Previous article in series – Audit: Planning
Traditional methods of gaining assurance over services and controls management in an on-premises data center, or even with colocation services, are no longer sufficient given the complexity of virtualization and cloud services. To gain greater assurance that expected services and controls are in place, we can review the information available from publicly accessible registries.
Cloud Controls Matrix (CCM)
The Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) is a helpful tool that allows consumers and providers to think in terms of specific cloud controls mapped to specific regulations and frameworks (e.g., NIST, HIPAA, FIPS, ENISA). It provides a common set of expectations between provider and consumer. In the CCM Excel spreadsheet there are 16 control domains, each represented by a different color, with multiple subcategories within them. Moving across the columns, the user can see the various frameworks and regulations to which an organization may need to conform, and can map controls to specific frameworks.
CSA Security, Trust Assurance and Risk (STAR) Registry
The Cloud Security Alliance’s Security, Trust, Assurance and Risk (STAR) registry provides a way to evaluate cloud service providers. A given provider will have assessments and certifications that provide differing levels of assurance about the cloud controls it maintains. For instance, some providers have only completed a self-assessment, which is essentially answering yes/no questions about whether each of 16 cloud controls is in place. Some providers have completed a third-party certification of their cloud controls based upon the ISO 27001 Information Security Management System standard. Other organizations have completed a third-party attestation of their cloud controls, based upon the service organization’s system, in a SOC 2 report.
CSA STAR Level 1: Self-Assessment
CSA STAR Self-Assessment is a complimentary offering that documents the security controls provided by various cloud computing offerings, thereby helping users assess the security of cloud providers they currently use or are considering using. Cloud providers either submit a completed Consensus Assessments Initiative Questionnaire (CAIQ) or submit a report documenting compliance with the Cloud Controls Matrix (CCM). This information then becomes publicly available, promoting industry transparency and giving customers visibility into specific provider security practices. The current iterations of the documents are:
- Consensus Assessments Initiative Questionnaire v3.0.1
- Cloud Controls Matrix v3.0.1
- GDPR Code of Conduct Self-Assessment
The Code of Conduct Self-Assessment consists of the voluntary publication of two documents on the STAR Registry:
- Code of Conduct Statement of Adherence
- Self-assessment results from the PLA Code of Practice (CoP) Template – Annex 1
The Code of Conduct Self-Assessment covers the compliance with GDPR of the service(s) offered by a CSP. After publication of the relevant documents on the registry, a company receives a compliance mark valid for one year. The self-assessment should be revised every time there is a change to the company policies or practices related to the service under assessment.
CSA STAR Level 2: Third-Party Certification
Level 2 of STAR allows organizations to build on other industry certifications and standards and make them specific to the cloud.
CSA STAR Attestation is a collaboration between CSA and the AICPA to provide guidelines for CPAs to conduct SOC 2 engagements using criteria from the AICPA (Trust Service Principles, AT 101) and the CSA Cloud Controls Matrix. STAR Attestation provides for rigorous third-party independent assessments of cloud providers.
The CSA STAR Certification is a rigorous third-party independent assessment of the security of a cloud service provider. The technology-neutral certification leverages the requirements of the ISO/IEC 27001:2013 management system standard together with the CSA Cloud Controls Matrix.
The CSA C-STAR Assessment is a robust third-party independent assessment of the security of a cloud service provider for the Greater China market that harmonizes CSA best practices with Chinese national standards. C-STAR leverages the requirements of the GB/T 22080-2008 management system standard together with the CSA Cloud Controls Matrix, plus 29 related controls selected from GB/T 22239-2008 and GB/Z 28828-2012.
The GDPR CoC Certification is a third-party certification assuring compliance of a CSP’s services with GDPR, based on the CSA Code of Conduct for GDPR.
CSA STAR Level 3: Full Cloud Assurance and Transparency
If your organization operates in a high-risk environment, then pursuing STAR Level 3 is recommended.
CSA STAR Continuous Monitoring enables cloud providers to employ an automated process of monthly reporting on their monitoring, extending from self-assessments up through third-party attestations and certifications. Continuous monitoring provides the highest and most comprehensive assurance for consumers.
EuroCloud StarAudit is a global program, provided by EuroCloud Europe (an independent nonprofit organization), with an international network of accredited partners and professionals. StarAudit facilitates the growth of cloud-based services and innovations worldwide. StarAudit’s areas of activity are: Trust in Cloud, Awareness Programs, Data Privacy Compliance, Knowledge Transfer, Start-Up Encouragement, Standards and Interoperability, and Legal Framework Harmonization.
StarAudit offers a certification scheme to establish trust in cloud services on both the customer and the user side. The purpose of the StarAudit scheme is to provide an accountable quality assessment of cloud services through a transparent and reliable certification process. StarAudit’s other focus is to enable knowledge transfer to IT, legal, and procurement professionals. An accreditation process featuring high-value training services is available to individuals who need these new skills to be successful in their professional careers. StarAudit’s vision is:
- To deliver a framework, assessments, and a certificate as meaningful selection tools for customers who want to use trustworthy cloud services
- To reduce the need for costly individual assessments
- To provide a valuable instrument with a high level of transparency and guidance for customers and providers alike
- To enable an efficient process of knowledge transfer and accreditation
Resource: https://staraudit.org/home/about/
Next article in series – Audit: Types of Audit Reports