Securing third parties? Yes we CAMM!

This diagram shows how the CAMM framework will operate
Raj Samani, McAfee
Adrian Davis, ISF

First things first, I say to Samani and Davis: What is CAMM? “It’s the true business barometer for organisations in the 21st Century”, says Samani, after a moment of thought. “It gives you assurance around your third parties, and allows you to measure their information security maturity in a scalable manner. It also gives you assurance against your service provisioning, whether that’s internally or external, in a cloud, or a true outsourced approach.”

This is where Davis and the ISF come in. “The ISF third-party security management work is going to lay out the baseline – the mandatory and additional controls and processes for managing third parties in a secure manner. We’re providing the nuts and bolts through our third-party standard, and CAMM provides you with the way of looking at the maturity of the nuts and bolts, how well the third parties do things, and how they could improve”, Davis explains.

So the two really fit tightly together, which Davis says is the intention. “Rather than try and do an overarching, all-in-one piece, by doing it as two separate bits, it allows you to introduce some of these concepts into the market much more cleanly, and also allows organisations to take one bite, and when they realise they need to take the bigger bite, they can take the whole menu.”

In what will not be the last analogy to come out of the meeting, Samani describes the ISF as “providing you with the bricks and mortar”, and CAMM as “the surveyors at the end of the day”.

Tell me more

So, how did this all come about? In 2009, ISF members requested a project to create a third-party security management standard, in light of their work on outsourcing and third-party security. “We wanted a document that could go up to ISO”, Davis remembers. “We announced this to our members, which Samani got wind of”. In December 2009, Davis and Samani started to build their collaboration.

But this was a case of chicken and egg, as Samani’s thoughts around CAMM began well before 2009. “It was an idea I had based on real-life practice. There’s an issue, a gap [around third-party assurance]. I started to engage with Dougie Rowlinson of the IAMM – the information assurance maturity model. He, too, had been thinking about it, as had Kerry Davies from KPMG. My seed of an idea was validated with the rest of the industry, who said, ‘yeah, that’s a great idea – let’s get the ball rolling’”.

Get the ball rolling they did. They spent nine months speaking to the industry to express the vision and get support and ‘buy-in’ from people. “The snowball effect is becoming bigger and bigger”, says Samani, who verifies that the press launch occurred in March 2010.

The framework

Digging a little deeper into the actual skeleton of the initiative, I finally get the guys to use a word that I think defines their vision: Framework. “Yes, it is a framework, and it will help in a number of ways”, Samani confirms.

The framework will give third-party services the opportunity to be measured and assessed, “from a security and business viewpoint”, says Davis. “They can demonstrate that they are a good service provider, working in a transparent manner. They can look regulators and customers in the eye and say, ‘we follow this. It’s in black and white and you can be assured that I do what I say’. They can demonstrate that they meet a range of requirements through independent assessments and audits. Suddenly you answer a lot of questions, and you’ve got that magic word in the relationship – trust.”

“Both CAMM and the ISF third-party standard are built around processes, they fit into the business and show that security is moving away from boxes that go ping, into proper business processes”, Davis continues. “It will help you deal with your privacy regulator, and it will help you deal with your industry regulator, because you can show you’re putting security at the heart of what you do, and you’re measuring it. That’s good for the regulators, that’s good for your board, and that’s good for information security as a profession”.

Therefore, Davis can see absolutely no reason why service providers would not want to adopt CAMM and the ISF third-party security management standard.

You get what you pay for

What is significant about this framework is that it is open to both self-assessment and third-party audit. “Firstly, the organisation can ask exactly how much security they actually need for their data. If the data is not that important, they might choose a third-party that uses self-certification, and that’s OK because the third party has been transparent about its offerings. If the data is highly sensitive, they’ll go with a service provider who gets an external provider to audit their data centre, so they’ll have a higher level of assurance”, Samani says.

