The CSA STAR Program | 1
The CSA STAR Program: Certification & Attestation
Agenda
01. Background and Overview
02. CSA STAR Framework
03. Cloud Control Matrix
04. STAR Certification
05. STAR Attestation
06. Preparing
07. Wrap-up / Q&A
01. Background & Overview
The Cloud Concerns
• Observed loss of control
• Unknown responsibilities / accountability
• Potential liabilities
• Inconsistent legal / compliance framework
• Lack of transparency
• Varying SLAs
The Beginning
Launched in 2011, the CSA STAR program is the first step in improving transparency and assurance in the cloud.
The Program
• Independent 3rd party validation
• Publicly available registry
• Assurance requirements
• Maturity levels for CSPs
The Journey
Prior to the issuance of guidance for STAR Certification and STAR Attestation, a CSP could only perform a self-assessment. This meant completing the Consensus Assessments Initiative Questionnaire (CAIQ) and making the responses publicly available on the CSA Registry. CAIQs were completed in several different ways, and the content varied from short answers to full-page responses, which limited comparability between providers.
02. Overview of CSA STAR Framework
Framework: Open Certification Framework
• Level 1: Self-Assessment
• Level 2: Third-Party Assessment-based Certification (STAR Certification / STAR Attestation)
• Level 3: Continuous Monitoring-Based Certification (continuous assessment)
(Diagram axes: assurance and transparency, rising from Level 1 to Level 3.)
03. Cloud Control Matrix
CCM Domains
• Application and Interface Security
• Audit, Assurance and Compliance
• Business Continuity Management and Resilience
• Change Control and Configuration Management
• Data Security & Information Lifecycle Management
• Data Center Security
• Encryption and Key Management
• Governance and Risk Management
• Human Resources Security
• Identity and Access Management
• Infrastructure and Virtualization Security
• Interoperability and Portability
• Mobile Security
• Security Incident Management
• Supply Chain Management
• Threat and Vulnerability Management
04. CSA STAR Certification
Overview
• Rigorous 3rd party independent assessment
• Technology-neutral
• Integration of ISO 27001:2013 and the CSA CCM
• Designated an overall maturity score
Scope and Process
• Uniform with the ISMS
• The Assessors Grid
Scope and Process (continued)
• Management Approach
• Nonconformities and Impact
• Maturity Score and Award
• Registration
Benefits
• Complements ISO 27001 certification
• Increased market confidence
• Base maturity level
• Process improvement opportunities
• Increase overall maturity
Challenges
• ISO 27001 requirement
• Focus on management principles
• Extent of external deliverable
• Subjective score
Certificate
05. CSA STAR Attestation
Overview
• 3rd party independent security assessment
• Integration with SOC 2 examination and the CCM
• Testing operational effectiveness of 16 security domains
Scope
• Application and Interface Security
• Audit Assurance and Compliance
• Business Continuity Management and Operational Resilience
• Change Control and Configuration Management
• Data Security and Information Lifecycle Management
• Datacenter Security
• Encryption and Key Management
• Governance and Risk Management
• Human Resources
• Identity and Access Management
• Infrastructure and Virtualization
• Interoperability and Portability
• Mobile Security
• Security Incident Management, e-Discovery, and Cloud Forensics
• Supply Chain Management, Transparency, and Accountability
• Threat and Vulnerability Management
Benefits
• No prerequisites
• Design / operating effectiveness
• Review period of 6+ months
• Standalone / detailed report
• Integration with the CCM
• Easy comparability
Challenges
• Full disclosure of exceptions
• Backward-looking (retrospective) report
• No relevance after end of review period
Report
06. Preparing
Risk Assessment & Scope
• Define scope and boundaries
• Perform a risk assessment
• Include the CCM in risk treatment
• Assess project timeline
Readiness Assessment
• Internally
• Service auditors
Remediation
• Policies and procedures
• Segregation of duties
• Monitoring
Audit Firm Selection
• Licensed CPA firm
• Auditor certification
• STAR Certification registrar
• Independent
• Single vendor approach
• Audit team
07. Wrap-Up
It is just the beginning…
• Baseline in a dynamic environment
• Authoritative source
• Market need
• Trust and assurance with customers
• Leverage current compliance initiatives
JOIN US NEXT TIME:
HITRUST for Covered Entities and Business Associates, August 14th | schellmanco.com/resources