The CSA STAR Program: Certification & Attestation

The CSA STAR Program | 1

The CSA STAR Program: Certification & Attestation


01. Background and Overview 02. CSA STAR Framework 03. Cloud Control Matrix 04. STAR Certification 05. STAR Attestation 06. Preparing 07. Wrap-up / Q/A

Agenda


Background & Overview 01


The Cloud Concerns • Observed loss of control • Unknown responsibilities / accountability • Potential liabilities • Inconsistent legal /compliance framework • Lack of transparency • Varying SLA’s


The Beginning Launched in 2011, the CSA STAR is the first step in improving transparency and assurance in the cloud.


The Program

• Independent 3rd party validation • Publicly available registry • Assurance requirements • Maturity levels CSPs


The Journey Prior to issuing the guidance for STAR Certification and STAR Attestation, a CSP could only perform a self-assessment, which meant completing the Consensus Assessments Initiative questionnaire (CAIQ) and making the responses publicly available on the CSA Register. The CAIQ was completed in several different ways and the content varied from short answers to full-page responses.


Overview of CSA STAR Framework 02


Framework OPEN CERTIFICATION FRAMEWORK

LEVEL 3 Continuous Monitoring-Based Certification

LEVEL 2 Third-Party Assessment-based Certification

LEVEL 1 Self-Assessment

ASSU

RAN

CE

TRAN

SPAR

ENCY

CONTINUOUS

CERTIFICATION ATTESTATION

SELF-ASSESSMENT

ASSESSMENT


Cloud Control Matrix 03


CCM Domains

Application and Interface Security

Data Security & ILME and Key Management

Infrastructure and Virtualization Security

Audit, Assurance and Compliance

Governance and Risk Management Mobile Security

Business Continuity and Management Resilience Human Resources Security Security Incident Management

Change Control and Configuration Management

Identity and Access Management Supply Chain Management

Data Center Security Interoperability and Portability Threat and Vulnerability Management


CSA STAR CERTIFICATION 04

CERTIFICATION


Overview • Rigorous 3rd party independent assessment

• Technology-neutral

• Integration of ISO 27001:2013 and CSA CCM

• Designated an overall maturity score


• Uniform with ISMS

• The Assessors Grid

Scope and Process


Scope and Process


• Management Approach • Nonconformities and Impact • Maturity Score and Award • Registration

Scope and Process


Benefits • Complements ISO 27001 Certification • Increased market confidence • Base maturity level • Process improvement opportunities • Increase overall maturity


Challenges • ISO 27001 Requirement • Focus on management principles • Extent of external deliverable • Subjective score


Certificate


CSA STAR ATTESTATION 05

CERTIFICATION


• 3rd Party independent security assessment • Integration with SOC 2 examination and CCM • Testing operational effectiveness of 16 security

domains

Overview


Scope Application and Interface Security Datacenter Security Interoperability and Portability

Audit Assurance and Compliance Encryption and Key Management Mobile Security

Business Continuity Management and Operational Resilience Governance and Risk Management Security Incident Management,

e-Discovery, and Cloud Forensics

Change Control and Configuration Management Human Resources Supply Chain Management,

Transparency, and Accountability

Data Security and Information Identity and Access Management Threat and Vulnerability Management

Lifecycle Management Infrastructure and Virtualization


• No prerequisites • Design / operating effectiveness • Review period of 6+ months • Standalone / detailed report • Integration with CCM • Easy comparability

Benefits


• Full disclosure of exceptions • Regressive looking report • No relevance after end of review period

Challenges


Report


Preparing 06


• Define scope and boundaries • Perform a risk assessment • Include CCM in risk treatment • Assess project timeline

Risk Assessment & Scope


• Internally • Service auditors

Readiness Assessment


• Policies and procedures • Segregation of duties • Monitoring

Remediation


• Licensed CPA firm • Auditor Certification • STAR Certification Registrar • Independent • Single Vendor Approach • Audit Team

Audit Firm Selection


Wrap-Up 07


• Baseline in dynamic environment • Authoritative source • Market need • Trust and assurance with customers • Leverage current compliance initiatives

It is just the beginning…


JOIN US NEXT TIME:

HITRUST for Covered Entities and Business Associates August 14th | schellmanco.com/resources