Guidance Document Auditing the Cloud Controls Matrix Release 2: 05/16/2014


Guidance Document

Auditing the Cloud Controls Matrix

Release 2: 05/16/2014


CLOUD SECURITY ALLIANCE STAR Certification Guidance Document: Auditing the Cloud Controls Matrix

© 2014 Cloud Security Alliance – All Rights Reserved. Valid at time of printing.

All rights reserved. You may download, store, display on your computer, view, print, and link to the “STAR Certification Guidance Document: Auditing the Cloud Controls Matrix” at http://www.cloudsecurityalliance.org/star, subject to the following: (a) the Guidance may be used solely for your personal, informational, non-commercial use; (b) the Guidance may not be modified or altered in any way; (c) the Guidance may not be redistributed; and (d) the trademark, copyright or other notices may not be removed. You may quote portions of the Guidance as permitted by the Fair Use provisions of the United States Copyright Act, provided that you attribute the portions to the “STAR Certification Guidance Document: Auditing the Cloud Controls Matrix” (2014).

© 2014 Cloud Security Alliance - All Rights Reserved. Hard copies valid only at time of printing. 2


Contents

1. Introduction (page 4)

2. How does this process provide reassurance to a client of the certified organization? (page 4)

3. Assigning a score to an organization (page 4)

4. The assessors’ grid (page 6)

5. How will an assessor use this grid? (page 8)

6. How would an assessor approach scoring a control area? (page 8)

7. What type of certificate will a client get? (page 9)

8. Example of how an assessor might audit a control area (page 10)


1. Introduction

The purpose of this document is to provide guidance to certified bodies and associated organizations that are performing audits or supporting certification activities related to STAR certification.

STAR certification and the associated management capability model:

1. Gives a prospective customer of the certified organization a greater understanding of the level of control that the organization has in place

2. Highlights areas where an organization might wish to improve

3. Ensures that the Cloud Controls Matrix (CCM) does not become the minimum requirement, but through the model also characterizes best-in-class performance

Therefore, there are both internal (business improvement) and external (customer reassurance and transparency) reasons for auditing to a management capability model.

One of the key objectives of the scheme is to ensure that the scope of the cloud service provider meets the consumer’s needs and is service-level agreement (SLA) driven.

2. How does this process provide reassurance to a client of the certified organization?

• ISO 27001 requires the organization to evaluate their customers’ requirements and expectations, as well as contractual requirements. As a result, it requires that the organization has implemented a system to achieve this evaluation.

• ISO 27001 requires the organization to conduct a risk analysis that identifies the risks to meeting their customers’ expectations.

• The CCM requires the organization to address the specific issues that are critical to cloud security.

• The Maturity Model assesses how well-managed activities in the control areas are.

No certification can ever guarantee information is 100% secure; however, ISO 27001 certification and STAR certification ensure that an organization has an appropriate system for the type of information it is dealing with, that it is well managed, and that it is focused on cloud-specific concerns.

3. Assigning a score to an organization

The maturity score is to help drive internal improvements within the organization and will not be listed on certificates.


An organization must demonstrate that it has all of the controls in place and is operating effectively before an assessment of the management capability around the controls can occur. If the organization has a major nonconformity against any of the controls in the control area, the maximum score achievable for that control area is 6.

When an organization is audited, a Management Capability Score will be assigned to each of the control areas in the CCM. This will indicate the capability of the management to ensure that the control is operating effectively in this area. The control areas in CCM version 3.X and version 1.4 are listed below.

CONTROL AREAS 3.0.1

1. Application & Interface Security

2. Audit Assurance & Compliance

3. Business Continuity Management & Operational Resilience

4. Change Control & Configuration Management

5. Data Security & Information Lifecycle Management

6. Datacenter Security

7. Encryption & Key Management

8. Governance and Risk Management

9. Human Resources

10. Identity & Access Management

11. Infrastructure & Virtualization Security

12. Interoperability & Portability

13. Mobile Security

14. Security Incident Management, E-Discovery & Cloud Forensics

15. Supply Chain Management, Transparency and Accountability

16. Threat and Vulnerability Management

CONTROL AREAS 1.4

1. Compliance

2. Data Governance

3. Facility Security

4. Human Resources

5. Information Security

6. Legal

7. Operations Management

8. Release Management

9. Resiliency

10. Risk Management

11. Security Architecture

The management capability of the controls will be scored on a scale of 1-15. These scores have been divided into five different categories that describe the type of approach characteristic of each group of scores.


SCORE DESCRIPTOR

1-3 No Formal Approach

4-6 Reactive Approach

7-9 Proactive Approach

10-12 Improvement-Based Approach

13-15 Optimizing Approach

In summary, there are a number of control areas on the CCM that will each be awarded a management capability score on a scale of 1-15.

4. The assessors’ grid

In order to make it possible for an assessor to consistently apply a score to the control area, the grid below outlines what would be required of an organization to achieve each score.


5. How will an assessor use this grid?

This grid should be used to assign an overall score to each of the control areas in the CCM (e.g., data governance or facilities security). The maturity model aims to assess the maturity of the management processes in place around the controls. In most cases, an organization will apply a common management approach across all of the controls in a control area. Therefore, one maturity score will be applicable to the whole control area. In cases where multiple management approaches are taken, different controls in the same control area could be awarded different scores. In this circumstance, the lowest score should be taken. When a maturity score is applied to the whole control area it is easier to justify the maturity level.

6. How would an assessor approach scoring a control area?

1. The assessor would look at all of the controls in the control area to ensure that, based on the risk assessment, the organization had implemented the appropriate controls. If a control was not directly addressed, the client would need to demonstrate why it was not covered through their risk assessment/statement of applicability, or through compensating controls.

2. The assessor would look for evidence of the organization’s capability to manage the control area.

a. It is expected that similar management structures will span all of the individual controls within a control area. However, if there is a significantly different management approach, the organization will be awarded the score for the weakest management approach in the control area.

3. In order to achieve a certain score, all of the lower levels must be achieved first. For example, if an organization misses a vital element at the lower levels of the model, they will receive a low score even if they have some of the higher level attributes in place.

4. If a client has a major NCR (see footnote 1) in the area, the maximum possible score will be 6.

5. The assessor would then move on to the next control area.

6. Once the assessor has assessed all of the control areas, there will be 11 scores if assessed using v1.4 of the CCM, or 16 scores if using CCM v3.X.

7. The average score will be used to assign the overall level for the client.

8. The organization’s report will highlight what level of maturity their system has achieved.

Notes – Due to the way the controls are structured, an organization that has all of the controls properly in place in the control area will score fairly highly on the controls matrix. For example, in the risk management control area, RI-01 states – “Organizations shall develop and maintain an enterprise risk management framework to manage risk to an acceptable level.” This can be assessed against most of the factors of the maturity model and could be a sophisticated (high-scoring) implementation, or it could be poorly managed, achieving a low score. However, as you look at the other controls in this control area, they are more specific and more detailed about what is required. Consider, for example, “Risks shall be mitigated to an acceptable level. Acceptance levels based on risk criteria shall be established and documented in accordance with reasonable resolution time frames and executive approval.” This is characteristic of the higher management capability levels of the model. Therefore, it would be difficult for a client to have all of the CCM controls in place and not score relatively well. Depending on the capability level the client achieves, their audit report will categorize their performance against the maturity model as either:

1 NCR – Non-Conformance Report

• No Award

• Bronze Award

• Silver Award

• Gold Award

The award is based on the average score received across the control areas.

• If the organization has an average score of less than 3, it will receive a certificate with no award

• If the organization has an average score between 3 and 6, it will receive a bronze award

• If the organization has an average score between 6 and 9, it will receive a silver award

• If the organization has an average score greater than 9, it will receive a gold award

ISO 27001 is a management systems standard and by definition requires a systematic approach to managing an organization. Therefore, if an organization is certified to ISO 27001, it is very unlikely that it would not achieve at least a bronze award.
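To make the aggregation rules of sections 5 and 6 concrete, the following is an added Python example (not code from the CSA document) that scores a control area with the weakest-approach and major-NCR rules, enforces the lower-levels-first rule, and maps the average to an award. The control labels and the three sample areas are constructed, and the treatment of an average of exactly 6 or 9, which the text leaves open, is an assumption stated in the code.

```python
from dataclasses import dataclass

MAX_LEVEL = 15
MAX_SCORE_WITH_MAJOR_NCR = 6  # section 3, and section 6 rule 4
# Score bands from the descriptor table in section 3.
DESCRIPTORS = (
    (1, 3, "No Formal Approach"),
    (4, 6, "Reactive Approach"),
    (7, 9, "Proactive Approach"),
    (10, 12, "Improvement-Based Approach"),
    (13, 15, "Optimizing Approach"),
)

def capability_level(evidenced: set) -> int:
    # Section 6, rule 3: all lower levels must be achieved first, so the score
    # is the highest n with levels 1..n all evidenced; attributes above a gap do not count.
    level = 0
    while level < MAX_LEVEL and (level + 1) in evidenced:
        level += 1
    return level

def descriptor(score: int) -> str:
    for low, high, name in DESCRIPTORS:
        if low <= score <= high:
            return name
    return "Not assessed"  # assumption: 0 means the controls are not yet in place

@dataclass
class ControlArea:
    name: str
    # Levels (1..15) evidenced for each management approach in the area, keyed by
    # a constructed control label; a single entry when one approach spans the area.
    evidenced_by_control: dict
    major_ncr: bool = False

def control_area_score(area: ControlArea) -> int:
    # Sections 5 and 6: one score per area; with several management approaches
    # the weakest one is taken; a major NCR caps the area at 6.
    levels = [capability_level(e) for e in area.evidenced_by_control.values()]
    score = min(levels) if levels else 0
    if area.major_ncr:
        score = min(score, MAX_SCORE_WITH_MAJOR_NCR)
    return score

def award(average: float) -> str:
    # Section 6 thresholds. The text states "less than 3" and "greater than 9"
    # explicitly but not which band an average of exactly 6 or 9 falls in; this
    # example ASSUMES the shared boundaries 6 and 9 belong to the lower band.
    if average < 3:
        return "No Award"
    if average <= 6:
        return "Bronze Award"
    if average <= 9:
        return "Silver Award"
    return "Gold Award"

def assess(areas: list) -> tuple:
    scores = [control_area_score(a) for a in areas]
    average = sum(scores) / len(scores)
    return scores, average, award(average)

# Constructed sample: three areas rather than the 11 (v1.4) or 16 (v3.X)
# scores a real assessment would produce.
SAMPLE_AREAS = [
    # One approach, levels 1-9 evidenced -> 9 (Proactive Approach).
    ControlArea("Facility Security", {"FS-*": set(range(1, 10))}),
    # Levels 9 and 10 evidenced but 8 missing -> stops at 7 (rule 3).
    ControlArea("Risk Management", {"RI-*": {1, 2, 3, 4, 5, 6, 7, 9, 10}}),
    # Two approaches (12 and 11) -> 11, then a major NCR caps it at 6.
    ControlArea("Data Governance",
                {"DG-a": set(range(1, 13)), "DG-b": set(range(1, 12))},
                major_ncr=True),
]
```

Calling `assess(SAMPLE_AREAS)` yields scores of 9, 7 and 6, an average of about 7.33 and a silver award.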

7. What type of certificate will a client get?

A client will be awarded a certificate following the assessment (see footnote 2). However, the certificate will not list the maturity level. The maturity level will only be detailed in the report.

2 In jurisdictions where the issuing of additional certificates is difficult, STAR certification may be included in the scope of the ISO 27001 certificate and it can be endorsed appropriately.


8. Example of how an assessor might audit a control area

The facilities security control area is used here as an illustration because it is a relatively tangible example. There are actually eight controls in this area in v1.4; only the first four are examined here.

The description below is a simplified example of how an assessor might audit the control. It is not supposed to describe in detail what an assessor would do. The approach would vary considerably depending on the type of organization being audited. The approach would be framed by the organization’s analysis of its customers’ expectations and contractual requirements that comes from ISO 27001, and the organization’s overall information security risk analysis that comes from ISO 27001.

Control ID: Description

FS-01 (Facility Security - User Access): Policies and procedures shall be established for maintaining a safe and secure working environment in offices, rooms, facilities and secure areas.

FS-02 (Facility Security - User Access): Physical access to information assets and functions by users and support personnel shall be restricted.

FS-03 (Facility Security - Controlled Access Points): Physical security perimeters (fences, walls, barriers, guards, gates, electronic surveillance, physical authentication mechanisms, reception desks and security patrols) shall be implemented to safeguard sensitive data and information systems.

FS-04 (Facility Security - Secure Area Authorization): Ingress and egress to secure areas shall be constrained and monitored by physical access control mechanisms to ensure that only authorized personnel are allowed access.

1. The assessor would establish if the same management structure covered all the controls within the control area. If there is only one management structure covering the control area, only one maturity score will be required for all the individual controls in the control area.

2. The assessor would then establish that all the controls are in place or are excluded for justifiable reason through the risk analysis and statement of applicability or are covered by a compensating control. This would be done in a very similar way to controls that would be assessed in an ISO 27001 assessment.

3. The assessor would then look at the management capability covering the controls against the matrix. The first 3 factors are:

1) There is no evidence of a system in place to manage the control area.

a. The assessor would simply need to identify a system of some form to manage the control. This could be as little as finding some recognized processes.

2) There is some evidence that either a documented system or an accepted way of working is in place.

a. To achieve a 2, the control area owner should be able to show either some documentation indicating processes, procedures or systems in place, or be able to show evidence that processes, procedures or systems are followed even if they are not documented.


3) There is some evidence of an accepted way of working that is broadly understood and followed.

a. To achieve a 3, the assessor would be able to establish that there is a wider awareness of how the system operates amongst key staff and that it is generally followed.

Note – It is very unlikely that a client with an ISO 27001 compliant system would achieve less than a 3.

4) There is evidence of a system in place to cover key operations in the control area. Where required, the system is documented.

a. To achieve a 4, the assessor would expect to see a system that covered all important aspects of the control area. The client would be expected to be able to identify the key processes and explain how they are controlled within a system.

5) There is a clearly identified owner for the control area who understands the full scope of responsibility for the control area.

a. The key to getting a 5 is to be able to demonstrate clear ownership and accountability for the control area by a person who understands the system in place.

6) There is evidence the system is understood and routinely followed.

a. To achieve a 6, the assessor should be able to find evidence that the control system is followed and understood by the people involved in operating the system on a day to day basis.

Note – A client with a basic ISO 27001 system in place (with opportunities for improvement) should fall somewhere between 4 and 6.

7) There is evidence of a robust system in place that covers all routine operations in the control area.

a. To achieve a 7, the assessor should be able to establish that the system is “robust” and covers all routine operations in the control area. The client should be expected to show some evidence that any weaknesses in the system have been evaluated and, where possible, eliminated, and that they have considered the range of processes and procedures that might be required for the control area.

8) There is evidence that the control area is actively monitored and measured and action evaluated based on the evidence.

a. For an 8, the assessor must be able to clearly identify that there is monitoring and measuring of the control area, that this information is reviewed or evaluated, and that action is taken when an issue is identified.

9) There is evidence that critical people operating in the control area are appropriately trained/skilled to manage routine operations in the control area.

a. For an organization to achieve a 9, the assessor must be able to find evidence that the people operating in the control areas do have the skills required to follow the system effectively for routine operations.

Note – An organization with a strong ISO 27001 compliant management system would probably fall in this category.


10) There is evidence the system for managing the control area is capable of managing contingency events as well as routine activity.

a. To get a 10, the assessor must be able to find evidence that an analysis to identify key contingencies has taken place and that systems have been put in place to manage these contingencies.

11) Input from a variety of sources is considered to decide how to manage risk and improve operations in this control area.

a. To get an 11, the assessor must find evidence that the organization has taken a wide-ranging approach to risk in the control area and may have considered approaches such as PESTLE analysis and looked outside its immediate control area to understand how to manage risks.

12) There is evidence that inputs from a range of stakeholders and from monitoring and measuring systems have been taken into account when improving operations in the control area.

a. To achieve a 12, the assessor must find a credible stakeholder analysis has taken place and that stakeholders are appropriately engaged and improvements are made to a control area. There must also be evidence that monitoring and measuring information not only helps identify weaknesses but is also used to inform improvements.

Note – An organization that scores in this bracket not only has a strong system in place but is constantly seeking to drive the system forward. Organizations in this category would have gone beyond the compliance requirements of ISO 27001.

13) Control area owners actively share best practices to support development in other areas of the organization based on their experience in this control area.

a. To achieve a 13, the assessor must be able to find evidence that the organization has gathered observations from this control area and considered if they could be applied to improving other areas of the organization’s performance.

14) Control area owners can demonstrate that they actively review best practices from their industry and across their organization and apply them to the control area.

a. The key to achieving a 14 is for the assessor to find evidence that the organization actively looks outside the organization to incorporate best practices from across the industry. This might include active participation in industry-wide initiatives and benchmarking initiatives.

15) Changes in the control area are evaluated against the strategic objectives of the organization.

a. To achieve a 15, the organization must be able to demonstrate how the overall strategy of the organization shapes the operation and continual improvement of the system in this control area. This must be understood by those operating in the control area.

Note – An organization that scores between 13 and 15 would be expected to have fully embedded the information security management system into the culture of the organization and be playing a leading role in the industry.
