Key Organizations Publish Their Views on Business Assurance for the 21st Century

Call for Global Repository of Assessments for Assurance of the IT Supply Chain

Key international information assurance organizations have published a paper, Business Assurance for the 21st Century, outlining their plans to create a global repository of assessments for assurance of the IT supply chain (including cloud services).  The paper sets out the combined vision of leading professional and industry bodies that provide assurance frameworks, aiming to deliver greater efficiencies for all organizations regardless of geography, industry or size.

Organizations that have contributed to the white paper are The Shared Assessments Program; Information Security Forum (ISF); Cloud Security Alliance (CSA); Payment Card Industry (PCI); Common Assurance Maturity Model (CAMM); and ISACA.  The authors of the paper and the organizations they represent fully support the need for a global approach and repository.  Moreover, it is agreed that such an initiative and repository should be independent and ‘not for profit’, to ensure its focus, provide transparency and secure wider endorsement.

The global repository, or ‘Third Party Assurance Centre’, will in the first instance support a select number of assurance frameworks.  Support will be enabled in a modular fashion, so that a user can select the appropriate modules based on its business requirements.

“Our industry is changing.  Businesses are relying more on third parties than ever before, and the growth of cloud computing will only increase the dependency.  This places new demands on the assurance requirements for businesses, with a more efficient method of assessing and managing risk when dealing with third parties.  It is therefore absolutely necessary for a global collaborative approach to meet the evolving needs of businesses, and this major milestone represents the first step in providing assurance for the 21st century.”  Raj Samani, Founder, CAMM.

Michael de Crespigny, CEO, Information Security Forum, adds: “Ensuring your information held by customers and suppliers today is fraught with misunderstanding, duplication, cost and delay – it is so difficult and inefficient that it does not work well, except in the most sensitive industries, and even then at considerable cost.  The ISF is pleased to be able to contribute our Members’ insights to develop an international model for enterprises to assess risk and define security requirements in their own language, and for suppliers to readily understand, comply and prove it, thereby improving information security and securing the supply chain.  Managing risk is what we focus on helping our Members to achieve and this initiative will address one of the biggest challenges of the last five years.”

“A Third Party Assurance Centre is a concept whose time has come, and I salute my industry colleagues for their efforts in articulating this need.  Developing this capability with the flexibility to address multiple assurance levels and supporting multiple frameworks will help accelerate trust in cloud computing and forestall the need for regulatory bodies to create heavy handed requirements that may stunt innovation and the adoption of the next generation of information technology.”  Jim Reavis, Executive Director, Cloud Security Alliance.

“Gaining assurance is often the responsibility of the end customer to ensure that the primary contractor, and in many cases subcontractors, do not represent an unacceptable risk to the business.  This cost is usually borne by the end customer. The primary contractor is often faced with multiple end customers demanding assurance in differing ways, which can consume considerable resources and potentially erode the very assurance they sought. This initiative can help keep costs in line and increase assurance.”  Professor John Walker, London Chapter ISACA Security Advisory Group.

“Rapid innovation and an escalating threat landscape combine to challenge organizational resources from architects to auditors.  The unified view of assurance standards provided by CAMM targets the imperative for holistic information management and leads to superior governance.”  Kurt Roemer, Chair of the PCI Security Standards Council, Virtualization Special Interest Group.

There is a clear business need for a mechanism that allows suppliers to respond once and share with many.  Such a mechanism would provide significant efficiencies for the supplier, in that a single assessment (or a small number of assessments) could be reused by multiple customers.  Equally, it would enable customers to quickly assess the large number of third parties in their supply chain without commissioning a separate assessment of each provider.

The full version of the Business Assurance for the 21st Century white paper can be downloaded from www.common-assurance.com