SUPPLY CHAIN ASSURANCE FRAMEWORK: THE SUPPLY CHAIN STANDARDS TRANSLATOR



Similar documents
A Flexible and Comprehensive Approach to a Cloud Compliance Program

Hans Bos Microsoft Nederland.

Cloud Security Panel: Real World GRC Experiences. ISACA Atlanta s 2013 Annual Geek Week

Maintaining PCI-DSS compliance. Daniele Bertolotti Antonio Ricci

Building an Effective

Compliance, Audits and Fire Drills: In the Way of Real Security?

GRC Stack Research Sponsorship

ADRIAN DAVIS INFORMATION SECURITY FORUM

Robert Brammer. Senior Advisor to the Internet2 CEO Internet2 NET+ Security Assessment Forum. 8 April 2014

Open Certification Framework. Vision Statement

Information Security Management System for Microsoft s Cloud Infrastructure

Microsoft s Compliance Framework for Online Services

PROTEUS Enterprise - IT Governance, Risk and Compliance Management Solution

Securing external suppliers and supply chains: the ISF approach

Cloud Standardization, Compliance and Certification. Class 2012 event 25.rd of October 2012 Dalibor Baskovc, CEO Zavod e-oblak

VENDOR MANAGEMENT An Update & Discussion

Information Security ISO Standards. Feb 11, Glen Bruce Director, Enterprise Risk Security & Privacy

Cloud Security Certification

The Convergence of IT Security and Compliance with a Software as a Service (SaaS) approach

CLOUD SECURITY THROUGH COBIT, ISO ISMS CONTROLS, ASSURANCE AND COMPLIANCE

Consolidated Audit Program (CAP) A multi-compliance approach

Cloud Security Alliance and Standards. Jim Reavis Executive Director March 2012

Compliance & information security A (bit of a) rant. Jodie Siganto

IT Audit in the Cloud

3rd Party Assurance & Information Governance outlook IIA Ireland Annual Conference Straightforward Security and Compliance

10 Considerations for a Cloud Procurement. Anthony Kelly Erick Trombley David DeBrandt Carina Veksler January 2015

Third Party Risk Management 12 April 2012

TOOLS and BEST PRACTICES

IIA Conference. September 18, Paige Needling Director, Global Information Security Recall, Inc.

Achieve ISO Certification

Auditing Cloud Computing and Outsourced Operations

OFFICE OF AUDITS & ADVISORY SERVICES CLOUD COMPUTING AUDIT FINAL REPORT

Impact of New Internal Control Frameworks

Service Organization Control (SOC) Reports

SAS No. 70, Service Organizations

Is it Time to Look at an Ektron Managed Cloud Strategy? Copyright 2014 Ektron, Inc.

LEVEL 5. Advanced Diploma in Purchasing and Supply. Senior Assessor s Report. July Risk Management and Supply Chain Vulnerability L5-02

The Cloud Security Alliance

Anypoint Platform Cloud Security and Compliance. Whitepaper

The 2011 Standard of Good Practice for Information Security. June 2011

Cloud Computing Risk Assessment

BECOME A SMARTER CLOUD CONSUMER

Security Risk Management Strategy in a Mobile and Consumerised World

Agenda 4/21/2015. Evelyn de Souza Chair Cloud Security Alliance Data Governance Chair/ Data Privacy and Compliance Leader Cisco Systems

SERVICE ORGANIZATION CONTROL REPORTS SM. Formerly SAS 70 Reports

Third-Party Risk Management for Life Sciences Companies

A view from the Cloud Security Alliance peephole

COBIT Helps Organizations Meet Performance and Compliance Requirements

How to ensure control and security when moving to SaaS/cloud applications

Why & How Cloud computing is enabling the digital transformation of financial services institutions

OC Chapter. Vendor Risk Management. Cover the basics of a good VRM program, standards, frameworks, pitfall and best outcomes.