With CAMM, organisations will be able to assess themselves – or be audited – against a common scale of one to five and set of core modules. “There will be the six core modules consisting of HR, governance, IT services, physical security, incident management and business continuity”, explains Samani. “For example, you’ll be rated as a one, two, three, four, five, etc, in each of the core modules. Everybody will have a rating in the core modules, and you can then just select additional modules that apply to you. So, for example, if you need the PCI module, you can say to your provider, ‘I need you to be a level three, plus you need the PCI module’. Or you can say, ‘Actually I don’t need the PCI module, but I need a HIPAA module, or a SOX’. The key here is to make that modular approach available to all.”

The long-term aim is that people can create their own modules, and really empower the sense of community within the industry.

“There’ll be tangible levels, and there’ll be a clear split between self-certification and independent audit”, explains Samani.

The responsibility of providing the assurance is thus taken away from the end customer and passed on to the supplier. “You [the end customer] can simply say, ‘If you want to come and talk to us about a particular area, you have to be a level four, which requires third-party auditing’, for example. It sets a transparent bar”.

The framework allows third-party services to publish their scores and be transparent about their security and offerings. As Samani describes, “It finally allows a customer to compare apples for apples”. Or in other words, “they can add information security risk management into the decision-making process when considering service provisioning”.

The gap

Earlier in the meeting, Samani described the CAMM idea as answering a current ‘issue gap’. So what, exactly, is this gap? Outsourcing, he says, and the lack of transparency over where data is stored, who is accessing what, and how it is looked after.

“We need to satisfy the assurance requirements of businesses in the 21st century. You’ve got to make sure you cover all the bases, because if you make one mistake, you introduce one bad business partner to your business – that could be the death knell of your business. So you need to do it quickly, but you need to still do your due diligence.”

“It only takes one bad business partner in your network to lose your customers’ details”, says Davis, “And guess who gets the blame? You do”. The old adage ‘you can outsource the activity, but not the risk’ comes into the conversation, with both Davis and Samani claiming it as their own motto!

“Everyone has outsourcers, and everyone has the same problem. It’s not going to go away; in fact, it’s going to get much, much worse. Over in India, the Indians are really worried about outsourcing. Indian companies are finding that using Indian service providers is now too expensive, so they’re outsourcing to China. Everyone is searching for solutions, and there is nothing out there currently that meets what people need. There are huge assurance gaps”, says Davis. Organisations don’t know what to do, how to check up on what they’ve outsourced, and don’t know who to trust, he continues.

Third parties that require access to your business – suppliers, vendors, etc – represent a risk, says Samani. “How do you know they have the appropriate governance in place not to represent a risk to you? Security is only as strong as the weakest link, and if someone has access to your network, they can get in through the back door”.

The current methodology for assessing third-party services “isn’t scalable”, says Samani. “Large enterprises have thousands and thousands of third parties connecting, and sending around a team to review them all isn’t possible.”

Davis cites a real-world example of a major financial provider who has 120 000 third-party suppliers. “Their key questions are who they need to audit, who they need to check up on. An outsourced supplier over in Europe spent 16 000 hours answering the same audit questions from their clients. Who pays for that?” he asks. Yes, the client, because their rates go up. “If the provider can show they work to one standard, everyone benefits, not least because the same questions have been answered”.

The lack of transparency in the cloud, as cited by Jay Heiser in the beginning of his Gartner paper, is the biggest barrier to cloud services. “Well, both initiatives add transparency into the cloud, and to your third parties in a scalable, and repeatable manner”.

Friends of CAMM

Since the early days when ISF joined forces with CAMM, the movement has attracted more and more ‘ambassadors’ as it gains momentum. While Samani modestly admits that he has been managing the effort, he does insist that he is “relinquishing control on a minute-by-minute basis. I’m doing the typical manager thing of delegating responsibility, and everybody is working hard and delivering.”

How big the project has become has taken both Davis and Samani by surprise. “It was feasible three to six months ago for me to do this in my ‘spare time’, but it’s not now, because it has become too big”, Samani admits.

“There is so much interest in this”, exclaims Davis. “People are coming on board because there is the understanding and realisation that the two bits fit together, and that they give you that hope, that assurance model, which has never happened before”. The unification of the industry is not just happening in the UK though, it’s “absolutely global”.

“One of the great things that this whole work shows is how many people and organisations are willing to volunteer and help”, says Davis. “We’re just absolutely staggered with how both initiatives have been embraced by the community”, Samani adds. “You can say the idea started with me, but in all honesty, what we have and the output that we have is really based on the hard work of every single person involved”.

