Common Assurance Metric
Transcript of Common Assurance Metric
Develop a framework capable of providing a quantifiable, objective metric to attest the Information Assurance Maturity of a given organisation or (range of) asset(s).
OBJECTIVES
Purpose
Provide a framework that gives the necessary transparency in attesting the Information Assurance Maturity of a third party (e.g. a Cloud provider). Allow results to be published in an open and transparent manner, without a mandatory requirement for third-party audit functions. Allow data processors to demonstrably publicise their attention to Information Assurance over other suppliers that may not take it as seriously. Avoid the subjective and bespoke arrangements that customers of such services currently face.
Method
Utilise existing standards such as ISO 27001, BS 25999, NIST SP 800-53, etc. to develop a series of control questions specific to the organisation. Responses to such questions (and the subsequent detail) are to be published and made available. Output is also to include a score that details the provider's Common Assurance Metric.
Scope
– Outputs will be aimed at a restricted circulation and distributed on a need-to-know basis only until the public release (14.02.2010).
– A framework for approved audit firms.
BENEFITS
Outsourcer
– Demonstrate a genuine USP compared to other outsourcers that may not take Information Assurance as seriously.
– Avoid the need for multiple auditors from various customers. One single (trusted) audit will satisfy all customers.
– Provide outsourcing facilities to customers based on risk appetite and not sector or geography, e.g. one for government, one for finance, etc.
Customer
– Be able to distinguish providers based on their IA maturity.
– Having a trusted IA framework removes the need to spend considerable sums in monitoring suppliers throughout the year.
– Apply different levels of controls to information; for example, HR data can have LOW controls and Finance HIGH. This means that cost savings can be made based on data classification (as opposed to everything HIGH).
BENEFITS 2
Senior Management
– Be able to quantify risk appetite.
– Quantify Return on Investment, e.g. if x incidents are experienced with outsourcers scored LOW and y with those scored MED, is the cost differential justified?
– Achieve transparency in controls and locations.
– Single trusted framework across industry and geography.
BENEFITS 3
Involved Stakeholders
Name | Affiliation
Daniele Catteddu & Giles Hogben | ENISA
Dougie Rawlinson & Peter Hooper | CESG
Ron Hale | ISACA
Kerry Davies & Malcolm Marshall | KPMG
Jim Reavis | Cloud Security Alliance
Des Ward | ISSA
Andrew Powell | CPNI
Lord Erroll | n/a
Professor Fred Piper | Tbc
Carl Matthews | Amazon Web Services
Dr David King | ISAF
Rt Hon David Blunkett | n/a
Emma Tommony | Reed Exhibitions
David Clancy | ICO
John Colley | ISC2
Diane Wailing | Cabinet Office
Adrian Davis | ISF
Jay Heiser | Gartner
Neil Stinchcombe | Eskenzi PR
Note: Additional stakeholders are being consulted and the above list is not finalised.