Security, Compliance & Risk Management for Cloud Relationships. Adnan Dakhwe, MS, CISA, CRISC, CRMA Safeway Inc. In-Depth Seminars D32

IT Governance: framework and case study. 22 September 2010

How To Improve Your Business

PCI Policy Compliance Using Information Security Policies Made Easy. PCI Policy Compliance Information Shield Page 1

Developing the Corporate Security Architecture. Alex Woda July 22, 2009

14 October 2015 ISACA Curaçao Conference By: Paul Helmich

Italy. EY s Global Information Security Survey 2013

Secure your cloud applications by building solid foundations with enterprise (security ) architecture

Data Risk Management: ISM Ground to Cloud Summit. accelerate your ambition 1

European Cloud Computing. Strategy. Cloud standards. Ken Ducatel DG CONNECT

Embrace the G-Cloud. Ultra Secure Colocation Services for the Public Sector. thebunker.net Phone: Fax:

Cloud Computing Risks & Reality. Sandra Liepkalns, CRISC sandra.liepkalns@netrus.com

Logically Securing a Public Cloud Service

Pharma CloudAdoption. and Qualification Trends

When The Cloud Goes Bust: Data Breaches In The Cloud

Cloud Computing Security Audit

Understanding SOC Reports for Effective Vendor Management. Jason T. Clinton January 26, 2016

Citation for published version (APA): Berthing, H. H. (2014). Vision for IT Audit Abstract from Nordic ISACA Conference 2014, Oslo, Norway.

INFORMATION TECHNOLOGY FLASH REPORT

StratusLIVE for Fundraisers Cloud Operations

EXECUTIVE STRATEGY BRIEF. Securing the Cloud Infrastructure. Cloud. Resources

Who s Got Your Data? Managing Vendor Risk. Chris Clymer, Advisory Services

White Paper How Noah Mobile uses Microsoft Azure Core Services

SSAE 16 for Transportation & Logistics Companies. Chris Kradjan Kim Koch

SECURITY RISK MANAGEMENT

Governance, Risk, and Compliance (GRC) White Paper

NSW Government. Data Centre & Cloud Readiness Assessment Services Standard. v1.0. June 2015

Strategies for Secure Cloud Computing

A Guide to the Cyber Essentials Scheme

The Cadence Partnership Service Definition

ICT and Information Security Resources

The Emergence of the ISO in Community Banking Patrick H. Whelan CISA IT Security & Compliance Consultant

Securing The Cloud. Foundational Best Practices For Securing Cloud Computing. Scott Clark. Insert presenter logo here on slide master

Project organisation and establishing a programme management office

Ensuring Enterprise Data Security with Secure Mobile File Sharing.

Risky Business. Is Your Cybersecurity in Cruise Control? ISACA Austin Chapter Meeting May 5, 2015

Third party assurance services

CONTENT OUTLINE. Background... 3 Cloud Security Instance Isolation: SecureGRC Application Security... 5

CSA Position Paper on AICPA Service Organization Control Reports

9/14/2015. Before we begin. Learning Objectives. Kevin Secrest IT Audit Manager, University of Pennsylvania

Cloud Security. DLT Solutions LLC June #DLTCloud

PCI Compliance and the Cloud: What You Can and What You Can t Outsource Presented By:

Name: Lynda Cooper Date: November 24th. Revising ISO/IEC to fit the future of service management

08/10/2013. Data protection and compliance. Agenda. Data protection life cycle and goals. Introduction. Data protection overview

Service Organization Control (SOC) Reports Focus on SOC 2 Reporting Standard

Dodging Breaches from Dodgy Vendors: Tackling Vendor Risk Management in Healthcare

Vendor Management Panel Discussion. Managing 3 rd Party Risk

The silver lining: Getting value and mitigating risk in cloud computing

Master Data Management Architecture

Transcription:

SUPPLY CHAIN ASSURANCE FRAMEWORK: THE SUPPLY CHAIN STANDARDS TRANSLATOR Michael de Crespigny, CEO Information Security Forum Session ID: GRC R02B Session Classification: General Interest

