A leading figure with the Common Assurance Maturity Model (CAMM) has called on IT security professionals to use October 17 as a jumping-off point to raise awareness of the need for security and assurance at boardroom – or equivalent – level in their organisation.
According to Professor John Walker FBCS CISM CITP MFSSoc, director of TPAC (the Third Party Assurance Centre) with CAMM – and also a visiting professor at Nottingham Trent University's school of computing – the 17th is a very important day in the calendar of security professionals, as well as for those organisations that are fortunate enough to be focused on IT security.
“This is one of those special days when security jumps up a place or two on the corporate menu of topical events of interest – or at least it should. This is not only a key Security Day, but is also an opportunity to plug into the business user base, partners, and other organisations located within the same sector of operations,” he said.
“The 17th of October is day one of National Identity Fraud Prevention Week – a nationwide UK effort to help in the battle against identity fraud. The campaign, which is in its seventh year, seeks to help prevent identity fraud by providing practical help, tips and guidance to safeguard your identity,” he added.
Professor Walker went on to say that the campaign is the result of co-operation between a number of public and private sector partners, including the Metropolitan Police, the City of London Police, the National Fraud Authority, IFCAG and CIFAS – the UK’s Fraud Prevention Service – to mention but a few.
And, he explained, the month of October is National Cyber Security Awareness Month, a second and lengthier campaign that seeks to raise awareness of IT security amongst all computer users, and not just IT professionals.
Now in its sixth year, the NCSA programme is a co-ordinated effort between the National Cyber Security Alliance, the US Department of Homeland Security and MS-ISAC (the Multi-State Information Sharing and Analysis Center).
Professor Walker – who is also CTO of Secure Bastion – went on to say that this is what makes the 17th of October a pivotal opportunity for IT security professionals of all levels to reach out to their clients and help educate them on the importance of keeping their security defences patched and fully up to date, and so reduce their security risk profile.
Reducing the security risk profile of your computer – and your organisation's IT resources – is central, he explained, to lowering the risk of a successful attack, and so to helping ensure the integrity of your organisation's resources and digital data assets. This is all part of the GRC (governance, risk management and compliance) equation that is so central to the efficient operation of any business, no matter how large or small.
And it is against this backdrop, says Professor Walker, that the 17th of October presents everyone in the IT security profession with an opportunity to truly reach out to their clients – no matter what their level of understanding of technology – to offer assistance and to listen to their worries and concerns about security.
“Our job in the profession that is IT security is actually more about listening to people's concerns, and then formulating solutions and strategies to those concerns. Only by taking this approach can we hope to reduce the number of fire-fighting security scenarios that we inevitably encounter. Effective security management – like the management process generally – is about ensuring the smooth running of your department,” he said.
Professor Walker says that the irony – which should not be lost on any GRC security professional – is that truly effective management of the security function eventually leads to a transparent layer of security in an organisation.
This, he noted, is actually the Holy Grail of IT security and something we should also aspire to. It is worth noting that – with RIM/BlackBerry having just fallen victim to what may be a GRC security incident of unknown origin – the 17th of October could be a good time to ‘talk security’ to your clients.
“And with the ongoing migration of IT assets into the cloud in a growing number of organisations causing worries on several fronts, there is now a very good reason to ‘talk security’ with your clients and users, and so assist them to get things right. The TPAC function of CAMM can help here, as it has a clear objective of assisting any business of any size looking to engage with a cloud provider,” he said.
“The goal of TPAC is to provide a level of intelligence, data and transparency about a particular provider's capability to supply specific elements of its service, and so place the contracting organisation in an informed position from which it can decide in which direction to progress – and, more importantly, with which partner,” he added.
The CAMM Objectives:
To provide a framework in support of the transparency necessary to attest the information assurance maturity of third party providers and suppliers (e.g. cloud service providers).
To publish results in an open and transparent manner, without the mandatory need for third party audit functions or due diligence engagements.
To allow data processors to demonstrably publicise their attention to information assurance in comparison with other suppliers’ levels of compliance and security profiles.
To help remove the operational requirement for time-consuming, expensive, subjective and resource-intensive bespoke arrangements to attest security and compliance.