©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
The CSA STAR Program: Certification & Attestation
Agenda
01. Background and Overview
02. CCM Framework
03. Cloud Control Matrix
04. STAR Certification
05. STAR Attestation
06. Preparing
07. Q/A
01 Background & Overview
The Cloud Concerns
• Observed loss of control
• Unknown responsibilities / accountability
• Potential liabilities
• Inconsistent legal / compliance framework
• Lack of transparency
• Varying SLAs
The Beginning
Launched in 2011, the CSA STAR is the first step in improving
transparency and assurance in the cloud.
The Program
• Independent 3rd party validation
• Publicly available registry
• Assurance requirements
• Maturity levels for CSPs
The Journey
Prior to issuing the guidance for STAR Certification and STAR Attestation, a CSP could only perform a self-assessment, which meant completing the Consensus Assessments Initiative Questionnaire (CAIQ) and making the responses publicly available on the CSA Register. The CAIQ was completed in several different ways, and the content varied from short answers to full-page responses.
02 Overview of Open Certification Framework
Framework
OPEN CERTIFICATION FRAMEWORK (assurance and transparency increase from Level 1 to Level 3)
• LEVEL 1: Self-Assessment (SELF-ASSESSMENT)
• LEVEL 2: Third-Party Assessment-based Certification (ATTESTATION, CERTIFICATION)
• LEVEL 3: Continuous Monitoring-Based Certification (CONTINUOUS)
03 Cloud Control Matrix
CCM Domains
• Application and Interface Security
• Audit, Assurance and Compliance
• Business Continuity Management and Operational Resilience
• Change Control and Configuration Management
• Data Security & Information Lifecycle Management
• Data Center Security
• Encryption and Key Management
• Governance and Risk Management
• Human Resources Security
• Identity and Access Management
• Infrastructure and Virtualization Security
• Interoperability and Portability
• Mobile Security
• Security Incident Management
• Supply Chain Management
• Threat and Vulnerability Management
04 CSA STAR Certification
Overview
• Rigorous 3rd party independent assessment
• Technology-neutral
• Integration of ISO 27001:2013 and CSA CCM
• The CSP is assigned an overall maturity score
Scope and Process
• Uniform with ISMS
• The Assessors Grid
Scope and Process (continued)
• Management Approach
• Nonconformities and Impact
• Maturity Score and Award
• Registration
Benefits
• Complements ISO 27001 Certification
• Increased market confidence
• Base maturity level
• Process improvement opportunities
• Increase overall maturity
Challenges
• ISO 27001 Requirement
• Focus on management principles
• Extent of external deliverable
• Subjective score
Certificate
05 CSA STAR Attestation
Overview
• 3rd party independent security assessment
• Integration with SOC 2 examination and CCM
• Testing operational effectiveness of 16 security domains
Scope
• Application and Interface Security
• Audit Assurance and Compliance
• Business Continuity Management and Operational Resilience
• Change Control and Configuration Management
• Data Security and Information Lifecycle Management
• Datacenter Security
• Encryption and Key Management
• Governance and Risk Management
• Human Resources
• Identity and Access Management
• Infrastructure and Virtualization
• Interoperability and Portability
• Mobile Security
• Security Incident Management, e-Discovery, and Cloud Forensics
• Supply Chain Management, Transparency, and Accountability
• Threat and Vulnerability Management
Benefits
• No prerequisites
• Design / operating effectiveness
• Review period of 6+ months
• Standalone / detailed report
• Integration with CCM
• Easy comparability
Challenges
• Full disclosure of exceptions
• Backward-looking report
• No relevance after end of review period
Report
06 Preparing
RISK ASSESSMENT & SCOPE
• Define scope and boundaries
• Perform a risk assessment
• Include CCM in risk treatment
• Assess project timeline
READINESS ASSESSMENT
• Internally
• Service auditors
REMEDIATION
• Policies and procedures
• Segregation of duties
• Monitoring
AUDIT FIRM SELECTION
• Licensed CPA firm
• Auditor Certification
• STAR Certification Registrar
• Independent
• Single Vendor Approach
• Audit Team
It is just the beginning…
• Baseline in dynamic environment
• Authoritative source
• Market need
• Trust and assurance with customers
• Leverage current compliance initiatives
JOIN US NEXT TIME:
HITRUST for Covered Entities and Business Associates
August 14th
brightline.com/webinars