So, who exactly is on board? While Samani and Davis are careful about who they can and can’t reveal, even their edited list is impressive. “The biggest cloud providers are on board, as are security associations such as ISACA, ENISA, consultancies, major telecommunications manufacturers, and governments from around the world. Gerry O’Neill is leading the review committee and is doing an incredible job for CAMM, as is Des Ward and his team building the framework. To be fair, everyone is doing an incredible job.”

The movement is a true open-source volunteer movement, with no ‘entry requirements’ for those that want to get involved. “We’ve got a student based out of the University of Auckland doing stuff, and we’ve got major CISOs from big global companies. Everybody’s got something to give and to contribute.”

Within CAMM, there are three levels of participation: the contributors (comprising the steering committee, and the two workstreams – one for guidance, one for the framework); the reviewers (who review the material); and the consulted group (who get the monthly updates and effectively are ‘friends of CAMM’).

CAMM wasn’t built in a day

The first module – the core module – of CAMM is currently in review, which Samani hopes will be ready this month (September). “The cloud providers and end customers will take it for a pilot and we’re hoping to have a workshop in London to analyse the output. Both CAMM and ISF hold ISO liaison status, and are due to present in Berlin at the ISO SC27 meeting in October. We are hoping to do some tweaks and have it published Q4 this year. Then, there’s the third-party assurance centre – like a clearing house – where you can upload your scores, and people can log in and have a look. You can look for a level-five provider, for example, and it will list all of the companies that are appropriate. It’s like Amazon for security”. This ‘Amazon for Security’ is expected to see some sort of movement in 2011.

“For the ISF’s third-party security management work, we’re already working towards the next SC27 committee meeting in Berlin”, reveals Davis. “It is the ISF’s intention to submit it to ISO in Berlin in October, not to keep this work in the ISF membership. This is a really big deal here, because we’re going to share the ISF’s intellectual property globally, not just within the membership. We’re ploughing a new furrow here – but building on our highly successful liaison status with ISO and our work on the 27001 update.”

The ISF work will be submitted to ISO at the same time as CAMM. “We will then formally launch the third-party standard to ISF members at our annual world congress in Monaco in early November. It makes a lot of sense to put both of these in to ISO together. One of the reasons for my CAMM work”, explains Davis, “is that I’m making sure that CAMM and the ISF work fit together”.

The new framework, adds Samani “leverages existing investments. It’s built from existing standards – the usual suspects, including ISO, COBIT, CSA and the ISF Standard of Good Practice. It’s all the things people have used and are comfortable with”.

Big hopes

Businesses, says Davis, will use the framework’s transparency as a marketing tool. “Organisations can say ‘we will look after your data because we do all of these things, and these guys don’t’”. This isn’t a new business idea, he says, arguing that banks are already using the security of their internet banking as a sales offering and differentiator.

Both Davis and Samani are fairly confident that the frameworks will be popular, with Davis drawing on an ISF poll. “Ninety percent [of ISF members] have said they are likely to take up the third-party security management standard, which gives you an indication of the interest. Many of them are also involved with CAMM”.

Despite all of the positive feedback, however, CAMM has received a small amount of criticism. “Not about the principle, or the vision and idea, but about whether we can actually do it. There is scepticism about whether it will take off and work – that it is just another initiative, another committee that won’t deliver anything. Security professionals are paranoid”, jokes Samani.

One of the reasons why CAMM and the ISF agreed to submit a standard to ISO, “is because it’s a clear aim that you can’t back out of”, says Davis. “This isn’t a pet project or a toy that we won’t share – it’s for everyone”.

The collaboration, concludes Davis, is particularly exciting “because you can see how we are building something pretty good for the industry, and for security and business in general”.

Samani acknowledges that the speed at which the framework is developing, and the size of the movement, can be daunting. “We’ve taken on a lot, you know? I sometimes sit there and think – what have we done?”

For further updates on the third party security management work and CAMM, check out the CAMM blog on our website and the CAMM website. Visit the ISF website for updates on its third party security management work.

 
