CTO-CybersecurityForum-2010-Des Ward


Transcript of CTO-CybersecurityForum-2010-Des Ward

Page 1: CTO-CybersecurityForum-2010-Des Ward

The new business assurance barometer

Common Assurance Maturity Model (CAMM)

R Samani

Page 2

Who can access your information?

Increase in use of third parties to process/store information.

The number of information risks is increasing...

• Secure and usable information (CIA) is the lifeblood of the business.

• Third-party access will increase, and will have to be granted more quickly to support agility.

• More effective measurements of information risk management are required.

The outsourcing ‘dividend’

How is your information accessed?

Where is the data stored?

Many providers use services across many countries, which have varying e-crime laws

How do you assure the business?

Multiple audits of the same suppliers, using subjective audit frameworks and standards that do not apply in all countries.

Poor transparency or consistency of measurement regarding information risk management.

Perimeter security is obsolete; there is an increased need to understand the performance of information risk management within providers.

Page 3

The 5 big Challenges

More challenging with fewer resources

Third Party Access

1. Measure the inherent security of a third party wishing to access the business in a scalable manner

2. Be able to objectively and reliably measure the risk management maturity of third parties

3. Ensure that all risk management requirements are reflected in contracts (and will be applicable in future)

4. Perform the due diligence required within current resourcing constraints

5. Find an approach that leverages existing investment AND will be adopted by suppliers

Service Procurement

1. Find an approach that allows Information Risk management to be incorporated objectively into the tender process

2. Find a way to compare risk management maturity between different suppliers

3. Achieve the required level of transparency when self-audit is not an option

4. Find a solution that satisfies changing regulatory requirements

5. Find an approach that will be adopted by suppliers

Page 4

A new approach…

CAMM – New business assurance barometer

Business Assurance

Provides a genuine USP to organisations that have higher levels of information risk maturity.

Risk management maturity is open for stakeholders to view, using appropriate language and detail.

CAMM is built on existing standards, leveraging existing compliance expenditure.

Measures maturity against defined control areas, with particular focus on key controls.

A business benefit that creates consumer trust that is meaningful and understandable, and creates a clear strategy to achieve greater maturity.

Page 5

How it works…(a simplified view)

Achieving transparency...

[Diagram: a Third Party Assurance Centre holds the maturity ratings of a third party requesting access, a third party service provider and an internal hosting provider, which are compared against the business's Risk Appetite.]

1. Business sets the level of risk they are willing to tolerate (number of levels depending on the data). Maturity will include CAMM plus possible bespoke modules.

2. Level of risk management maturity is communicated to business partners (and possible partners).

3. Evidence of compliance may be uploaded to a central repository that can be used by numerous customers.

4. Leverage existing expenditure and remove the need for duplicate verification (e.g. many customers wishing to audit the same third party service provider).

Page 6

How it works…

Modular approach provides flexibility

[Diagram: control modules (Physical Security, Business Continuity, Incident Mgt, HR, Governance, IT Services) each scored for maturity, with an overall Average of 3.8; existing standards such as PCI and SOX map onto the modules; a Trusted Auditor may verify the responses.]

1. Controls based on existing standards such as COBIT, ISO 27001/27002, PCI, CSA Controls Matrix, BS25999, etc.

2. Criteria for controls will be:

• Are the controls complete (missing anything)?

• Are the controls essential?

• Auditable

• Measurable

3. Responses against common control areas provide a measurement that indicates a level of maturity.

4. Aim to allow bespoke modules to provide flexibility to suit business requirements.

Trusted Auditor: may be self-assessed, or use a trusted auditor (for a higher score). Will depend on risk appetite and/or commercial requirements.

Page 7

Progress

It is anticipated that the initial set of COMMON controls and associated guidance will be completed by Q4 2010. The following details the key milestones:

• Major client, standards and service provider organisations engaged

• Development of framework and appropriate weighting mechanism underway

Development of the framework

• Development of weighting mechanism by end of May 2010

• Ready for initial review by mid-July 2010

Pilot

• July – September 2010; pilot study to validate controls framework

Development of the guidance

• Guidance material to be completed by end of October 2010

Still on track for Q4 2010...

Page 8

Who is involved?

A global collaborative effort

End User Organisations

Security Associations

Cloud Providers

Consultancies

Independent consultants

Over 40 organisations already involved, including...

IISP

ISACA

ISSA UK

ENISA

ISF

Website on its way...