Of all the typical corporate departments or functions or teams, which have an assurance role?
- Internal Audit - audits are all about gaining and providing assurance;
- Quality Assurance plus related functions such as Product Assurance, Quality Control, Testing and Final Inspection, Statistical Process Control and others;
- Risk Management - because assurance reduces uncertainty and hence risk;
- IT, Information Management, Information Risk and Security Management etc. - for example, ensuring the integrity of information increases assurance, and software quality assurance is a big issue;
- Information Security Management - which is of course why this is an information security awareness topic;
- Business Continuity Management - who need assurance on everything business-critical;
- Health and Safety - who need assurance on everything safety-critical;
- Production/Operations - who use QA, SPC and many other techniques to ensure the quality and reliability of production methods, processes and products;
- Sales and Marketing who seek to assure and reassure prospects and customers that the organization is a quality outfit producing reliable, high-quality products, building trust in the brands and maintaining a strong reputation;
- Procurement - who need assurance about the raw materials, goods and services offered and provided to the organization, and about the suppliers in a more general way (e.g. will they deliver orders within specification, on time, reliably? Will the relationship and transactions be worry-free?);
- Finance - who absolutely need to ensure the integrity of financial information, and who perform numerous assurance measures to achieve and guarantee that;
- Human Resources - who seek to reassure management that the organization is finding and recruiting the best candidates and making the best of its people;
- Legal/Compliance - need to be sure that the organization complies sufficiently with external obligations to avoid penalties, and that internal obligations are sufficiently fulfilled to achieve business advantage;
- Every other department, function or team that depends on information, or that delivers important information to others ... in other words, everyone;
- Management as a whole - for instance governance and oversight are both strongly assurance-related, and most metrics are designed to assure recipients that everything is on-track, going to plan, working well etc.;
- The workforce as a whole - since everyone needs to know they can depend on their jobs and livelihoods.
Looking further afield, outside the organization, assurance is also of concern to third-parties such as:
- External Audit and similar external inspection functions such as certification auditors for ISO27k, PCI;
- Customers - who need to know the products they are buying will deliver the benefits promised and anticipated;
- Suppliers - who need to know they will be paid and would like to rely on future business;
- Owners of the organization, with an obvious interest in its health and prosperity;
- Various authorities, the tax man for instance;
- Society at large - since discovering something unexpected and untoward about any organization is generally shocking.
So it turns out that assurance is a widespread issue, stretching well beyond the obvious assurance-related functions such as Audit and QA ... which makes it a surprisingly strong candidate for security awareness purposes. Although we haven't produced an assurance awareness module before, we've covered integrity, audit, oversight and other things. This time around it's an opportunity to focus-in on and explore the assurance element in more depth, while once again reinforcing the core security awareness messages on integrity, trust, risk, control etc.
The lists of corporate functions and third-parties above will make its way into the train-the-trainer guide in April's awareness module, encouraging the security awareness people to figure out who they might contact within the organization for help with their awareness efforts, and for genuine examples, incidents or business situations where assurance is crucial. The external interested parties might also be of interest: just imagine the awareness impact of an important customer representative talking honestly about the value of being able to trust in and depend upon the organization, and the negative impact of quality or other issues.