Freely subscribe to our NEWSLETTER

According to Des Ward, the current focus on complying with the myriad of assurance frameworks is taking focus away from the obligations placed on organisations to identify and manage the risks to their information assets; which, in turn, places an inordinate and inappropriate burden on external service providers to satisfy the concerns of organisations with no common terms of reference.

“The discussion following my presentation was very interesting as it highlighted that, whilst security in the Cloud Services environment is clearly a concern for many IT Security professionals, there is still a lack of assurance within the external supply chain as whole,” said Des Ward, President, CSA UK & Ireland.

“What this tells me is that, whilst the message on security is getting through to businesses, there is no consistent language to determine whether the service provider will operate the controls to a level that assures the client that their risks are managed appropriately. This proves to me that the current security mindset is little more than managing risks to achieving compliance rather than empowering organisations to understand the controls required to manage the risks to their information.” he added.

The good news, Ward went on to say, is that, as Head of framework development for the Common Assurance Maturity Model (CAMM), he was able to explain how the framework can assist organisations, and what the Third Party Assurance Centre (TPAC) – a business assurance initiative formed to assist with providing transparency and reuse of audit results relating to the supply chain – can bring to the table.

TPAC, he told his audience, seeks to develop an environment where external service providers can share their independent audit results conducted against their service(s) with their current and/or prospective clients; the sharing is to conducted in a manner that protects the confidential information contained within the results, and provides the ability to provide evidence of the assurance provided throughout the supply chain within the regulatory frameworks and standards now required of modern business.

The CSA UK & Ireland President noted that several leading industry bodies are partnering with TPAC – including the Information Security Forum (ISF), Cloud Security Alliance (CSA), CAMM, Cloud Industry Forum (CIF) and the Payment Card Industry board of advisors.

The assistance of these industry bodies – especially the PCI board of advisors – he explained, reflects the importance of TPAC in assisting those organisations that wish to outsource some of their IT functions, but who are concerned about the regulatory ramifications of doing so and are looking for transparency in the supply chain.

“It is important”, says Ward, “to understand that all organisations in the UK and Ireland, on both sides of the public/private sector divide, have an explicit obligation under law to ensure that personal and corporate information is managed in a safe manner.

“The current compliance overload over the past four or five years has led to an inordinate focus on managing risks to compliance rather than understanding the risks to information – and this focus has meant that we look to overuse of technical controls to show due diligence to ensure that when a breach occurs, that penalties will not be levied; it is not designed to reduce the likelihood of breaches themselves,” he adds.

“This approach is, in my humble opinion, unsustainable, as it does not look to the implementation of the controls and fails to address the business risk management issue that exists in most organisations. This is turn has no more benefit to the business than placing money in the shredder.” he explained.

“A classic case of these issues”, he says, “was the ICO’s recent engagement with Lush after the cosmetics retailer suffered a payment card breach; although the outcome was favourable for all concerned, the key lesson to be learnt is that the current compliance boundaries can now be crossed by another interested party. What stops the ICO from looking beyond the compliance scope of PCI and entering its own jurisdiction which is the entire business?

“The current lack of corporate information governance in today’s businesses will soon result in increased penalties and I feel that this case will be a tipping point; despite the clamour for more prescription from assurance frameworks, my own experience is that many implementations of the PCI DSS are tightly scoped and shows there is little appetite for additional level of prescription that comes with little more benefit than a licence to undertake business on the internet. This proves to me that the current focus on compliance risk management as we know it is nearing an end, and something else is required to assist organisations to understand and manage the risks to their information going forward.

“But it’s not all doom and gloom. As I told my audience at the Holyrood event, CAMM has been designed to look at the maturity of controls implemented to manage risks to information, and is designed for both client and supplier, irrespective of size or industry.” he said. It’s hybrid quantitative and qualitative control model ensures that controls are only detailed where necessary and that the governance undertaken by the organisation is viewed as being with at least being on a par with, if not more important than, the technical implementation of controls.

“The combination of not only the assessing quality of the control, but it’s operation within the organisation presents a picture that will allow client organisations to simplify the process of assessing their supply chain through comparison of the CAMM scores of both client and supplier; highlighting what controls the supplier operates at a higher and lower level of maturity” he added.

“This will be achieved through the Third Party Assurance Centre (TPAC) in time, but also has the benefit of allowing organisation to submit anonymised scores to understand where they sit within their vertical sectors. This will also help to ensure that service providers and clients alike who maintain their controls will always fare better than those who adopt a ’tick box’

The CAMM Objective:

To provide a framework to in support of necessary transparency attesting the information assurance maturity of third party providers and suppliers (e.g. cloud service providers).

To publish results in an open and transparent manner, without the mandatory need for third party audit functions, or due diligence engagements.

Allow for data processors to demonstratively publicise their attention to information assurance in comparison to other supplier’s levels of compliance, and security profiles.

To assist in the negation of the operational requirement for time consuming, expensive, subjective, and resource intensive bespoke arrangements to attest security and compliance.