1 of 1 Items
1 of 1 Items
Assurance Is The Logical Output of GRC Practices
The National Institute of Standards and Technology (NIST) defines assurance as, "grounds for justified confidence that a [security or privacy] claim has been or will be achieved." Assurance is a measure of confidence.
Assurance Is Something You Can Prove
Assurance is the output of security, compliance and resilience practices. There are several levels of assurance:
- No Assurance is where there are no reasonable grounds to conclude controls are applicable, properly scoped, implemented correctly and/or operating as intended. No assurance is at best an assumption.
- Low Assurance is where there is reasonable confidence that applicable controls are properly scoped, implemented and free of obvious errors.
- Moderate Assurance is where there are increased grounds for confidence that applicable controls are implemented correctly and operating as intended.
- High Assurance is where there is overwhelming evidence of due diligence and due care that applicable controls are implemented correctly and operating as intended.
The more robust the rigor of an assessment, the more reasonable it is to demonstrate higher assurance. Low rigor is low assurance at best, unless scoping or evidence has been gamed and then it is No Assurance. Therefore, the concept of obtaining a "SOC 2 audit in 2 weeks for $5,000 " that is presented as something to be trusted is simply marketing dishonesty and is intellectually reprehensible. In their race to the bottom, the audit/certification mills promoting this nonsense do not sell trust or security. In reality, they just tarnish the concept of third-party audits/assessments and should be ashamed of passing off a minimally-scoped and low rigor assessment as a genuine assurance process that is worthy of trust.
If that sounds harsh, let's look at an authoritative source for guidance on the meaning of these key terms. The NIST Glossary is a great place to start:
- TRUST is defined as "A belief that an entity meets certain expectations and therefore, can be relied upon."
- SECURITY is defined as "A condition that results from the establishment and maintenance of protective measures that enable an organization to perform its mission or critical functions despite risks posed by threats to its use of systems. Protective measures may involve a combination of deterrence, avoidance, prevention, detection, recovery, and correction that should form part of the organization’s risk management approach."
- ASSURANCE is defined as "Grounds for justified confidence that a [security or privacy] claim has been or will be achieved."
The idea of trust as being something that can be relied upon is crucial. Stakeholders being presented with a SOC 2 audit report that is the result of gaming the scope of applicable controls or the evidence relied upon to demonstrate conformity with those controls is not trust. That SOC 2 audit report provides essentially no value and is the antithesis of trust since it does not accurately belay the actual security practices that exist within the organization. At best, it is security theater and at worst it is fraud.
We want GRC processes to be awesome and that means organizations need to implement security, compliance and resilience practices that can provide assurance to both internal and external stakeholders. That is how you build trust. Weakly scoped certifications that mean nothing are just a parasite feeding on the cybersecurity industry.
Why Is Assurance A Term GRC Professionals Should Be Familiar With?
Fundamentally, assurance establishes a reasonable level of confidence that a stakeholder can trust security, compliance and/or resilience objectives will be achieved. This takes into consideration the risks associated with non-conformity (e.g., non-compliance) and the anticipated costs necessary to demonstrate conformity with the specified controls.
Assurance is more than just the control set, but the level of rigor that controls are evaluated. Either through internal resources or third-parties, the level of rigor performed in assessing an organization's controls impacts assurance, since defects in those controls affect the underlying confidence in the ability of those controls to operate as intended to produce the stated results.
Assurance Is More Than Compliance
When done right, assurance should address three key areas of stakeholder concern:
- Security - Are the appropriate controls in place to protect the system/initiative/organization from reasonable risks and threats?
- Compliance - Do we have reasonable evidence of due diligence and due care to demonstrate compliance with applicable laws, regulations and contractual obligations?
- Resilience - Are we capable of withstanding and recovering from reasonable cybersecurity incidents?
Are Certifications A Form of Assurance?
Yes. When organizations go through some form of certification process, it undergoes a conformity assessment (e.g., ISO 27001, CMMC, SCF CAP, SOC 2, PCI DSS, RMF, etc.). Conformity assessments are designed to assure that a particular product, service, or system meets a given level of quality or safety. Instead of a 100% pass criteria, conformity assessments rely on the concept of assurance to establish a risk-based threshold to determine if the intent of the objective(s) has been achieved.
The degree of assurance a stakeholder gains from a third-party cybersecurity certification is limited by:
- The scope of the assessed controls; and
- The level of rigor used to perform the assessment.
This means some audits/certifications are not worth the paper they are written on, while others can provide a reasonable degree of assurance.