©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
The CSA STAR Program: Certification & Attestation
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
01. Background and Overview 02. CCM Framework 03. Cloud Control Matrix 04. STAR Certification 05. STAR Attestation 06. Preparing 07. Q/A
Agenda
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
Background & Overview 01
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
The Cloud Concerns • Observed loss of control • Unknown responsibilities / accountability • Potential liabilities • Inconsistent legal /compliance framework • Lack of transparency • Varying SLA’s
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
The Beginning
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
Launched in 2011, the CSA STAR is the first step in improving transparency and assurance in the cloud.
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
The Program
• Independent 3rd party validation • Publicly available registry • Assurance requirements • Maturity levels CSPs
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
The Journey
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
Prior to issuing the guidance for STAR Certification and STAR Attestation, a CSP could only perform a self-assessment, which meant completing the Consensus Assessments Initiative questionnaire (CAIQ) and making the responses publicly available on the CSA Register. The CAIQ was completed in several different ways and the content varied from short answers to full-page responses.
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
Overview of Open Certification Framework 02
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
Framework OPEN CERTIFICATION FRAMEWORK
LEVEL 3 Continuous Monitoring-Based Certification
LEVEL 2 Third-Party Assessment-based Certification
LEVEL 1 Self-Assessment
ASSU
RAN
CE
TRAN
SPAR
ENCY
CONTINUOUS
CERTIFICATION ATTESTATION
SELF-ASSESSMENT
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
Cloud Control Matrix 03
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
CCM Domains
Application and Interface Security
Data Security & ILME and Key Management
Infrastructure and Virtualization Security
Audit, Assurance and Compliance
Governance and Risk Management Mobile Security
Business Continuity and Management Resilience Human Resources Security Security Incident Management
Change Control and Configuration Management
Identity and Access Management Supply Chain Management
Data Center Security Interoperability and Portability Threat and Vulnerability Management
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
CSA STAR CERTIFICATION 04
CERTIFICATION
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
Overview • Rigorous 3rd party independent assessment
• Technology-neutral
• Integration of ISO 27001:2013 and CSA CCM
• Designated an overall maturity score
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
• Uniform with ISMS
• The Assessors Grid
Scope and Process
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
Scope and Process
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
• Management Approach • Nonconformities and Impact • Maturity Score and Award • Registration
Scope and Process
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
Benefits • Complements ISO 27001 Certification • Increased market confidence • Base maturity level • Process improvement opportunities • Increase overall maturity
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
Challenges • ISO 27001 Requirement • Focus on management principles • Extent of external deliverable • Subjective score
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
Certificate
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
CSA STAR ATTESTATION 05
ATTESTATION
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
• 3rd Party independent security assessment • Integration with SOC 2 examination and CCM • Testing operational effectiveness of 16 security
domains
Overview
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
Scope Application and Interface Security Datacenter Security Interoperability and Portability
Audit Assurance and Compliance Encryption and Key Management Mobile Security
Business Continuity Management and Operational Resilience Governance and Risk Management Security Incident Management,
e-Discovery, and Cloud Forensics
Change Control and Configuration Management Human Resources Supply Chain Management,
Transparency, and Accountability
Data Security and Information Identity and Access Management Threat and Vulnerability Management
Lifecycle Management Infrastructure and Virtualization
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
• No prerequisites • Design / operating effectiveness • Review period of 6+ months • Standalone / detailed report • Integration with CCM • Easy comparability
Benefits
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
• Full disclosure of exceptions • Regressive looking report • No relevance after end of review period
Challenges
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
Report
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
Preparing 06 ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
• Define scope and boundaries • Perform a risk assessment • Include CCM in risk treatment • Assess project timeline
RISK ASSESSMENT & SCOPE
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
• Internally • Service auditors
READINESS ASSESSMENT
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
• Policies and procedures • Segregation of duties • Monitoring
REMEDIATION
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
• Licensed CPA firm • Auditor Certification • STAR Certification Registrar • Independent • Single Vendor Approach • Audit Team
AUDIT FIRM SELECTION
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
• Baseline in dynamic environment • Authoritative source • Market need • Trust and assurance with customers • Leverage current compliance initiatives
It is just the beginning…
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
JOIN US NEXT TIME: HITRUST for Covered Entities and Business Associates
August 14th
brightline.com/webinars
Top Related