Information Security Assurance – The capital C in PDCA
In some organizations, 2nd Line of Defense functions are kept in the ivory tower, far away from the machine room and the real security issues the company faces. These functions and their deliverables, e.g. the developed and maintained policy and framework, might be used to manage compliance and feed regulators. But are these outcomes valuable? Is their implementation effective in both design and operation? Do they support the security organization to thrive and prosper?
After Deutsche Börse Group revised its security organization, the 2nd LoD function IS Assurance was established. The function, its framework, the grading approach, the assessment plans, and the validation methods for evidence were developed from scratch, with the holistic goal of further improving the security organization.
Within a short period of time the function was able to assess the first security process and generated an overview of the design and operational effectiveness of the verified subject. Here IS Assurance became a trustworthy partner for the 1st and the 3rd Lines of Defense.
This talk introduces the implemented IS Assurance function of the Deutsche Börse Group, gives insights into lessons learned and challenges, and demonstrates a model to grade operational effectiveness with practical details.