Common Assurance Metric


Transcript of the Common Assurance Metric presentation (PowerPoint slides)

Page 1

Common Assurance Metric

Page 2

OBJECTIVES

Develop a framework capable of providing a quantifiable, objective metric to attest the Information Assurance maturity of a given organisation or (range of) asset(s).

Page 3

Purpose

– Provide a framework that gives the necessary transparency in attesting the Information Assurance maturity of a third party (e.g. a Cloud provider).
– Allow results to be published in an open and transparent manner, without a mandatory third-party audit function.
– Allow data processors to demonstrably publicise their attention to Information Assurance over other suppliers that may not take it as seriously.
– Avoid the subjective and bespoke arrangements that customers of such services currently face.

Page 4

Method

– Utilise existing standards such as ISO 27001, BS 25999, NIST SP 800-53, etc. to develop a series of control questions specific to the organisation.
– Responses to these questions (and the supporting detail) to be published and made available.
– Output to also include a score that gives the provider's Common Assurance Metric.

Page 5

Scope

– Outputs will be aimed at a restricted circulation and distributed on a need-to-know basis only until the public release (14.02.2010).
– A framework for approved audit firms.

Page 6

BENEFITS

Outsourcer
– Demonstrate a genuine USP compared to other outsourcers that may not take Information Assurance as seriously.
– Avoid the need for multiple auditors from various customers: one single (trusted) audit will satisfy all customers.
– Provide outsourcing facilities to customers based on risk appetite rather than on sector or geography (i.e. no longer one facility for government, one for finance, etc.).

Page 7

BENEFITS 2

Customer
– Be able to distinguish providers based on their IA maturity.
– Having a trusted IA framework removes the need to spend considerable sums monitoring suppliers throughout the year.
– Apply different levels of controls to information; for example, HR data can have LOW controls and Finance HIGH. This means cost savings can be made based on data classification (as opposed to treating everything as HIGH).

Page 8

BENEFITS 3

Senior Management
– Be able to quantify risk appetite.
– Quantify Return on Investment, e.g. if x incidents are experienced with outsourcers scored LOW and y with those scored MED, is the cost differential justified?
– Achieve transparency in controls and locations.
– Single trusted framework across industry and geography.

Page 9

Involved Stakeholders

Name – Affiliation
Daniele Catteddu & Giles Hogben – ENISA
Dougie Rawlinson & Peter Hooper – CESG
Ron Hale – ISACA
Kerry Davies & Malcolm Marshall – KPMG
Jim Reavis – Cloud Security Alliance
Des Ward – ISSA
Andrew Powell – CPNI
Lord Erroll – n/a
Professor Fred Piper – Tbc
Carl Matthews – Amazon Web Services
Dr David King – ISAF
Rt Hon David Blunkett – n/a
Emma Tommony – Reed Exhibitions
David Clancy – ICO
John Colley – ISC2
Diane Wailing – Cabinet Office
Adrian Davis – ISF
Jay Heiser – Gartner
Neil Stinchcombe – Eskenzi PR

Note: Additional stakeholders are being consulted and the above list is not finalised.