Levels of assurance
To gain confidence that security measures are genuine and effective we will seek assurance in three areas:
- assertion from the third party, and an evaluation of relevant security measures that support that assertion
- evidence of independent validation of security measures
- commitment to meeting minimum standards via contract or other formal agreement
The method of processing by third parties will normally define the level and type of assurance required. Methods of processing include:
- on demand over the internet, for example cloud-based:
- the use of cloud-based services to process our information will require a specific form of security assurance. This is due to the types of threat these services face.
- limited to third party premises and network environment:
- this may involve both electronic and hard-copy information. We will require assurances around the third party’s local security controls.
- limited to our own premises and network
The Information Assurance team will ensure that staff are provided with support relevant to:
- the type of processing
- level of assurance required
- any associated risks