The Need for Continuous Assurance and Compliance Automation
Published 10/15/2024
A lot is said about “trust” in our industry, but trust is really a means to an end. For an organization, that “end” is the accomplishment of its mission. To achieve its mission, an organization must have healthy interactions with internal and external actors. Therefore, in this context, trust means establishing trustworthiness and building confidence that any transaction/relationship is safe and worth having.
Trustworthiness and confidence evoke assurance, which is a measure of how much we can trust someone or something. You perceive a certain amount of assurance that a claim that has been made will unfold as stated.
Trust, Assurance, Governance, and Risk
If assurance is a proxy for trust, then the question becomes how do we define and measure assurance? How do we define, quantify, and qualify the probability that an event will go as stated?
This is where governance and risk management come into play. By setting the principles, policies, procedures, and controls, governance and risk management ensure that an organization is set to:
- Achieve its mission goals
- Keep risk within the organization's appetite
- Remain compliant with laws, regulations, standards, and policies in an uncertain and changing environment
An organization's governance and risk management framework is meant to be the system used to design, implement, enforce, and monitor policies and controls. It's also meant to collect, label, analyze, evaluate, and act upon data, ensuring that the right direction is set and maintained over time in a changing environment.
So, back to the question: How do we define assurance? And how do we measure it? Assurance is a component and a vehicle for trust. The more assurance someone or something can offer, the more trustworthy they can be. Cyber assurance should be data-driven, evidence-based, and follow Zero Trust principles. Cyber assurance is the result of evaluating, measuring, and communicating/reporting how well an organization identifies, designs, builds, implements, monitors, changes, and improves governance, as well as manages the risks associated with its operations.
Measuring Cyber Assurance
Measuring cyber assurance means qualifying/quantifying how well the appropriate governance actions perform in a given context. As mentioned above, the main tools/actions of governance are policies and controls. Policies are the rules that lead the organization's operation. Controls are the measures put in place to ensure that the environment behaves as expected in interactions with the internal and external world.
If we bring this back to trust, we use “cyber assurance” to indicate the level of trustworthiness of an entity (organization, service, etc.), and we use the “policies and controls performance” to measure its level.
Controls Performance
Control performance indicates how a control performs in the context in which it applies and operates. Individual control performance should be aggregated into domains and subsystems to indicate the performance of the system of controls as a whole. A system of controls is the result of the implementation of a governance and risk management strategy.
The parameters that determine what counts as a "good control" and "good performance" depend on the user and their risk profile. These parameters are guided by standards, best practices, benchmarks, and legal and regulatory requirements.
No matter what the parameters for goodness are, control performance needs to be monitored to ensure that:
- What is monitored is relevant (scope)
- The data generated during the logging and monitoring is reliable, accurate, complete, and confidential
- The performances are within the target parameters (typically expressed as policies, metrics, and benchmarks)
Which Controls Do I Need?
The system of controls that each organization must put in place to generate good/sufficient assurance varies, depending on many factors. These factors may include business needs, risk profile, the market of reference, target audience, legal and regulatory requirements, etc.
Regulations, standards, and best practices are primary sources for controls; they provide a consolidated and standardized definition of a specific control. For instance, the CSA Cloud Controls Matrix is a standardized control framework for cloud security.
In general, someone could argue that the more controls you apply, and/or the more stringent the controls within the spectrum of applicability, the more your organization/service/transaction/interaction provides (or claims) assurance and is (potentially) trustworthy. In other words, the higher the control coverage (the number of controls that someone applies), the higher the level of assurance offered (claimed).
For instance, a cloud service can use CCM v4 Lite, CCM v4, or CCM v4 plus sector-specific addenda as a foundation for its control system. CCM v4 plus addenda includes the highest number of controls and the highest coverage in terms of requirements. Therefore, CCM v4 plus addenda provides a higher level of claimed assurance.
How to Evaluate the Controls: Control Monitoring and Auditing
To determine that the controls are obtaining the desired effect, we need to collect, monitor, analyze, evaluate, test, and audit evidence data. This is typically done via monitoring, evaluation, and auditing functions.
Control monitoring ensures that someone or something has visibility over interactions, transactions, and controls that the organization has decided to deploy as a result of its governance and risk management strategy.
Control auditing ensures that the data/information collected during monitoring is relevant, reliable, timely, complete, and accurate, and that the performance is within the expected targets.
Ideally, control monitoring and auditing should be continuous, where measurements occur at a regular frequency that's appropriate to the context of the control to which they apply.
The goal of control monitoring and auditing is to oversee, evaluate, and report on the effectiveness of internal controls. The goal is also to provide assurance of their reliability and compliance with established standards, frameworks, or applicable laws and regulations.
The higher the sophistication, frequency, rigor, accuracy, and completeness of monitoring and auditing, the higher the level of assurance offered. Self-assessments/attestations, third-party audits, and continuous auditing are examples of the different levels of sophistication, frequency, rigor, accuracy, and completeness of controls evaluation.
Compliance and its Relationship with Assurance
The concept of compliance is directly related to the concept of assurance. Compliance is the adherence to requirements stemming from internal policies, applicable laws and regulations, sector-specific codes of conduct, standards, and best practices.
Complying with applicable requirements allows organizations to:
- Satisfy internal policies and codes of ethics
- Safely operate in the market
- Gain a competitive advantage
If an organization does not comply with applicable laws and regulations, it may be subject to:
- Fines
- Penalties
- Loss of reputation
- Loss of operation in certain markets (see the new EU AI Act and many others)
We use controls to ensure that the governance policies are correctly implemented and that the environmental rules (laws, regulations, code of practices, standards) are satisfied.
Assurance and Compliance Challenges
The current regulatory landscape is expanding exponentially, with an ever-growing number of frameworks that are increasingly regionalized, privacy focused, and vertically focused (encompassing financial services, healthcare, public sector, etc.). This growing set of regulatory demands creates a considerable burden on regulated entities.
Compliance frameworks and the supporting audit and assessment activities that regulators and third-party auditors engage in are largely manual, prone to human judgment errors, and difficult to automate due to a lack of standardization. According to recent research, regulatory costs account for, on average, 1.34% of a firm's total wage bill.
With this proliferation of laws and regulations, it becomes increasingly difficult for organizations to:
- Translate principles-based laws and requirements into defined controls that satisfy compliance requirements
- Normalize the plethora of requirements and define a governance and risk framework that is scalable, agile, and manageable
- Maintain compliance and assurance over complex supply chains with several parties involved
- Establish what is good evidence to support the assurance and compliance claims
- Maintain the cost of assurance and compliance within acceptable levels
- Keep the risk of non-compliance or loss of trust at an acceptable level
- Offer a level of assurance that is adequate to the criticality of the service that is offered/requested
Addressing the Challenges with Continuous Assurance and Compliance Automation
There is a need for open standards and tooling that can enable the automation of compliance activities so that regulated entities can comply with global regulations efficiently and accurately, while also scaling their efforts. Additionally, there is a need for standards and tooling that can enable a more mature approach to assurance based on the idea that the level of assurance offered needs to be proportional to the criticality of the service provided. This has to be aligned with the customers' risk appetite.
The necessary ingredients to modernize the industry’s approach to assurance are:
- Common Control Languages: A catalog of controls expressed in common and standardized language that can satisfy internal and external requirements
- Mapping Across Frameworks: A system to map and understand the relationships between controls from different frameworks and how they satisfy requirements
- Machine-Readable Controls: Controls expressed in machine-readable language to enable automation
- Metrics: Control design, implementation effectiveness, and efficiency measured with standardized metrics and described using a standardized approach
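The following is an added example, not code from the original post or from CSA, that shows what these ingredients look like once they are machine-readable: a small common control catalog whose entries record which requirements of which external framework they satisfy (the cross-framework mapping), a stream of monitoring measurements per control, and metrics that aggregate individual control performance into domains (as described under "Controls Performance" above) and into per-requirement compliance status. All control IDs (CTL-001 ...), framework names (REG-X, STD-Y), requirement IDs, and evidence-age limits are constructed placeholders, not real CCM, NIST or OSCAL content. It also separates claimed coverage (a control is mapped) from demonstrated coverage (fresh evidence shows it passing), and treats stale evidence as unknown rather than as a pass.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# --- Constructed sample data (placeholder IDs; not real CCM, NIST or OSCAL content) ---

# Common control catalog: each control belongs to a domain and lists which
# requirements of which external framework it satisfies (cross-framework mapping).
CATALOG = {
    "CTL-001": {"domain": "Identity", "satisfies": {"REG-X": ["RX-1"], "STD-Y": ["SY-10"]}},
    "CTL-002": {"domain": "Identity", "satisfies": {"REG-X": ["RX-2"]}},
    "CTL-003": {"domain": "Logging",  "satisfies": {"REG-X": ["RX-3"], "STD-Y": ["SY-20", "SY-21"]}},
    "CTL-004": {"domain": "Logging",  "satisfies": {"STD-Y": ["SY-22"]}},
}

# Requirements each external framework imposes (constructed).
FRAMEWORKS = {
    "REG-X": ["RX-1", "RX-2", "RX-3", "RX-4"],
    "STD-Y": ["SY-10", "SY-20", "SY-21", "SY-22"],
}

# Measurement frequency appropriate to each control: evidence older than this
# many hours is considered stale (hypothetical values).
MAX_EVIDENCE_AGE_HOURS = {"CTL-001": 24, "CTL-002": 24, "CTL-003": 1, "CTL-004": 168}


@dataclass(frozen=True)
class Measurement:
    control: str
    taken_at: datetime
    passed: bool


NOW = datetime(2024, 10, 15, 12, 0, tzinfo=timezone.utc)


def _hours_ago(hours):
    return NOW - timedelta(hours=hours)


# Constructed evidence stream, as a monitoring pipeline might emit it.
EVIDENCE = [
    Measurement("CTL-001", _hours_ago(2), True),
    Measurement("CTL-001", _hours_ago(1), True),
    Measurement("CTL-002", _hours_ago(3), True),
    Measurement("CTL-002", _hours_ago(1), False),
    Measurement("CTL-003", _hours_ago(0.5), True),
    Measurement("CTL-003", _hours_ago(0.2), True),
    Measurement("CTL-004", _hours_ago(400), True),   # stale: older than its 168 h window
]


def control_score(control, evidence=EVIDENCE, now=NOW, max_age=MAX_EVIDENCE_AGE_HOURS):
    """Pass rate over in-window evidence, or None when no fresh evidence exists.
    Stale or missing evidence must not masquerade as a passing control."""
    window = timedelta(hours=max_age[control])
    fresh = [m for m in evidence if m.control == control and now - m.taken_at <= window]
    if not fresh:
        return None
    return sum(m.passed for m in fresh) / len(fresh)


def domain_scores(catalog=CATALOG, **kw):
    """Aggregate control scores into domains (equal weight). A control with no
    fresh evidence scores 0.0 and is counted in the domain's 'unknown' total."""
    per_domain = {}
    for cid, ctl in catalog.items():
        per_domain.setdefault(ctl["domain"], []).append(control_score(cid, **kw))
    return {
        domain: {
            "score": sum((s or 0.0) for s in scores) / len(scores),
            "unknown": sum(s is None for s in scores),
        }
        for domain, scores in per_domain.items()
    }


def requirement_status(framework, catalog=CATALOG, frameworks=FRAMEWORKS, **kw):
    """Per requirement: the weakest mapped control's score, 'unmapped' when no
    control claims it, or 'unknown' when a mapped control lacks fresh evidence."""
    mapping = {}
    for cid, ctl in catalog.items():
        for req in ctl["satisfies"].get(framework, []):
            mapping.setdefault(req, []).append(cid)
    status = {}
    for req in frameworks[framework]:
        controls = mapping.get(req)
        if not controls:
            status[req] = "unmapped"
            continue
        scores = [control_score(c, **kw) for c in controls]
        status[req] = "unknown" if any(s is None for s in scores) else min(scores)
    return status


def coverage(framework, **kw):
    """(claimed, demonstrated): share of requirements mapped to at least one
    control versus share whose mapped controls all pass on fresh evidence."""
    status = requirement_status(framework, **kw)
    total = len(status)
    claimed = sum(v != "unmapped" for v in status.values()) / total
    demonstrated = sum(v == 1.0 for v in status.values()) / total
    return claimed, demonstrated


if __name__ == "__main__":
    for fw in FRAMEWORKS:
        print(fw, requirement_status(fw), coverage(fw))
    print(domain_scores())
```

The gap between claimed and demonstrated coverage is the point: mapping a control to a requirement is a claim of assurance, while fresh, passing evidence is what an auditor can actually rely on. Tightening the evidence-age window per control is how "continuous" gets expressed in data rather than in policy text.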
The necessary ingredients to modernize the industry’s approach to compliance (explained in more detail below) are:
- Interpretation of Regulatory Frameworks
- Measurement of Compliance to Those Frameworks
- Standardized Assessment and Audit Activities
Interpret
By leveraging ML models and industry standard control catalogs (e.g., CSA CCM and NIST 800-53), analysis can be done in an automated manner to produce machine-readable formats of global regulations. Precedent for machine-readable formats exists with both the NIST 800-53 and FedRAMP control catalogs. These machine-readable formats save considerable time in analyzing and interpreting regulatory requirements.
Regulated entities can ingest these machine-readable formats into their existing governance and risk systems to map them to their own control catalog or to view their compliance with new regulations.
The tooling needed to perform this exists in some form within various organizations and can be expected to improve rapidly. By opening this type of tooling to the broader community, a centralized repository of machine-readable formats for regulations and frameworks can be made available.
Measure
With regulations interpreted clearly and aligned to industry standard control matrices, metrics can be developed to determine control effectiveness. Existing work from CSA and the EU’s Medina on creating metrics catalogs can help to seed the effort.
As more regulations are analyzed and converted into machine-readable formats, we can expand our catalogs of controls and develop metrics to support each new control.
Assess
Aligning the entire framework to an open, extensible, and machine-readable data format will allow for the free exchange of the above data between regulators/certifying bodies and regulated entities.
The NIST OSCAL Framework offers a promising way forward. Significant industry efforts are being made to define metrics and prototype assessment packages in the OSCAL format. This work can be expanded upon to address other critical regulations and frameworks.
Business Driver for Continuous Assurance and Compliance Automation
The business case for continuous assurance and compliance automation revolves around risk quantification and management. If the assurance/compliance approach is well codified (assets and identities are known, risks identified, controls implemented, monitored and audited, etc.), then an organization is able to collect qualified data for risk quantification.
Cyber risk represents a significant portion of the total risk for an organization. The precision achieved when measuring and quantifying risk with continuous assurance and compliance automation will impact an organization's mission and vision directly and indirectly.
From a governance perspective, precise risk quantification allows an organization to:
- Allocate resources effectively and efficiently
- Mature its risk management approach and culture
- Develop and enforce policies effectively and efficiently
- Mature its accountability strategy and structure
- Mature its baselines, standards, processes, and procedures
- Mature its control framework
- Manage innovation effectively and efficiently
- Manage compliance effectively and efficiently
From an operational perspective, precise risk quantification allows an organization to:
- Allocate resources effectively and efficiently
- Develop and implement continuous risk management using a design approach (in dev, op, distribution, etc.)
- Mature its standards, baselines, processes, and procedures
- Mature its control framework
- Mature its change management system
- Mature its accountability management system
- Implement a Zero Trust approach
Stay tuned for much more information on this important topic.