© Cloud Security Alliance, 2015
CCM & CAIQ Working Group Meeting, RSA 2015
Sean Cordero, Chair CCM
Laura Posey, Chair CAIQ
Agenda
• Overview of the CCM
• Overview of the CAIQ
• CSA STAR & The CCM
• Industry Adoption and the CCM
• CSA STAR Watch
• Looking Ahead: CCM 2015-2016
Overview of the CCM
• Industry standard for cloud supply chain security & risk management:
  • Delineates control ownership (Provider, Customer)
  • An anchor for security and compliance posture measurement
  • Provides a framework of 16 control domains
  • Controls map to global regulations and security standards
• Industry Driven Effort: 120+ Peer Review Participants
• Participants: AICPA, Microsoft, McKesson, ISACA, Oracle
• Backbone of the Open Certification Framework and STAR
Overview of the CAIQ
• Consensus Assessment Initiative Questionnaire
  • A series of yes/no control assertion questions that a cloud consumer or cloud auditor may ask of a cloud provider.
  • Based directly on the CCM security controls
  • Broken out by SaaS, PaaS, and IaaS layers
  • Companion to the CSA Guidance and the CSA Cloud Controls Matrix (CCM)
  • Helps organizations build the necessary assessment processes for engaging with cloud providers
  • Helps cloud providers assess their own security posture
• Industry Driven Effort: 120+ Peer Review Participants
• Participants: AICPA, Microsoft, McKesson, ISACA, Oracle
CSA STAR: SECURITY, TRUST & ASSURANCE REGISTRY
• Launched in 2011, the CSA STAR is the first step in improving transparency and assurance in the cloud.
• The STAR is a publicly accessible registry that documents the security controls provided by cloud computing offerings.
• Based on a multilayered structure defined by the Open Certification Framework Working Group.
• A searchable registry that allows cloud customers to assess the security practices of providers, accelerating their due diligence and leading to higher-quality procurement experiences.
Industry Adoption of the CCM
• CSA STAR Certification
  • Based on ISO/IEC 27001:2013 and CCM 3.x
  • Provides an enhanced assessment that gives full visibility.
  • Flexible assessment that can be tailored through the Statement of Applicability.
• CSA and AICPA Cloud Attestation
  • Third-party assessment program of cloud providers, officially known as CSA Security Trust & Assurance Registry (STAR) Attestation.
  • Enables enhanced, cloud-specific AICPA SOC 2 reporting.
  • Illustrative SOC 2 report with the CCM provided on the AICPA site.
CSA STAR Watch (SaaS)
• CSA STAR Watch:
  • Subscription-based SaaS tool to manage CCM compliance.
  • Delivers the CCM/CAIQ in a multi-user database.
  • Enables control delegation for assessors.
• Open Beta announced at the CSA Summit (4/20)
• Envisioned integration with STAR and GRC consoles
• Visit the CSA booth in the South Hall (to the right of the main entrance), #2621
• Demos at 4pm (Tuesday and Wednesday)
• Interested? Contact [email protected] with Subject Line “CSA STAR Watch BETA”.
Looking Ahead: CCM 2015-2016
• Next CCM Release: Planned for 2016
  • 3.0.1 to remain stable throughout 2015
• New Candidate Mappings (2015)
  • FedRAMP
  • ISO 27018
  • NIST Cybersecurity Framework
• Standing Control Reviews Established
  • Improve auditability & measurement
  • Clarify intent and language
  • Get involved! Contact
Contact Information
Sean Cordero email: [email protected]
Twitter: @sean_cordero
Laura Posey email: [email protected]