©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
The CSA STAR Program: Certification & Attestation
Agenda
01. Background and Overview
02. Open Certification Framework
03. Cloud Control Matrix
04. STAR Certification
05. STAR Attestation
06. Preparing
07. Q/A
01. Background & Overview
The Cloud Concerns
• Perceived loss of control
• Unclear responsibilities / accountability
• Potential liabilities
• Inconsistent legal / compliance framework
• Lack of transparency
• Varying SLAs
The Beginning
Launched in 2011, the CSA STAR program is the first step in improving transparency and assurance in the cloud.
The Program
• Independent third-party validation
• Publicly available registry
• Assurance requirements
• Maturity levels for CSPs
The Journey
Prior to the issuance of the guidance for STAR Certification and STAR Attestation, a CSP could only perform a self-assessment, which meant completing the Consensus Assessments Initiative Questionnaire (CAIQ) and making the responses publicly available on the CSA Register. The CAIQ was completed in several different ways, and the content varied from short answers to full-page responses.
02. Overview of Open Certification Framework
Framework
Open Certification Framework (assurance and transparency increase with each level):
• Level 1: Self-Assessment
• Level 2: Third-Party Assessment-based Certification (STAR Certification and STAR Attestation)
• Level 3: Continuous Monitoring-Based Certification
03. Cloud Control Matrix
CCM Domains
• Application and Interface Security
• Audit, Assurance and Compliance
• Business Continuity Management and Operational Resilience
• Change Control and Configuration Management
• Data Security & Information Lifecycle Management
• Data Center Security
• Encryption and Key Management
• Governance and Risk Management
• Human Resources Security
• Identity and Access Management
• Infrastructure and Virtualization Security
• Interoperability and Portability
• Mobile Security
• Security Incident Management
• Supply Chain Management
• Threat and Vulnerability Management
04. CSA STAR Certification
Overview
• Rigorous independent third-party assessment
• Technology-neutral
• Integration of ISO 27001:2013 and the CSA CCM
• Awards an overall maturity score
Scope and Process
• Uniform with the ISMS
• The Assessors Grid
Scope and Process (continued)
• Management Approach
• Nonconformities and Impact
• Maturity Score and Award
• Registration
Benefits
• Complements ISO 27001 certification
• Increased market confidence
• Baseline maturity level
• Process improvement opportunities
• Increased overall maturity
Challenges
• ISO 27001 certification is a prerequisite
• Focus on management principles
• Extent of the external deliverable
• Subjective score
05. CSA STAR Attestation
Overview
• Independent third-party security assessment
• Integration with a SOC 2 examination and the CCM
• Testing of operating effectiveness across 16 security domains
Scope
• Application and Interface Security
• Audit Assurance and Compliance
• Business Continuity Management and Operational Resilience
• Change Control and Configuration Management
• Data Security and Information Lifecycle Management
• Datacenter Security
• Encryption and Key Management
• Governance and Risk Management
• Human Resources
• Identity and Access Management
• Infrastructure and Virtualization
• Interoperability and Portability
• Mobile Security
• Security Incident Management, e-Discovery, and Cloud Forensics
• Supply Chain Management, Transparency, and Accountability
• Threat and Vulnerability Management
Benefits
• No prerequisites
• Covers design and operating effectiveness
• Review period of 6+ months
• Standalone, detailed report
• Integration with the CCM
• Easy comparability
Challenges
• Full disclosure of exceptions
• Retrospective (backward-looking) report
• No relevance after the end of the review period
06. Preparing
Risk Assessment & Scope
• Define scope and boundaries
• Perform a risk assessment
• Include the CCM in risk treatment
• Assess the project timeline
Readiness Assessment
• Internally
• Service auditors
Remediation
• Policies and procedures
• Segregation of duties
• Monitoring
Audit Firm Selection
• Licensed CPA firm
• Auditor certification
• STAR Certification registrar
• Independent
• Single-vendor approach
• Audit team
It is just the beginning…
• Baseline in a dynamic environment
• Authoritative source
• Market need
• Trust and assurance with customers
• Leverage current compliance initiatives
Join us next time: HITRUST for Covered Entities and Business Associates, August 14th
brightline.com/webinars