1. The new business assurance barometer: Common Assurance Maturity Model (CAMM). R Samani
3. The 5 big challenges: more challenging with fewer resources

Third Party Access
1. Measure the inherent security of a third party wishing to access the business in a scalable manner
2. Be able to objectively and reliably measure the risk management maturity of third parties
3. Ensure that all risk management requirements are reflected in contracts (and will be applicable in future)
4. Perform the due diligence required within current resourcing constraints
5. Find an approach that leverages existing investment AND will be adopted by suppliers

Service Procurement
1. Find an approach that allows information risk management to be incorporated objectively into the tender process
2. Find a way to compare risk management maturity between different suppliers
3. Achieve the required level of transparency when self-audit is not an option
4. Find a solution that satisfies changing regulatory requirements
5. Find an approach that will be adopted by suppliers
4. A new approach… CAMM: a new business assurance barometer

Business Assurance
- Leverage existing expenditure: CAMM is built on existing standards, leveraging existing compliance expenditure.
- Transparent risk management: risk management maturity is open for stakeholders to view, using appropriate language and detail.
- Genuine USP for providers: provides a genuine USP to organisations that have higher levels of information risk maturity.
- Objective: measures maturity against defined control areas, with particular focus on key controls.
- Meaningful: a business benefit that creates consumer trust that is meaningful, understandable and creates a clear strategy to achieve greater maturity.
5. How it works… (a simplified view): achieving transparency

[Diagram: a Third Party Assurance Centre holds the maturity ratings of a third party requesting access, a third party service provider and an internal hosting provider; the business sets its Risk Appetite against these.]

1. The business sets the level of risk it is willing to tolerate (the number of levels depends on the data). Maturity will include CAMM plus possible bespoke modules.
2. The level of risk management maturity is communicated to business partners (and possible partners).
3. Evidence of compliance may be uploaded to a central repository that can be used by numerous customers.
4. Leverage existing expenditure and remove the need for duplicate verification (e.g. many customers wishing to audit the same third party service provider).
8. Who is involved? A global collaborative effort

- End user organisations
- Security associations
- Cloud providers
- Consultancies
- Independent consultants

Over 40 organisations already involved, including IISP, ISACA, ISSA UK, ENISA and ISF.

Website on its way…