
Common Assurance Metric


tamra
Presentation Transcript


  1. Restricted Circulation Common Assurance Metric

  2. Develop a framework capable of providing a quantifiable objective metric to attest the Information Assurance Maturity of a given organisation or (range of) asset(s). OBJECTIVES

  3. Purpose
  • Provide a framework that gives the necessary transparency in attesting the Information Assurance Maturity of a third party (e.g. a Cloud provider).
  • Allow the publication of results in an open and transparent manner, without the mandatory need for third-party audit functions.
  • Allow data processors to demonstrably publicise their attention to Information Assurance over other suppliers that may not take it as seriously.
  • Avoid the subjective and bespoke arrangements that customers of such services currently face.

  4. Method
  • Utilise existing standards such as ISO 27001, BS 25999, NIST SP 800-53, etc. to develop a series of control questions specific to the organisation.
  • Responses to such questions (and the subsequent detail) are to be published and made available.
  • Output is also to include a score that details the provider's Common Assurance Metric.

  5. Scope
  • Outputs will be aimed at a restricted circulation and distributed on a need-to-know basis only until the public release (14.02.2010).
  • A framework for approved audit firms.

  6. BENEFITS
  • Outsourcer
  • Demonstrate a genuine USP compared to other outsourcers that may not take Information Assurance as seriously.
  • Avoid the need for multiple auditors from various customers: one single (trusted) audit will satisfy all customers.
  • Provide outsourcing facilities to customers based on risk appetite and not on sector or geography (e.g. one for government, one for finance, etc.).

  7. BENEFITS 2
  • Customer
  • Be able to distinguish providers based on their IA maturity.
  • Having a trusted IA framework removes the need to spend considerable sums on monitoring suppliers throughout the year.
  • Apply different levels of controls to information; for example, HR data can have LOW controls and Finance HIGH. This means that cost savings can be made based on data classification (as opposed to treating everything as HIGH).

  8. BENEFITS 3
  • Senior Management
  • Be able to quantify risk appetite.
  • Quantify Return on Investment, e.g. if x incidents are experienced with outsourcers scored LOW and y with those scored MED, is the cost differential justified?
  • Achieve transparency in controls and locations.
  • Single trusted framework across industry and geography.

  9. Involved Stakeholders
  • Note: additional stakeholders are being consulted and the above list is not finalised.
