April’s security awareness topic: assurance
Outline and scope
The word ‘assurance’ may not be heard every day but assurance activities are commonplace. This is a broad topic, stretching well beyond the obvious assurance-related activities and functions such as Audit and Quality Assurance ... which makes it a surprisingly strong subject for security awareness purposes.
Although we haven't produced an assurance module as such before, we've covered integrity, trust, audit, oversight and other related matters. This month we are seizing the opportunity to focus in on and explore assurance in more depth … while at the same time reinforcing core awareness messages on the integrity, trust and control value of assurance for business, compliance, management (including risk management) and governance reasons.
In uncertain situations or circumstances, assurance can be extremely valuable, particularly where uncertainties concern information that is important to the organization. Assurance reduces the uncertainty element of risk.
Assurance closes the gaps between perception and reality
Assurance is a relative, not an absolute state: there are levels or degrees of assurance depending on factors such as:
The competence and integrity of those providing assurance (e.g. whereas professional penetration testers may seem more likely to find network security issues than amateurs, amateurs may be more numerous, more motivated, more competent and more inclined to try risky forms of testing);
The nature of the assurance measures (e.g. audits, tests, reviews and simple claims or assertions affect the amount of assurance provided);
The record or experience (e.g. if an IT system passes all its pre-release tests but subsequently fails in service, that naturally calls into question the testing performed and the way it was managed; if a test laboratory is found to have been faking or manipulating tests or testing incompetently, current and prior results are less credible, perhaps untrustworthy).
Assurance is relevant to business relationships, and to the organization as a whole in the sense of being perceived by others as a trustworthy organization, reliable and safe to do business with. Assurance measures such as certification of organizations by accredited certification bodies not only demonstrate their competence in various fields, but also drive up standards through the adoption of good practices.
Looking further afield, outside the organization, assurance is also of concern to third parties such as:
External Audit and similar external inspection functions, such as certification auditors for ISO27k;
Customers - who need to know the products they are buying will deliver the benefits promised and anticipated;
Suppliers - who need to know they will be paid and would like to rely on future business;
Owners of the organization, with an obvious interest in its health and prosperity;
Various authorities, the tax man for instance and industry regulators concerned about compliance;
Society at large - since discovering something unexpected and untoward about any organization is generally shocking.
The learning objectives for this awareness module are to:
Introduce assurance concepts and practices in the context of information risk and security;
Explain the value of assurance, particularly to the organization but also to individuals;
Discuss various methods of assurance, explaining their pros and cons;
Encourage workers to behave in ways that support or enable greater assurance, while avoiding activities that prevent or reduce assurance;
Draw out related concepts such as integrity, dependability and trust.
Think about your learning objectives for this topic. Are there particular functions, teams or people who spring to mind? Are there specific business situations where assurance is vital? Look for genuine examples that you can inject into the awareness materials and bring up in your awareness activities. Collaborate with relevant colleagues if they can help formulate, deliver and reinforce the awareness messages.
The new module is full to the brim with fresh creative content: annotated PowerPoint slide decks, briefing papers, leaflets, posters, diagrams, mind maps, tests and more. Assurance is highly relevant to all three audience groups (staff, managers and professionals), hence there is plenty to talk about and lots of interesting angles to catch their eyes, ears, imaginations and attention.
Get the new module
Subscribe to the NoticeBored service to receive the new module, plus further batches of fresh awareness goodies every month. We offer a wealth of creative materials on a market-leading range of topics making it easy and economic for you to run a world-class security awareness and training program.
Email us to set the ball rolling. Find out exactly what is provided in the latest pack, and speak to us about getting your security awareness and training program quickly up to speed, for a lot less than you might think. We’re a small company with a big reputation for quality and innovation. You can be assured of that.