Assurance is a valuable, generally-applicable form of information security control. Assurance measures increase confidence in things, generating trust by checking, reviewing, testing, auditing and generally poking into situations. Although this is an unusual topic, assurance is a widespread issue, stretching well beyond the obvious assurance-related functions such as Audit and QA ... which makes it a surprisingly strong candidate for security awareness and training purposes.
Assurance is about knowing – being sure or certain of something – not just the confident state of mind but the activities that achieve it … or fail to do so.
In uncertain situations or circumstances, assurance can be an extremely valuable quality, particularly where uncertainties concern information that is important to the organization. Assurance reduces the uncertainty element of risk.
Assurance is a relative, not an absolute state: there are levels or degrees of assurance depending on factors such as:
- The competence and integrity of those providing assurance (e.g. professional penetration testers may seem more likely to find network security issues than amateurs, but amateurs may be more numerous, more motivated, sometimes more competent, and more inclined to try risky forms of testing that a professional under contract would avoid);
- The nature of the assurance measures (e.g. independent audits, tests and reviews generally provide more assurance than self-assertions, which rest entirely on the honesty and competence of the party making them);
- The record or experience (e.g. if an IT system passes all its pre-release tests but subsequently fails in service, that naturally calls into question the testing performed and the way it was managed; if a test laboratory is found to have been faking or manipulating tests, current and prior results are less credible, perhaps untrustworthy).
Assurance is relevant to business relationships, and to the organization as a whole in the sense of being perceived by others (including customers, suppliers, owners, authorities and employees) as a trustworthy and reliable organization, good to do business with. Assurance measures such as certification of organizations by accredited certification bodies not only demonstrate their competence in various fields, but also drive up standards through the adoption of widely-acknowledged good practices.
Looking further afield, outside the organization, assurance is also of concern to third parties such as:
- External Audit and similar external inspection functions, such as certification auditors for ISO27k (ISO/IEC 27001) and PCI DSS;
- Customers - who need to know the products they are buying will deliver the benefits promised and anticipated;
- Suppliers - who need to know they will be paid and would like to rely on future business;
- Owners of the organization, with an obvious interest in its health and prosperity;
- Various authorities, for instance the tax authorities and industry regulators concerned about compliance;
- Society at large - since discovering something unexpected and untoward about any organization is generally shocking.
The awareness and training materials on this topic are intended to:
- Introduce assurance concepts and practices in the context of information risk and security;
- Explain the value of assurance, particularly to the organization but also to individuals;
- Encourage workers to behave in ways that support or enable greater assurance, while avoiding activities that prevent or reduce assurance;
- Draw out related concepts such as integrity, dependability and trust.
The awareness and training materials cover a wide variety of assurance measures.