
How to achieve the CSA STAR Compliance

Let us first understand what CSA STAR is.

The Security, Trust, Assurance, and Risk (STAR) Registry is a publicly accessible registry that documents the security and privacy controls provided by popular cloud computing offerings. STAR encompasses the key principles of transparency, rigorous auditing, and harmonization of standards outlined in the Cloud Controls Matrix (CCM). Publishing to the registry allows organizations to show current and potential customers their security and compliance posture, including the regulations, standards, and frameworks they adhere to. It ultimately reduces complexity and helps alleviate the need to fill out multiple customer questionnaires. Any organization wanting to achieve CSA STAR needs to onboard a CSP who will fill out the CAIQ (Consensus Assessments Initiative Questionnaire) and submit it to the CSA STAR registry.

What is CCM?

The CAIQ is aligned to the CSA Cloud Controls Matrix (CCM), a cybersecurity control framework for cloud computing. It is composed of 197 control objectives that are structured in 17 domains covering all key aspects of cloud technology. It can be used as a tool for the systematic assessment of a cloud implementation and provides guidance on which security controls should be implemented by which actor within the cloud supply chain. The controls framework is aligned to the CSA Security Guidance for Cloud Computing and is considered a de-facto standard for cloud security assurance and compliance. The CCM v4 Implementation Guidelines provide structured guidance on how to use the CCM and support users in implementing the CCM controls. For each control they include more detailed instructions on what the cloud provider should do. In certain cases, the guidelines also provide assistance to the cloud customer.

What does a CSP do?

As mentioned above, an organization will onboard a Cloud Service Provider (CSP) who will help it complete the following two documents and steps to earn its CSA STAR Level 1 or Level 2 certification.

·         The CAIQ is the questionnaire associated with the Cloud Controls Matrix (CCM) and serves as the STAR Level 1 and STAR Level 2 intake form submitted to CSA. It is a set of questions that determine whether the CCM controls have been implemented; completing it is the self-assessment required to attain STAR Level 1.

·         ISO 27001 + CCM or SOC 2 + CCM are the audit/assessment methodologies that will be used to confirm your compliance and achieve STAR Level 2.

What is CAIQ?

Version 4 of the CCM now includes the Consensus Assessment Initiative Questionnaire (CAIQ) in the same document. CAIQ provides a set of “yes or no” questions that can be used to assess a cloud service provider and eliminates the need for multiple questionnaires from individual cloud consumers.

The CAIQ (Consensus Assessments Initiative Questionnaire) v4.0.2 is a set of “yes or no” questions to be filled in by the Cloud Service Provider (CSP). The questionnaire gives the Cloud Service Consumer (CSC) the assurance needed to decide whether the CSP can provide a secure SaaS (Software as a Service) environment to the CSC and its end customers.

To earn a marketing advantage, the CSP needs to be careful to provide the right information in the CAIQ. The information provided must give the CSC and its customers the necessary assurance that the CSP has implemented the right Cloud Controls Matrix (CCM) controls to protect the environment and data.

The CAIQ is curated to support organizations when they interact with cloud providers during the provider assessment process, by giving them specific questions to ask about the provider's operations and processes.

The CAIQ outlines the security capabilities and security posture of an organization to its customers, publicly or privately, in a standardized way, using the terms and descriptions the CSA considers best practice.

Points to be considered while filling the columns in the CAIQ Questionnaire

Question ID

This column should not be updated as it is protected.

Assessment Question

This column should not be updated as it is protected.

CSP CAIQ Answer (Selection Column)

·         Yes

o    The CCM control in question is implemented and meets the requirement.

o    An appropriate Shared Security Responsibility Model (SSRM) ownership indicates the responsible and accountable party for implementation.

·         No

o    The CCM control in question is not implemented and does not meet the requirement.

o    To implement and meet the requirement, the following needs to be documented:

§  what needs to be implemented,

§  how it is to be implemented

o    An appropriate Shared Security Responsibility Model (SSRM) ownership indicates the responsible and accountable party for implementation.

·         NA

o    The CCM control in question is not in scope and not applicable to the cloud assessment.

o    Shared Security Responsibility Model (SSRM) ownership column should be left blank as no one is responsible for implementation.

o    Justification for non-applicability needs to be documented in the CSP Implementation Description.


Shared Security Responsibility Model (SSRM) Control Ownership (Selection Column)

This column is prepared based on the CCM v4 Supply Chain Management, Transparency, and Accountability (STA) domain controls (STA-01 to STA-06) and their implementation guidelines.

·         CSP-Owned

o    The CCM Control in question needs to be implemented by CSP.

o    CSP is responsible and accountable. 

·         CSC-Owned

o    The CCM Control in question needs to be implemented by CSC.

o    CSC is responsible and accountable.

·         Third-party outsourced

o    The CCM Control in question needs to be implemented by a third-party CSP.

o    CSP is accountable.

·         Shared CSP and CSC

o    The CCM Control in question needs to be implemented by CSP and CSC.

o    CSP and CSC are responsible and accountable.

·         Shared CSP and third-party

o    The CCM Control in question needs to be implemented by the CSP and a third party.

o    CSP is accountable.


CSP Implementation Description (Optional/Recommended) (Text Column)

·         The CSP Implementation Description should document how the control is implemented.

·         The description should be specific to the question in focus, not general in nature.

·         A description of the CCM control implementation must cover (refer to the CCM v4 Implementation Guidelines):

o    Policies

o    Procedures

o    Tool used

o    Metrics collected (Refer to ContinuousAuditMetricsCatalog10_19_21)

o    Analysis performed, and

o    Monitoring activities


CSC Implementation Description (Optional/Recommended)

·         The CSC Implementation Description should document how the control is implemented.

·         The description should be specific to the question in focus, not general in nature.

·         A description of the CCM control implementation must cover:

o    Policies

o    Procedures

o    Tool used

o    Metrics collected

o    Analysis performed, and

o    Monitoring activities
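The column rules above can be turned into an automated consistency check run over the questionnaire before it is submitted. The Python validator below is an added example, not a CSA or Accedere tool: it encodes the answer, SSRM ownership and implementation description rules as stated above. The question IDs, question texts and descriptions in it are constructed placeholders, and the topic-coverage check is a keyword heuristic (it checks that policies, procedures, tools, metrics, analysis and monitoring are mentioned), not a judgment of description quality.

```python
"""Consistency checks for CAIQ rows (added example, not a CSA tool).

Question IDs, question texts and descriptions below are constructed placeholders.
"""
from __future__ import annotations

from dataclasses import dataclass

ALLOWED_ANSWERS = {"Yes", "No", "NA"}

# SSRM ownership values from the CCM v4 STA domain, as listed above.
ALLOWED_SSRM = {
    "CSP-Owned",
    "CSC-Owned",
    "Third-party outsourced",
    "Shared CSP and CSC",
    "Shared CSP and third-party",
}

# Word stems for the six topics a CSP implementation description must cover.
# Heuristic only: it checks that each topic is mentioned, not described well.
DESCRIPTION_TOPICS = {
    "policies": "polic",
    "procedures": "procedur",
    "tools": "tool",
    "metrics": "metric",
    "analysis": "analy",
    "monitoring": "monitor",
}

# Constructed reference copy of the protected columns (Question ID and
# Assessment Question). A row whose text differs has edited a protected column.
REFERENCE_QUESTIONS = {
    "EX-01.1": "Are audit and assurance policies established and maintained?",
    "EX-01.2": "Are audit results reviewed by management?",
    "EX-02.1": "Are customer workloads isolated from one another?",
}


@dataclass
class CaiqRow:
    question_id: str
    question_text: str
    answer: str
    ssrm_ownership: str = ""
    csp_description: str = ""


def validate_row(row: CaiqRow) -> list[str]:
    """Return the findings for one row; an empty list means the row is consistent."""
    findings: list[str] = []
    qid = row.question_id.strip()
    answer = row.answer.strip()
    ssrm = row.ssrm_ownership.strip()
    desc = row.csp_description.strip()

    # Protected columns: ID and question text must match the reference copy.
    reference = REFERENCE_QUESTIONS.get(qid)
    if reference is None:
        findings.append(f"{qid}: unknown question ID (protected column edited?)")
    elif row.question_text.strip() != reference:
        findings.append(f"{qid}: assessment question text was modified (protected column)")

    if answer not in ALLOWED_ANSWERS:
        findings.append(f"{qid}: answer must be Yes, No or NA, got {answer!r}")
        return findings

    if answer == "NA":
        # Out of scope: no owner, but a justification is required.
        if ssrm:
            findings.append(f"{qid}: SSRM ownership must be left blank for NA")
        if not desc:
            findings.append(f"{qid}: NA requires a non-applicability justification")
        return findings

    # Yes / No: an SSRM owner is mandatory and must be one of the allowed values.
    if ssrm not in ALLOWED_SSRM:
        findings.append(f"{qid}: SSRM ownership {ssrm!r} is not one of {sorted(ALLOWED_SSRM)}")

    if answer == "No" and not desc:
        findings.append(f"{qid}: No requires documenting what needs to be implemented and how")

    if answer == "Yes" and desc:
        lowered = desc.lower()
        missing = [name for name, stem in DESCRIPTION_TOPICS.items() if stem not in lowered]
        if missing:
            findings.append(f"{qid}: description does not mention {', '.join(missing)}")
    return findings


def validate_sheet(rows: list[CaiqRow]) -> dict[str, list[str]]:
    """Validate every row and return {question_id: findings} for rows with problems."""
    report: dict[str, list[str]] = {}
    for row in rows:
        findings = validate_row(row)
        if findings:
            report[row.question_id.strip()] = findings
    return report


# Constructed sample rows exercising each answer value.
SAMPLE_ROWS = [
    CaiqRow("EX-01.1", REFERENCE_QUESTIONS["EX-01.1"], "Yes", "CSP-Owned",
            "Policy AP-1 and procedure AP-1.2 define the audit program; the GRC tool "
            "tracks findings, metrics on open findings are reported monthly, root-cause "
            "analysis is performed per finding, and monitoring of remediation is continuous."),
    CaiqRow("EX-01.2", REFERENCE_QUESTIONS["EX-01.2"], "NA", "CSP-Owned", ""),
    CaiqRow("EX-02.1", REFERENCE_QUESTIONS["EX-02.1"], "No", "", ""),
]

if __name__ == "__main__":
    for qid, row_findings in validate_sheet(SAMPLE_ROWS).items():
        for finding in row_findings:
            print(finding)
```

Running the block prints the findings for the two inconsistent sample rows: the NA row that still names an owner and lacks a justification, and the No row with no owner and no description of what remains to be implemented. In practice the rows would be read from the exported CAIQ spreadsheet and the reference copy taken from the unmodified CSA template.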

Providing the right information in the CAIQ is key for the CSP to increase and improve its

·         Client base

·         Market share

·         Revenue

·         Profitability


Achieving the STAR Level 2

The CSA STAR Attestation leverages the requirements of the AICPA-governed SOC 2 Type 2 attestation along with the CSA Cloud Controls Matrix. The assessment review period is determined by the client but should be no less than 6 months. For STAR Attestation, the renewal period is every 12 months. You must have a SOC 2 Type 2 attestation report to apply for STAR Attestation, or you can obtain the SOC 2 Type 2 and STAR together. Alternatively, you may take the ISO/IEC 27001 certification route along with the CCM controls to achieve the same objective.


About Accedere Inc.

Accedere Inc. is a global provider of assurance services for cybersecurity compliance. Accedere Inc. is a Colorado CPA firm registered with the PCAOB, with a focus on cloud security and privacy, and an empaneled Cloud Security Alliance (CSA) auditor for conducting assessments against the CSA STAR attestation and certification requirements. As an ISO/IEC certification body, Accedere Inc. also has the relevant expertise to support the ISO/IEC 27001 + STAR certification process.

Ashwin Chaudhary is the CEO of Accedere. He is a Colorado CPA and an MBA, CITP, CISA, CISM, CGEIT, CRISC, CISSP, CDPSE, CCSK, PMP, ISO 27001 LA and ITIL v3 certified cybersecurity professional with about 20 years of cybersecurity/privacy experience and 40 years of industry experience. He has managed many cybersecurity projects covering SOC reporting, privacy, IoT, and governance, risk, and compliance.