CAMM presentation, eCrime, June 2011

Managing risks in the supply chain. Tuesday 7 June 2022. Common Assurance Maturity Model, Common-Assurance.com. Vladimir Jirasek, CAMM Steering Group, Twitter @vjirasek

Upload: vladimir-jirasek

Post on 30-Jan-2015

DESCRIPTION

CAMM presentation during eCrime congress June 2011

TRANSCRIPT

Page 1: Camm Presentation E Crime June 2011

10 April 2023 Common Assurance Maturity Model Common-Assurance.com

Managing risks in the supply chain

Vladimir Jirasek, CAMM Steering Group

Twitter @vjirasek

Page 2

People say that they are concerned that their information is not secure in The Cloud

People do not fully trust The Cloud

Page 3

Is the Cloud Secure?

• Can be as secure as any other IT system

• Depends on the model chosen

• Understand the responsibilities

• All eggs in one basket is the real question

• Implicit trust on provider

• Exit and lock-in

Page 4

Problem to be solved – trust in the supply chain

(Diagram: Your business -> Your cloud provider -> Suppliers for the cloud provider, with end-to-end assurance spanning all three.)

Page 5

CAMM MISSION

Provide an objective framework to transparently rate and benchmark the capability of a selected solution to deliver information assurance maturity across the supply chain.

Page 6

Achieving transparency & layers of CAMM

Layers: 1. Consumer, 2. CIO, 3. Architects, 4. Experts. Disclosure levels: Secret, NDA, Public.

Example scorecard from the slide (the two score columns are labelled "Self assess" and "Audited"):

Domain          Score  Score
IT Services       3      3
Continuity        5      4
Incident mgmt     4      4
Physical          4      5
HR                3      3
Governance        4      3

Averages as shown on the slide, in reading order:

A.Average 3.8, C.Average 3.3, E.Average 4.6

Self-assessment

A.Average 3.4, C.Average 3.4, E.Average 4.4

Audited on 17.03.2012

Example disclosure annotations: "Public How-To at www.wikipedia.org"; "Company-specific: How we did it".

CAMM allows different levels of confidentiality, e.g. only the auditor sees the full set of results, or there is public disclosure via a web site.

Page 7

Overall structure of CAMM components

(Diagram of components:)

• Controls framework

• Weighting framework

• Scoring model

• WorkBench app (free GRC app)

• Auditors

• Audited controls

• Maturity scores

• Final maturity scores

• Non-CAMM audit results

• Mapping to other standards (TPAC)

Please see the next slide for details about importing CAMM audit results.

Page 8

Utilize your current investment in another standard, e.g. ISO

• The Statement Of Applicability (SOA) of the source standard is used as a baseline for translation

• CAMM guidance documents will help auditors with "yellow" area interpretations

(Diagram: translate the source standard, e.g. the ISO 2700x SOA, into the target standard, CAMM. Controls fall into three groups: 1=1 applicable, no need of interpretation; auditor interpretation of applicability; not implemented, to be CAMM audited.)

Page 9

Stakeholders

1. Consumers – Can form trust relationships based on understandable facts

2. Companies – Can form trustworthy supply chains to provide real trustworthiness to consumers & other customers

3. Governments – Can have more confidence in corporate governance to remove barriers from global single e-markets

4. Service Providers & Consultancies – Can build competences to achieve the target

5. Industry Associations – Can excel in defining harmonized model implementations

(Diagram: CAMM Committee, Government, Consumer)

Page 10

Progress

It is anticipated that the initial set of COMMON controls and associated guidance will be completed by Q4 2011. The following details the key milestones:

• Engagement: Major client, standards and service provider organisations engaged; development of the framework and an appropriate weighting mechanism underway

• Development of the framework: Control framework created and reviewed; scoring model created

• Development of the guidance: Guidance material to be completed by end of October 2011

• Pilot: Pilot with a major organisation planned for summer 2011

• Development of free GRC tool: Major GRC vendor engaged to add a CAMM module

Dougie Rowlinson
It is anticipated that the initial set of COMMON controls and associated guidance will be completed by Q2 2010.