Welcome to the SecAware blog

I spy with my beady eye ...

2 Apr 2011

Shared Assessments

Some managers claim to be wilting under compliance pressures, which is not surprising given the plethora of applicable laws and regulations, plus the contractual committments they and their colleagues have made. 

Going back a stage or two, most of the laws, regulations and contractual clauses arose because self-regulation failed: some organizations and individuals did not behave responsibly, ethically and fairly, leading to the introduction of formal rules to bring them in line.  Unfortunately, the rules apply to all, including those who have performed responsibly, ethically and fairly.  Which is of course unfair.

Going back another stage, organizations, individuals and industries had the chance to get their own act in gear without involving governments and regulators.  "The professions" have done exactly that for generations, with a range of self-regulation schemes that have, in the main, worked well in protecting the interests of the professionals, if not always the interests of their customers and clients (which is another matter!).  As we stand today, however, even the professions are heavily regulated.  It seems even professionals can no longer be trusted to do a good job well.

Overall, self-governance has patently failed, leading to the astronomic rise of enforced governance and independent assurance and compliance activities.

Compliance activities include all manner of self-assessments (which again are fine for responsible, ethical and fair organizations and individuals but worthless for the remainder), inspections, reviews and audits.  Compliance activties have become onerous because of the volume and depth of assessments needed to bottom-out information security, governance, risk management and control issues that often lurk deep in the bowels of the organization.  A major organization with lots of suppliers, partners and/or customers faces being audited by them or having to audit them, repeatedly.  This can be a significant overhead, especially in any of the most heavily regulated (read: untrusted) industries .

One response has been to introduce third party certification and audit schemes, the idea being that possession of a pass slip from a trustworthy third party will reduce if not eliminate the demand for audits by each dependent or concerned organization.  In relation to information security, governance and risk management, examples are ISO27k, SAS70, PCI-DSS and Shared Assessments. These in turn have spawned a global cottage industry for accrediting the assessor/auditors, conducting the assessments and offering related commercial services.  It's rampant commercialism.  Snouts are firmly in troughs.

Despite its five year history, I've only just come across Shared Assessments from BITS - a US financial services industry body.  The scheme claims to be aligned with ISO/IEC 27002, PCI-DSS, COBIT, NIST (presumably the SP800 and/or FIPS standards), FFIEC Guidance, the AICPA/CICA Privacy Framework, and other privacy/regulatory guidance.  It presumably hopes to integrate all these separate requirements and so eliminate duplication.  How it handles any conflicts between them is unclear (e.g. PCI DSS is quite prescriptive but narrowly scoped, whereas ISO/IEC 27002 is very open-ended and flexible).

Shared Assessments involve:
  •  The curiously-named "Agreed Upon Procedures" which is basically a 91-page information security standard, worded as a series of information security control objectives, controls and compliance assessment/audit procedures;
  • A set of compliance questionnaires, which are (mostly) worded as simple questions anticipating a yes/no answer (it's not entirely clear how "maybe" or "partially"-type answers should be recorded, which of course is the classic conundrum arising from the obvious conflict of interest between auditors/concerned stakeholders and auditees/subjects).
Going forward, it's hard to see where we're headed as a global society.  The commercial overheads and constraints imposed on trustworthy, ethical and fair organizations and individuals by all this compliance stuff are both unjustified and enormous, but at the same time selfish criminals, fraudsters and cheats are still getting away with the loot, despite the checks and balances.  One intriguing option would be to align the standards, laws, regulations and requirements more systematically, if not to combine them and cut out the duplication.  Reducing the compliance burden would I'm sure have enormous support from all those who are expected to comply, yet so far there is very limited evidence of any real impetus to do so on a trans-national basis (one notable exception being the EU privacy directives, designed to align privacy laws across Europe).  The cynic in me suspects active resistance from the global cottage compliance industry and the lawyers who are so busy making hay while the sun shines. 

Gary (Gary@isect.com)

No comments:

Post a Comment