Post on 30-Jan-2015
10 April 2023 Common Assurance Maturity Model Common-Assurance.com
Managing risks in the supply chain
Vladimir Jirasek, CAMM Steering Group
Twitter @vjirasek
People say that they are concerned that their information is not secure in The Cloud
People do not fully trust The Cloud
Is the Cloud Secure?
• Can be as secure as any other IT system
• Depends on the model chosen
• Understand the responsibilities
• All eggs in one basket is the real question
• Implicit trust on provider
• Exit and lock-in
Problem to be solved – trust in the supply chain
• Your business
• Your cloud provider
• Suppliers for the cloud provider
End to end assurance across this chain
CAMM MISSION: Provide an objective framework to transparently rate and benchmark the capability of a selected solution to deliver information assurance maturity across the supply chain
Achieving Transparency & layers of CAMM
Layers: 1. Consumer, 2. CIO, 3. Architects, 4. Experts
Disclosure levels: Secret, NDA, Public
CAMM allows different levels of confidentiality - e.g. only auditor sees full set of results or public disclosure via web site
Domain scores (Self assessed / Audited):
IT Services    3 / 3
Continuity     5 / 4
Incident mgmt  4 / 4
Physical       4 / 5
HR             3 / 3
Governance     4 / 3
Self assessment averages: A.Average 3.8, C.Average 3.3, E.Average 4.6
Audited on 17.03.2012: A.Average 3.4, C.Average 3.4, E.Average 4.4
Example disclosures: "Public How To at www.wikipedia.org", "Company specific How we did it"
Overall structure of CAMM components
• Controls framework
• WorkBench App (Free GRC app)
• Weighting framework
• Scoring model
• Auditors
• Audited controls
• Maturity scores
• Final maturity scores
• Non CAMM audit results
• Mapping to other standards (TPAC)
Please see next slide for details about importing CAMM audit results
Utilize your current investment in another standard, e.g. ISO
• The Statement Of Applicability (SOA) of the source standard is used as a baseline for translation
• CAMM Guidance documents will help auditors with "yellow" area interpretations
Translate: source standard (e.g. ISO 2700x SOA) → target standard (CAMM)
• 1=1 applicable, no need of interpretation
• Auditor interpretation of applicability
• Not implemented > to be CAMM audited
Stakeholders
1. Consumers – Can form trust relationship based on understandable facts
2. Companies – Can form trustworthy supply chains to provide real trustworthiness to consumers & other customers
3. Governments – Can have more confidence in corporate governance to remove barriers from global single e-markets
4. Service Providers & Consultancies – Can build competences to achieve the target
5. Industry Associations – Can excel in defining harmonized model implementations
CAMM Committee
Government
Consumer
Progress
It is anticipated for the initial set of COMMON controls and associated guidance to be completed by Q4 2011. The following details the key milestones:
• Major client, standards and service provider organisations engaged
• Development of framework and appropriate weighting mechanism underway
• Development of the framework: Control framework created and reviewed; Scoring model created
• Development of the guidance: Guidance material to be completed by end of October 2011
• Pilot: Pilot with major organisation planned for summer 2011
• Development of Free GRC tool: Major GRC vendor engaged to add CAMM module