentation during eCrime congress June 2011

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • Security very important issue to peopleBut look at other areas – vendor lock-inAt the same time business teams (marketing) go to cloud services with their credit cards – as IT is tooooo slow
  • Picture kindly taken from a Microsoft presentationProbably more secure than your local IT – but how to measure thatRisk cannot be outsourced to cloud – so how to measure what the riks with the cloud provider, type and delivery model isIf I use IaaS I still am responsibel for application mangement and potentially OS management
  • There is 4 main layers”Hotel stars” for the consumers / CEO level -> security aware consumers can make comparation between the services they use, write blogs and echo their analysis. (Instead of numbers we can for sure use e.g. Credit rating style classification ”AA+” etc.Diamond diagrams with clearly defined and easily understandable dimensions are provided for the IT decision makers. Them to understand on high level what they purchase and what they still need to take care by themselves i.e. High level responsibility map in regards of SecurityLayer 3 consists the main control objectives, but not indivisual controls i.e. Only the ”corners of diamonds”Layer 4 has been devided in to two sectionsPublic section that has HOW TO guidance i.e. How a company can implement this control objective -> there would be hundreds of these pages and due to that we need to have single template to make it readable. Ugins public wikipedia would emphasize that this really is Transparent & open initiativeCompany specifid ”How we did it documentation” -> can be in what ever format the company prefersDocuments inside of company can logically fall to different confidentiality cathegories
  • Camm Presentation E Crime June 2011

    1. 1. Managing risks in the supply chain<br />14 June, 2011<br />Common Assurance Maturity Model<br />1<br />Vladimir Jirasek<br />CAMM Steering Group<br />Twitter @vjirasek<br />
    2. 2. People do not fully trust The Cloud<br />People say that they are concerned that their information is not secure in The Cloud<br />
    3. 3. Is the Cloud Secure?<br />14 June, 2011<br />Common Assurance Maturity Model<br />3<br />Can be as secure as any other IT system<br /> Depends on the model chosen<br />Understand the responsibilities<br /> All eggs in one basket is the real question<br />Implicit trust on provider<br />Exit and lock-in<br />
    4. 4. Problem to be solved – trust in the supply chain<br />14 June, 2011<br />Common Assurance Maturity Model<br />4<br />Suppliers for the cloud provider<br />Your business<br />Your cloud provider<br />End to end assurance<br />
    5. 5. 14 June, 2011<br />Common Assurance Maturity Model<br />5<br />CAMM MISSIONProvide an objective framework to transparently rate and benchmark the capability of a selected solution to deliver information assurance maturity across the supply chain<br />
    6. 6. Achieving Transparency & layers of CAMM<br />1. Consumer<br />3. Architects<br />2. CIO<br />4. Experts<br />Selfassess<br />Audited<br />Selfassessment<br />Audited on17.03.2012<br />Governance<br />4<br />3<br />A.Average3.8<br />A.Average3.4<br />HR<br />3<br />3<br />”Public How To”<br />IT Services<br />3<br />3<br />C.Average3.3<br />C.Average3.4<br />Physical<br />4<br />5<br />SecretNDA Public<br />E.Average4.6<br />E.Average4.4<br />Continutity<br />5<br />4<br />Incident <br />mgmt<br />”Company specificHow we did it”<br />4<br />4<br />CAMM allows different levels of confidentiality - e.g. only auditor sees full set of results or public disclosure via web site<br />
    7. 7. Overall structure of CAMM components<br />14 June, 2011<br />Common Assurance Maturity Model<br />7<br />TPAC<br />Final maturity scores<br />Mapping to other standards<br />Free GRC app<br />Scoring model<br />Non CAMM audit results<br />Maturityscores<br />Weightingframework<br />Please see next slide for details about importing CAMM audit results<br />WorkBench<br />App<br />Audited controls<br />Controls framework<br />Auditors<br />
    8. 8. Utilize your current investmentto an another standard e.g. ISO<br />The Statement Of Applicability (SOA) of source standard is used as a baseline for translation<br />CAMM Guidance documents will help auditors with ”yellow” area intepretations<br />14 June, 2011<br />Common Assurance Maturity Model<br />8<br />Souce standard<br />Target standard<br />e.g. ISO 2700x SOA<br />CAMM<br />Translate<br />Not implemented > to be CAMM audited<br />Auditor intepretation of applicability<br />1=1 applicable, no need of intepretation<br />
    9. 9. Stakeholders<br />Consumers – Can form trust relationship based on understantable facts<br />Companies – Can form trustworthy supply chains to provide real trustworthiness to consumers & other customers<br />Governents – Canhavemore confidence in corporategovernance to remove barriers from global single e-markets<br />Service Providers & Consultancies – Can buildcompetences to achieve the target<br />Industry Associations – can excel in defining harmonized model implementations <br />Consumer<br />Government<br />CAM Commitee<br />
    10. 10. Progress<br />It is anticipated for the initial set of COMMON controls and associated guidance to be completed by Q4 2011. The following details the key milestones:<br />Major client, standards and service provider organisations engaged<br />Development of framework and appropriate weighting mechanism underway <br />Development of the framework <br />Control framework created and reviewed<br /> Scoring model created<br />Development of the guidance<br /> Guidance material to be completed by end of October 2011<br />Pilot<br /> Pilot with major organisation planned for summer 2011<br /> Development of Free GRC tool<br /> Major GRC vendor engaged to ad CAMM module<br />