Information Security Exchange
The CSA-STAR Certification
The CSP Differentiator
Mike Edwards
29 April 2014
Copyright © 2013 BSI. All rights reserved. 3
Content
• Who is BSI?
• Who is the CSA?
• What is CSA-STAR?
• The Open Certification Framework (OCF)
• The Cloud Controls Matrix (CCM)
• Management Capability Model
• CSA-STAR Certification process
• Why certify?
Who is BSI – 10 fast facts
Who is the CSA?
• Founded in 2008 as a not-for-profit organization
• Undertakes numerous research and lobbying activities promoting the importance of secure cloud infrastructure
• Global network of regional chapters, with members ranging from corporate to individual level
CSA Corporate Members
What is the CSA-STAR?
• Launched November 2011
• Encourages transparency of security practices
• Free publicly available registry
• Open to all Cloud Service Providers
• Makes security capabilities a market differentiator
Open Certification Framework (OCF)
• Publicly available: Open Certification Framework
  • Self Assessment
  • Certification
  • Attestation
  • Continuous
The Cloud Controls Matrix (CCM)
• Technology-neutral framework of controls
• Aligns to multiple IS frameworks and methodologies
• V1.4: 98 controls in 11 domains
• V3.0: 136 controls in 16 domains
• V3.0.1, which adds ISO/IEC 27001:2013 alignment, is at peer review
• Provides structured security tailored to the cloud industry
The Management Capability Score
| Score | Descriptor |
| --- | --- |
| 1 – 3 | No Formal Approach |
| 4 – 6 | Reactive Approach |
| 7 – 9 | Proactive Approach |
| 10 – 12 | Improvement Based Approach |
| 13 – 15 | Optimizing Approach |
Management Capability Model
The CSA-STAR Certification process
• The set of controls to be assessed is decided upon
• Each control is scored out of 15
• A level only counts once all preceding levels have been achieved
• Assessment covers all 16 domains
• The lowest control score in each domain is the score carried into the final scoring for that domain
• The average of the 16 domain scores gives the maturity score
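The scoring rules above (score out of 15 per control, preceding levels required, lowest control score per domain, average over 16 domains) and the descriptor bands from the Management Capability Score table can be worked through in code. The example below is an added illustration, not BSI's or the CSA's own scoring tool. Its assumptions are marked in comments: per-level evidence is modelled as 15 booleans per control, a fractional average is banded by its integer part, a score below 1 is reported with the lowest band, and the domain names and control scores are constructed sample data rather than a real assessment or the CCM's actual domain titles.

```python
from math import floor
from statistics import mean

MAX_LEVEL = 15
DOMAIN_COUNT = 16

# Descriptor bands exactly as in the Management Capability Score table.
DESCRIPTOR_BANDS = [
    (1, 3, "No Formal Approach"),
    (4, 6, "Reactive Approach"),
    (7, 9, "Proactive Approach"),
    (10, 12, "Improvement Based Approach"),
    (13, 15, "Optimizing Approach"),
]


def control_score(levels_met):
    """Score one control out of 15 from per-level evidence.

    ASSUMPTION: `levels_met` is a list of 15 booleans, index i meaning level i+1
    is evidenced. The scheme only says every preceding level must be achieved,
    so the score counts consecutive levels met from level 1; a gap caps the
    score even if higher levels are evidenced.
    """
    if len(levels_met) != MAX_LEVEL:
        raise ValueError(f"expected {MAX_LEVEL} level flags, got {len(levels_met)}")
    score = 0
    for met in levels_met:
        if not met:
            break
        score += 1
    return score


def domain_score(control_scores):
    """A domain scores as its lowest control: one weak control drags the domain down."""
    if not control_scores:
        raise ValueError("domain has no controls")
    if any(not 0 <= s <= MAX_LEVEL for s in control_scores):
        raise ValueError(f"control scores must lie within 0..{MAX_LEVEL}")
    return min(control_scores)


def maturity_score(domain_scores):
    """The maturity score is the average over the 16 domain scores."""
    if len(domain_scores) != DOMAIN_COUNT:
        raise ValueError(f"expected {DOMAIN_COUNT} domains, got {len(domain_scores)}")
    return mean(domain_scores)


def descriptor(score):
    """Map a score to its descriptor band.

    ASSUMPTION: a fractional average is banded by its integer part, and a
    score below 1 (no level met at all) is reported with the lowest band.
    """
    level = max(1, floor(score))
    for low, high, label in DESCRIPTOR_BANDS:
        if low <= level <= high:
            return label
    raise ValueError(f"score {score} outside 0..{MAX_LEVEL}")


def build_sample_assessment():
    """Constructed sample data (not a real assessment): 16 placeholder domains
    with three controls each. Four domains contain one control stuck at level 5."""
    assessment = {}
    for n in range(1, DOMAIN_COUNT + 1):
        name = f"Domain {n:02d}"  # placeholder, not a CCM domain title
        assessment[name] = [12, 5, 8] if n % 4 == 3 else [9, 11, 10]
    return assessment


def assess(assessment):
    """Return (per-domain scores, maturity score, descriptor) for an assessment."""
    per_domain = {name: domain_score(scores) for name, scores in assessment.items()}
    maturity = maturity_score(list(per_domain.values()))
    return per_domain, maturity, descriptor(maturity)


if __name__ == "__main__":
    per_domain, maturity, label = assess(build_sample_assessment())
    for name, score in per_domain.items():
        print(f"{name}: {score:2d}  ({descriptor(score)})")
    print(f"maturity score: {maturity:.2f} -> {label}")
```

Running it shows the practical effect of the "lowest score per domain" rule: the four domains whose other controls sit at 8 and 12 still score 5 (Reactive), which pulls the average for the whole assessment down to 8 (Proactive) even though most controls are at 9 or above. Raising a single weak control is therefore the most direct route to a higher domain score.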
Award structure
CSA-STAR Certification process
• Certificate issued to successful client
• Certificate is valid for three years and subject to the same auditing process as an ISO/IEC 27001 certificate
CSA-STAR Certification requirements
• Must have a valid ISO/IEC 27001 certificate with an accredited certification body
• The CSA-STAR scope can differ from the ISO/IEC 27001 scope, but must be a subset of it
• Auditing requirements for CSA-STAR are the same as for ISO/IEC 27001: if you need 5 days for ISO/IEC 27001, an additional 5 days are required to certify to CSA-STAR
• The two certificates can run on different cycles, but the ISO/IEC 27001 certificate must remain in date
Initial Certification Audit: Stages 1 & 2
Why certify?
• It gives a prospective customer of the certified organization a greater understanding of the level of control that the organization they are buying from has in place
• Highlights areas where an organization might wish to improve
• Ensures the CCM does not become the minimum requirement; through the model it also highlights what best-in-class performance looks like
• There are internal (business improvement) and external (customer reassurance and transparency) reasons for auditing against a management capability model
• One of the key objectives of the scheme is to ensure the scope of the Cloud Service Provider is fit for purpose and SLA driven (Customer Focused)
ISO/IEC 27001, CCM & maturity – A match made in heaven (or at least the clouds!)
• ISO/IEC 27001 requires the organization to evaluate its customers’ requirements and expectations, as well as contractual requirements, and to have implemented a system to meet them.
• ISO/IEC 27001 requires the organization to have conducted a risk analysis that identifies the risks to meeting its customers’ expectations.
• The Cloud Controls Matrix requires the organization to address the specific issues that are critical to cloud security.
• The maturity model assesses how well managed activities in the control areas are.
• No certification can ever guarantee that information is 100% secure; however, ISO/IEC 27001 certification and CSA-STAR certification together ensure that an organization has an appropriate system for the type of information it handles, and that the system is well managed and focused on cloud-specific concerns.
Any questions?
Contact us
Address: BSI Group, Kitemark Court, Davy Avenue, Knowlhill, Milton Keynes, MK5 8PP, United Kingdom
Telephone: +44 845 086 9000
Email: [email protected]
Links: www.bsigroup.co.uk/training