The Future of Information Assurance Accreditation
Ascentor’s Paddy Keating attended the SUAC – Accreditors’ Professional Update and Development Event 2016 on 2-3 November 2016. One of the main topics, the future of accreditation within government, centred on a recent consultation paper entitled Assuring Information Services for Government, prepared by the Accreditation Specialism Advisor Group (ASAG).
The paper identified some drivers for change, including efficiency, quality and speed, but it also identified the underlying problem that accreditation, and accreditors themselves, have bad press. Here are Paddy’s reflections on the day.
Euston – we have a problem!
We may all believe that the days of Accreditors acting as blockers and saying ‘no’ to projects moving forward are behind us but the truth is that the perception remains and it is a problem that needs to be addressed head on. It isn’t a matter of simply changing a name; the whole process needs to be reviewed to bring it in line with changing business expectations for agility, affordability and most of all, benefit.
Do we really need accreditation anymore?
To answer that question we need to understand what accreditation is actually trying to achieve. I could look up definitions of accreditation in various publications including old copies of the Security Policy Framework and CESG (as was) Information Assurance Standards but that isn’t really going to help. The question is whether we need accreditation today.
For me, accreditation has always been about providing business leaders with confidence that information risks have been correctly identified and are being appropriately managed. This may be to meet a statutory requirement such as compliance with the Data Protection Act or to ensure intellectual property, which is the life-blood of any business, is handled with due care and consideration. Has that requirement gone away? I don’t think it has. Could you call it something else? Of course you could.
Management of information risk should be the same as managing any other form of risk. You need to have confidence in a solution based on evidence. Call it whatever you like.
Does it have to be done by an Accreditor?
What’s in a name? If the terms ‘accreditation’ and/or ‘Accreditor’ conjure up nightmares of failed projects, delays or internal bickering then clearly it would be a good idea to change. However, I suppose the question could be whether responsibility should be invested in a single named process or person, albeit one that should be representing a whole range of stakeholders.
It could be argued that those responsible for compliance with DPA or those conducting any form of internal audit could be seen as part of the accreditation process. They are independent assessors of compliance with a requirement. An organisation could legitimately decide to gain confidence from any number of people and processes but I believe this would complicate the picture and lead to things being missed or repeated. Surely it would be better to have a single champion for all things to do with information assurance that could speak on behalf of the business? An information assurance evangelist? Perhaps not!
So what does need to be done?
We need to take a long hard look at the requirement for a process that provides confidence to the business that information risks are being identified and addressed appropriately. This is not just during a project or at the point of change, but wherever the requirement for confidence exists. Once we can agree that there is indeed a requirement we then need to work out how it is best achieved and the skills needed to deliver it.
I believe this will point us in the direction of a process and position that looks and feels very much like the existing accreditation process with an Accreditor like position at the helm. It may well be a slimmer, healthier, more business friendly version with a nice new shiny name and that can’t be bad, after all, look what the word ‘cyber’ has done for the whole information security landscape!
For further information
If you have found this article of interest, the Ascentor blog regularly carries articles about Information Assurance (IA) and cyber security issues. You might also like to keep in touch with Ascentor by receiving our quarterly newsletter.
If you’d like to discuss any aspect of IA and cyber security, please contact Dave James, MD at Ascentor.
Office: 01452 881712