Analysis: Business assurance scheme aims to minimise outsourcing risk
Idea is to provide a kind of due diligence one-stop shop
Outsourcing and the associated management of third-party suppliers have become an increasingly big part of the average IT manager's job.
Oxford Economics Research recently estimated that the outsourcing sector is worth eight per cent of the UK's GDP, with IT and related services valued at £36bn per year.
One of the big challenges faced by anyone managing third-party suppliers is quantifying the risk the contract poses to the company.
Where the third party manages or processes data, it is important to assess their security and ask questions about the type of security controls they have in place and the type of standards they adhere to. In short, how can you assure yourself that these third parties don't represent an unnecessary risk?
But this could end up being an arduous process. Raj Samani, chief technology officer Europe for security firm McAfee, and founder of the Common Assurance Maturity Model (CAMM), gives the example of a company that needs to manage 1,000 third parties.
"Let's say it takes me five days to assess a third party. That's 5,000 days if I want to assess them all. That's 25 years' worth of work!"
Samani also sees the problems faced by suppliers, who are bombarded with questions from potential customers around their security procedures.
"The third parties have hundreds of customers asking them questions about their security practices," he says.
In an effort to facilitate this assessment, CAMM has partnered with several other industry bodies including the Information Security Forum, Cloud Security Alliance and the Payment Card Industry board of advisers. They produced a white paper in July this year that sets out a new system aiming to help companies understand and assess the levels of risk their third parties expose them to.
The paper, Business Assurance for the 21st century, states: "There exists a business need to develop a mechanism that allows suppliers to respond once, and share with many. Such a development will provide significant efficiencies for the supplier, in that a single (or a small number of) assessments can be used by multiple customers.
"Equally, this would enable customers to quickly assess the large number of third parties in their supply chain without individually assessing each third party provider."
It proposes a global repository of information on suppliers. So if a business wanted to find a cloud provider in Germany that adheres to the PCI security framework, it would have only to consult this repository. A business wishing to assess its 1,000 third parties could use this repository to find details on the security arrangements at each of them.
"You're introducing transparency into the supply chain," comments Samani. "You're saying to your third parties, this is the level of security that I expect from you. Now when you get tenders for business coming through, you're assured that they're meeting your risk appetite."
Samani adds that this is being run by the industry for the industry, and is open to any organisation that wants to get involved. However, the Cloud Industry Forum (CIF), an industry body designed to provide clarity between customers and suppliers of cloud services, has voiced some concerns over what it sees as unclear boundaries around the aims of the business assurance proposals.
Andy Burton, chairman of the CIF, told Computing that he sees a problem with the proposals when they appear to expand their aim to helping companies choose suppliers from a commercial viewpoint, rather than simply sticking to business assurance.
"We need to be clear about the boundaries," says Burton. "To jump from data assurance to commercial selection is too broad a step without looking at other aspects that generate trust, for example data sovereignty, the financial standing of the organisation, or its capacity to deliver service levels, none of which has anything to do with data assurance."
Responding to Burton's concern, Samani says:
"Business assurance should be critical to commercial selection but obviously not the sole component. What this repository is saying is that this can be used as a core (but not sole) component of commercial selection."
Burton also says that although the intentions of the paper are welcome, he has some doubts over its ambition, and how such a scheme could be implemented. He draws a parallel with the Public Key Infrastructure (PKI) project around the turn of the last millennium.
Despite its initial hype, the project suffered technical and operational problems, and never saw the implementation originally planned.
"With PKI, the government was trying to create unique credentials for everyone in the world in a generic format. We saw lots of investment but it's not easy to implement. This business assurance idea could suffer from similar complications."
Despite this, Burton has now approached the organisations behind the white paper to offer CIF's help. Samani told Computing that he would welcome its input.
The next phase of the project is to produce another white paper before beginning actual implementation.
"We'll produce a more detailed white paper with answers to questions over liability and governance, and then get the plan going," states Samani.