CAMM presentation during eCrime congress June 2011

1. Managing risks in the supply chain 14 June, 2011 Common Assurance Maturity Model Common-Assurance.com 1 Vladimir Jirasek CAMM Steering Group Twitter @vjirasek

2. People do not fully trust The Cloud People say that they are concerned that their information is not secure in The Cloud

3. Is the Cloud Secure? 14 June, 2011 Common Assurance Maturity Model Common-Assurance.com 3 Can be as secure as any other IT system Depends on the model chosen Understand the responsibilities All eggs in one basket is the real question Implicit trust on provider Exit and lock-in

4. Problem to be solved – trust in the supply chain 14 June, 2011 Common Assurance Maturity Model Common-Assurance.com 4 Suppliers for the cloud provider Your business Your cloud provider End to end assurance

5. 14 June, 2011 Common Assurance Maturity Model Common-Assurance.com 5 CAMM MISSIONProvide an objective framework to transparently rate and benchmark the capability of a selected solution to deliver information assurance maturity across the supply chain

6. Achieving Transparency & layers of CAMM 1. Consumer 3. Architects 2. CIO 4. Experts Selfassess Audited Selfassessment Audited on17.03.2012 Governance 4 3 A.Average3.8 A.Average3.4 HR 3 3 ”Public How To atwww.wikipedia.org” IT Services 3 3 C.Average3.3 C.Average3.4 Physical 4 5 SecretNDA Public E.Average4.6 E.Average4.4 Continutity 5 4 Incident mgmt ”Company specificHow we did it” 4 4 CAMM allows different levels of confidentiality - e.g. only auditor sees full set of results or public disclosure via web site

7. Overall structure of CAMM components 14 June, 2011 Common Assurance Maturity Model Common-Assurance.com 7 TPAC Final maturity scores Mapping to other standards Free GRC app Scoring model Non CAMM audit results Maturityscores Weightingframework Please see next slide for details about importing CAMM audit results WorkBench App Audited controls Controls framework Auditors

8. Utilize your current investmentto an another standard e.g. ISO The Statement Of Applicability (SOA) of source standard is used as a baseline for translation CAMM Guidance documents will help auditors with ”yellow” area intepretations 14 June, 2011 Common Assurance Maturity Model Common-Assurance.com 8 Souce standard Target standard e.g. ISO 2700x SOA CAMM Translate Not implemented > to be CAMM audited Auditor intepretation of applicability 1=1 applicable, no need of intepretation

9. Stakeholders Consumers – Can form trust relationship based on understantable facts Companies – Can form trustworthy supply chains to provide real trustworthiness to consumers & other customers Governents – Canhavemore confidence in corporategovernance to remove barriers from global single e-markets Service Providers & Consultancies – Can buildcompetences to achieve the target Industry Associations – can excel in defining harmonized model implementations Consumer Government CAM Commitee

10. Progress It is anticipated for the initial set of COMMON controls and associated guidance to be completed by Q4 2011. The following details the key milestones: Major client, standards and service provider organisations engaged Development of framework and appropriate weighting mechanism underway Development of the framework Control framework created and reviewed Scoring model created Development of the guidance Guidance material to be completed by end of October 2011 Pilot Pilot with major organisation planned for summer 2011 Development of Free GRC tool Major GRC vendor engaged to ad CAMM module