Upload
schellman-company
View
167
Download
1
Embed Size (px)
Citation preview
The CSA STAR Program | 1
The CSA STAR Program: Certification & Attestation
The CSA STAR Program | 2
01. Background and Overview 02. CSA STAR Framework 03. Cloud Control Matrix 04. STAR Certification 05. STAR Attestation 06. Preparing 07. Wrap-up / Q/A
Agenda
The CSA STAR Program | 3
Background & Overview 01
The CSA STAR Program | 4
The Cloud Concerns • Observed loss of control • Unknown responsibilities / accountability • Potential liabilities • Inconsistent legal /compliance framework • Lack of transparency • Varying SLA’s
The CSA STAR Program | 5
The Beginning Launched in 2011, the CSA STAR is the first step in improving transparency and assurance in the cloud.
The CSA STAR Program | 6
The Program
• Independent 3rd party validation • Publicly available registry • Assurance requirements • Maturity levels CSPs
The CSA STAR Program | 7
The Journey Prior to issuing the guidance for STAR Certification and STAR Attestation, a CSP could only perform a self-assessment, which meant completing the Consensus Assessments Initiative questionnaire (CAIQ) and making the responses publicly available on the CSA Register. The CAIQ was completed in several different ways and the content varied from short answers to full-page responses.
The CSA STAR Program | 8
Overview of CSA STAR Framework 02
The CSA STAR Program | 9
Framework OPEN CERTIFICATION FRAMEWORK
LEVEL 3 Continuous Monitoring-Based Certification
LEVEL 2 Third-Party Assessment-based Certification
LEVEL 1 Self-Assessment
ASSU
RAN
CE
TRAN
SPAR
ENCY
CONTINUOUS
CERTIFICATION ATTESTATION
SELF-ASSESSMENT
ASSESSMENT
The CSA STAR Program | 10
Cloud Control Matrix 03
The CSA STAR Program | 11
CCM Domains
Application and Interface Security
Data Security & ILME and Key Management
Infrastructure and Virtualization Security
Audit, Assurance and Compliance
Governance and Risk Management Mobile Security
Business Continuity and Management Resilience Human Resources Security Security Incident Management
Change Control and Configuration Management
Identity and Access Management Supply Chain Management
Data Center Security Interoperability and Portability Threat and Vulnerability Management
The CSA STAR Program | 12
CSA STAR CERTIFICATION 04
CERTIFICATION
The CSA STAR Program | 13
Overview • Rigorous 3rd party independent assessment
• Technology-neutral
• Integration of ISO 27001:2013 and CSA CCM
• Designated an overall maturity score
The CSA STAR Program | 14
• Uniform with ISMS
• The Assessors Grid
Scope and Process
The CSA STAR Program | 15
Scope and Process
The CSA STAR Program | 16
• Management Approach • Nonconformities and Impact • Maturity Score and Award • Registration
Scope and Process
The CSA STAR Program | 17
Benefits • Complements ISO 27001 Certification • Increased market confidence • Base maturity level • Process improvement opportunities • Increase overall maturity
The CSA STAR Program | 18
Challenges • ISO 27001 Requirement • Focus on management principles • Extent of external deliverable • Subjective score
The CSA STAR Program | 19
Certificate
The CSA STAR Program | 20
CSA STAR ATTESTATION 05
CERTIFICATION
The CSA STAR Program | 21
• 3rd Party independent security assessment • Integration with SOC 2 examination and CCM • Testing operational effectiveness of 16 security
domains
Overview
The CSA STAR Program | 22
Scope Application and Interface Security Datacenter Security Interoperability and Portability
Audit Assurance and Compliance Encryption and Key Management Mobile Security
Business Continuity Management and Operational Resilience Governance and Risk Management Security Incident Management,
e-Discovery, and Cloud Forensics
Change Control and Configuration Management Human Resources Supply Chain Management,
Transparency, and Accountability
Data Security and Information Identity and Access Management Threat and Vulnerability Management
Lifecycle Management Infrastructure and Virtualization
The CSA STAR Program | 23
• No prerequisites • Design / operating effectiveness • Review period of 6+ months • Standalone / detailed report • Integration with CCM • Easy comparability
Benefits
The CSA STAR Program | 24
• Full disclosure of exceptions • Regressive looking report • No relevance after end of review period
Challenges
The CSA STAR Program | 25
Report
The CSA STAR Program | 26
Preparing 06
The CSA STAR Program | 27
• Define scope and boundaries • Perform a risk assessment • Include CCM in risk treatment • Assess project timeline
Risk Assessment & Scope
The CSA STAR Program | 28
• Internally • Service auditors
Readiness Assessment
The CSA STAR Program | 29
• Policies and procedures • Segregation of duties • Monitoring
Remediation
The CSA STAR Program | 30
• Licensed CPA firm • Auditor Certification • STAR Certification Registrar • Independent • Single Vendor Approach • Audit Team
Audit Firm Selection
The CSA STAR Program | 31
Wrap-Up 07
The CSA STAR Program | 32
• Baseline in dynamic environment • Authoritative source • Market need • Trust and assurance with customers • Leverage current compliance initiatives
It is just the beginning…
The CSA STAR Program | 33
JOIN US NEXT TIME:
HITRUST for Covered Entities and Business Associates August 14th | schellmanco.com/resources