Assurance is a broad topic, stretching well beyond the obvious assurance-related functions such as Audit and Quality Assurance ... which makes it a surprisingly strong subject for security awareness purposes - our 64th topic in fact.
Although we haven't produced an assurance module as such before, we've certainly touched on it in subjects such as integrity, trust, audit and oversight. We have seized the opportunity to focus-in on and explore assurance in more depth … while at the same time reinforcing core awareness messages on the integrity, trust and control value of assurance, for business, compliance, management (including risk management) and governance reasons.
In uncertain situations or circumstances, assurance can be extremely valuable, particularly where uncertainties concern information that is important to the organization. Assurance reduces the uncertainty element of risk. It closes the gaps between
perception and reality
Assurance is a relative, not an absolute state: there are levels or degrees of assurance depending on factors such as:
- The competence and integrity of those providing assurance (e.g. whereas professional penetration testers may seem more likely to find network security issues than amateurs, amateurs may be more numerous, more motivated, more competent and more inclined to try risky forms of testing);
- The nature of the assurance measures (e.g. audits, tests, reviews and simple claims or assertions affect the amount of assurance gained);
- The record or experience (e.g. if an IT system passes all its pre-release tests but subsequently fails in service, that naturally calls into question the testing performed and the way it was managed; if a test laboratory is found to have been faking or manipulating tests, current and prior results are less credible, perhaps untrustworthy).
Assurance is relevant to business relationships, and to the organization as a whole in the sense of being perceived by others as a trustworthy organization, reliable and safe to do business with. Assurance measures such as certification of organizations by accredited certification bodies not only demonstrate their competence in various fields, but also drive up standards through the adoption of widely-acknowledged good practises.
Looking further afield, outside the organization, assurance is also of concern to third-parties such as:
- External Audit and similar external inspection functions such as certification auditors for ISO27k and PCI-DSS;
- Customers - who need to know the products they are buying will deliver the benefits promised and anticipated;
- Suppliers - who need to know they will be paid and would like to rely on future business;
- Owners of the organization, with an obvious interest in its health and prosperity;
- Various authorities, the tax man for instance and industry regulators concerned about compliance;
- Society at large - since discovering something unexpected and untoward about any organization is generally shocking.
Get in touch to purchase this module and take your security awareness and training program to a higher level of assurance.