Security groups team up to provide IT risk and information assurance assessments

Key international information assurance organisations plan to create a global repository of assessments for the assurance of the IT supply chain, including cloud services.

A group of IT security organisations are teaming up to create a set of tools to help companies assess IT risks and information assurance needs.

The international organisations plan to set up a global repository of assessments for the assurance of the IT supply chain, including cloud services. The plans are outlined in a white paper published by professional and industry bodies which provide assurance frameworks.

Contributors to the Business Assurance for the 21st Century white paper include the Information Security Forum (ISF), the Cloud Security Alliance (CSA), the Payment Card Industry (PCI), the Common Assurance Maturity Model (CAMM) and ISACA.

The organisations support the need for a global approach and repository. They say such an initiative should be independent and not-for-profit, to provide transparency and secure wider endorsement.

Initially, the global repository or Third Party Assurance Centre will support a select number of assurance frameworks.

Support for these frameworks will be modular, so users will be able to select the modules appropriate to their business requirements.

Businesses are relying more on third parties than ever before and the growth of cloud computing will only increase this dependency, said Raj Samani of CAMM.

This places new demands on the assurance requirements for businesses, calling for a more efficient method of assessing and managing risk when dealing with third parties, he said.

"It is therefore absolutely necessary for a global, collaborative approach to meet the evolving needs of businesses, and this major milestone represents the first step in providing assurance for the 21st century," Raj Samani added.

Michael de Crespigny, chief executive of the Information Security Forum, said ensuring the safety of information held by customers and suppliers is difficult and inefficient.

"The ISF is pleased to be able to contribute our members' insights to develop an international model for enterprises to assess risk and define security requirements in their own language, and for suppliers to readily understand, comply and prove it, thereby improving information security and securing the supply chain," Michael de Crespigny said.

Jim Reavis, executive director of the CSA, said the time had come for a third-party assurance centre. "Developing this capability with the flexibility to address multiple assurance levels and supporting multiple frameworks will help accelerate trust in cloud computing and forestall the need for regulatory bodies to create heavy-handed requirements that may stunt innovation and the adoption of the next generation of information technology," he said.

The Third Party Assurance Centre is aimed at meeting the business need for a mechanism that allows suppliers to respond once, and share with many.

Contributors to the white paper agree that this approach will provide significant efficiencies for suppliers by enabling a single assessment, or a small number of assessments, to be used for multiple customers. It will also enable customers to assess the large number of third parties in their supply chain quickly, without needing to assess each one individually.
