Topics about Security Assurance
Read more about Assurance at ISACA.
“The lowest level of assurance is realized by performing self-assessments. The second level of assurance is realized by third-party statements and the third level of assurance is realized by continuous auditing.
There are several measures that can be used to assess a suppliers’ environment:
Certification of global standards and frameworks such as ISO 27001, Uptime TIER, TIA-942, and the Payment Card Industry Data Security Standard (PCI DSS)
Self-assessment questionnaires for the supplier, based on standards and frameworks such as ISO 27001, Trust Service Principles and CSA
Type II third-party reports that test the operation of measures periodically using robust standards or frameworks such as ISAE 3402/SSAE16 and SOC reports
Continuous monitoring of measures where there is continuous insight into the functioning of an organization’s control environment and security measures”
There are a few steps to assurance:
Understand the legislative framework in which the business exists (eg does the Mandatory Data Breach legislation apply to you, are you a financial organisation and need to follow APRA regulations).
Understand the risk appetite of your business (this will probably evolve over the course of doing the assurance process).
Conduct a risk assessment (either formally or just as you are going through the assurance process).
Understand or create a cybersecurity strategy - it could be as simple as “we need to be better at cybersecurity” or a full document that states goals, objectives, steps, and priorities).
Understand the controls required - you may need some help with this. Like what exactly is Application Control?
Understand the scope of the controls within the business - eg is it just the Administrative side of the business to tackle first, or is there Manufacturing, or other areas of the business that needs to be addressed later.
Implement the controls as outlined in the Assurance level you are wanting to achieve.
Document the controls put in place.
Monitor, measure, and audit the controls regularly.
Rinse and Repeat.
0 Comments