cto-cybersecurityforum-2010-des ward
TRANSCRIPT
The new business assurance barometer
Common Assurance Maturity Model (CAMM)
R Samani
Who can access your information?
Increase in use of third parties to process/store information.
The number of information risks is increasing...
• Secure and usable information (CIA) is the lifeblood of the business.
• Third party access will increase, and will have to be granted more quickly to support agility
• More effective measurements of information risk management are required
The outsourcing ‘dividend’
How is your information accessed?
Where is the data stored?
Many providers use services across many countries, which have varying e-crime laws
How do you assure the business?
Multiple audits of the same suppliers, using subjective audit frameworks and standards that do not apply in all countries
Poor transparency or consistency of measurement regarding information risk management.
Perimeter security is obsolete; there is an increased need to understand the performance of information risk management within providers
The 5 big Challenges
More challenging with less resources
Third Party Access
1. Measure the inherent security of a third party wishing to access the business in a scalable manner
2. Be able to objectively and reliably measure the risk management maturity of third parties
3. Ensure that all risk management requirements are reflected in contracts (and will be applicable in future)
4. Perform the due diligence required within current resourcing constraints
5. Find an approach that leverages existing investment AND will be adopted by suppliers
Service Procurement
1. Find an approach that allows Information Risk management to be incorporated objectively into the tender process
2. Find a way to compare risk management maturity between different suppliers
3. Achieve the required level of transparency when self-audit is not an option
4. Find a solution that satisfies changing regulatory requirements
5. Find an approach that will be adopted by suppliers
A new approach…
CAMM – New business assurance barometer
Business Assurance
• Provides a genuine USP to organisations that have higher levels of information risk maturity
• Risk management maturity is open for stakeholders to view, using appropriate language and detail.
• CAMM is built on existing standards, leveraging existing compliance expenditure.
• Measures maturity against defined control areas, with particular focus on key controls.
• A business benefit that creates consumer trust that is meaningful and understandable, and creates a clear strategy to achieve greater maturity.
How it works…(a simplified view)
Achieving transparency...
[Diagram: a Third Party Assurance Centre, with a Maturity rating for each of: third party requesting access, third party service provider, internal hosting provider; the business's Risk Appetite.]
1. The business sets the level of risk it is willing to tolerate (the number of levels depending on the data). Maturity will include CAMM plus possible bespoke modules.
2. The level of risk management maturity is communicated to business partners (and possible partners).
3. Evidence of compliance may be uploaded to a central repository that can be used by numerous customers.
4. Leverage existing expenditure and remove the need for duplicate verification (e.g. many customers wishing to audit the same third party service provider).
How it works…
Modular approach provides flexibility
[Diagram: common modules (Physical Security, Business Continuity, Incident Management, HR, Governance, IT Services) alongside separate boxes labelled PCI and SOX; an example average maturity score of 3.8.]
1. Controls based on existing standards such as COBIT, ISO 27001/27002, PCI, CSA Controls Matrix, BS 25999, etc.
2. Criteria for controls will be:
• Are the controls complete (missing anything)?
• Are the controls essential?
• Auditable
• Measurable
3. Responses against common control areas provide a measurement that indicates a level of maturity.
4. Aim to allow bespoke modules to provide flexibility to suit business requirements.
Trusted Auditor
May be self-assessed, or use a trusted auditor (for a higher score). Will depend on risk appetite and/or commercial requirements.
It is anticipated that the initial set of COMMON controls and associated guidance will be completed by Q4 2010. The following details the key milestones:
• Major client, standards and service provider organisations engaged
• Development of framework and appropriate weighting mechanism underway
Development of the framework
• Development of weighting mechanism by end of May 2010
• Ready for initial review by mid-July 2010
Development of the guidance
• Guidance material to be completed by end of October 2010
Pilot
• July – September 2010; pilot study to validate the controls framework
Progress
Still on track for Q4 2010...
Who is involved?
A global collaborative effort
End User Organisations
Security Associations
Cloud Providers
Consultancies
Independent consultants
Over 40 organisations already involved, including:
IISP
ISACA
ISSA UK
ENISA
ISF
Website on its way...