KEY ISSUE Our Members tell us there is: Confusion and / or frustration amongst acquirers and suppliers Dealing with differing and inconsistent InfoSec requirements Inefficiency as a result of suppliers being asked by acquirers to provide assurance against varying standards and / or specifically defined requirements / policies Eroded value of suppliers assurances and / or certification Because acquirers can t compare the suppliers arrangements with their requirements And we ve validated this externally

SUPPLY CHAIN ASSURANCE FRAMEWORK ISF initiative with industry stakeholders to address these problems Develop solution to improve understanding of requirements and acceptability of assurances Stakeholders involved to: Input to and validate design Launch and promote to their constituency Outcomes: Improved supply chain risk management Reusability of certifications and audit reports (eg SOC2) Lower costs

SOME OF THE STAKEHOLDERS INVOLVED IN SCAF

COMPONENTS Enablers: ISO 27036 People & experience: ISACA, (ISC) 2 AICPA attest standards SSAE16 / ISAE3402 & Trust Services principles Recognised maturity model to underpin assurance Audit firms Procurement professionals Contract term templates Supply chain / vendor management organisations Common standards used to identify key information security requirements <------- >50 Info Sec Standards ------- > Selection from ISO 27001, 2 ISF Standard of Good Practice US Government NIST 800.53 etc UK Government Cabinet Office re SPF German Government BSI CSA Cloud Controls Matrix Payment Card Industry PCI DSS BITS / Santa Fe Shared Assessments Other Governments AU, CA, etc Other Industry Groups eg AIA (Aerospace) etc ALL BASED ON A FOUNDATION OF AICPA TRUST SERVICES Comparison mappings WHAT IS CURRENTLY MISSING Outcomes: Effective risk management Acquirer requirements defined (risk driven) Providers able to translate requirements to own / existing approach gap identification Clear audit / assurance requirements Audit reports / SOC2 / Certificates acceptable to multiple acquirers Acquirers translate assurances and identify gaps / remedial action Process simplified, costs reduced, risks managed

SUPPLIER REQUIREMENTS DEFINITION A framework to define the information security arrangements required of suppliers Product / service being acquired Information category being shared Assurance requirements 1. Identify information and procurement categories Novelty and uniqueness of product or service Political / legal / regulatory environment Media / public profile Supply chain complexity Legal / regulatory environment Export controls Standards required (eg PCIDSS) Assurance requirements 2. Determine supply chain issues 3. Recognise sector compliance obligations 4. Generate information security supplier requirements template(s) Arrangements required Compliance required Assurance required

STANDARDS COMPARISON SAAS Acquirer Information security supplier requirements Supplier security in place Standards comparison tool website Control gaps summaries reports To be used by both suppliers and acquirers

INFORMATION SECURITY STANDARDS COMPARISON Used by suppliers to compare acquirer information security requirements to their existing information security arrangements. Relevant during the bidding process and when requirements change or assertions are sought Used by acquirers to compare submissions and identify any requirements not met by suppliers Used by information security professionals to compare arrangements and requirements Only they can assess the significance of gaps in the context of information risk

BENEFITS 1. Provides a risk model that can be used by procurement and legal staff for predictable and lower risk transactions 2. Builds information risk and control into procurement 3. Assists acquirers to identify areas of greater risk for more detailed assurance from a supplier 4. Suggests appropriate controls to mitigate common information risks within the supply chain 5. Allows suppliers to identify and cite controls specified in different standards as being equivalent

DELIVERABLES Supplier requirements definition Standards comparison tool website Supporting collateral Launch & public availability Public domain not just for ISF Members Free to use to optimise acceptability Will have its own LinkedIn group Material and links will be downloadable from its own website Launch timed around ISO/IEC 27036: Q1 2014 Follow the development on www.securityforum.org

WHAT YOU CAN DO 1. Join our stakeholder group to help refine and test SCAF Contact me: michael@securityforum.org 2. Deploy SCAF in your organisation on launch

Thank you! Michael de Crespigny Information Security Forum michael@securityforum.org Telephone: +44 20 7212 1796 Mobile: +44 7837 352 661 www.securityforum.org

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information