Part I - Have you identified “Federated Controls”?
Outsourcing has significantly changed the way enterprises operate their businesses, and today it is an accepted fact that they no longer have complete control over their business and operating environment.
In other words, enterprises have to trust their service providers to protect their sensitive data and comply with regulatory requirements. Most of them obtain this assurance through a reactive approach, i.e. third-party assessments or SAS 70 / SSAE 16 reports, rather than through a proactive, collaborative approach. Moreover, the ground reality is that most of these enterprises do not even have a repository of their own controls mapped to the controls being implemented and operated in their service provider’s environment to protect sensitive data against compromise or to meet regulatory requirements.
As the world moves fast from outsourcing to cloud computing, there is an increased need for enterprises to move from a reactive approach to a proactive (i.e. collaborative) approach, so that both parties can help each other protect sensitive data against compromise and meet their regulatory requirements. That is, service providers and service users should trust each other to form a federation, map their common controls, and collaborate to effectively implement and operate these controls.
To enable this, let me coin a new concept and name it “Federated Controls”. The concept of federation is relatively old in the information security world (federated identity is a well-known example) but relatively new in the risk and control world.
“Federated controls are the set of controls that an enterprise relies on its service provider (third party) to implement and operate in the service provider’s environment in order to protect its sensitive data against compromise or to meet regulatory requirements.”
Enterprises should start categorizing the controls that they trust their service providers to implement and operate effectively as “Federated Controls” and consolidate them into a Federated Controls Matrix (FCM).
The FCM will help the enterprise gain a holistic view of the set of controls implemented and operated by its service providers, and obtain assurance on their design and operating effectiveness.
Part II – Developing a Federated Control Framework follows…