Cloud Service Providers (CSPs) offer services whose shared-responsibility model requires special attention to security. To address this, the Cloud Security Alliance (CSA) maintains the STAR program, built on its Cloud Controls Matrix (CCM), a framework that groups cloud-specific security controls into domains. A CSP realizes several benefits once it has been certified under the CSA STAR program:
- Assures your customers that you take security seriously.
- Provides an accurate snapshot of the current risks that the information security team should continue to monitor and seek to mitigate.
- Assists with compliance efforts against standards such as ISO 9001, ISO/IEC 27001, ISO/IEC 20000, and ISO 22301.
- Because an independent third-party auditing body performs the CSA STAR Certification, it carries more credibility with management, investors, and external stakeholders than a self-assessment does.
- A CSA STAR-certified company is given an actionable path to improving any security areas found to be weak or incomplete.
No set of protection measures is 100 percent effective against cyber attacks. However, the CSA STAR program offers your organization a comprehensive and actionable way to ensure that the data you store, manage and process is as well protected from a potential breach as possible.
CSA STAR Services
The CSA assessment looks at both the effectiveness and maturity of a CSP’s security posture. Specifically, it evaluates the following areas:
- The protocols and procedures in place to communicate with stakeholders in the event of a security incident
- The thoroughness of your organization’s documentation of security-related policies and procedures
- The extent of your security staff’s expertise and skill
- The effectiveness of your management team regarding security issues
- The tools you have put in place to monitor and measure your digital security
The first step toward becoming a CSA STAR-certified organization is to conduct a self-assessment, after which your team works to fix any flaws it identifies. At that point, you are ready for a full-scale third-party audit. Once certified, an organization is expected to keep documenting its security improvements, since certification is maintained through ongoing surveillance rather than granted once and for all.
The STAR framework consists of three levels of assurance designed to evaluate an organization’s data security controls and procedures:
- Level One: Self-assessment. A company publishes its own assessment of its security controls, its privacy controls, or both.
- Level Two: Third-party audit. The CSP's existing industry certification or audit (ISO/IEC 27001 for STAR Certification, SOC 2 for STAR Attestation) is extended with the cloud-specific controls of the CCM and assessed by an independent auditor.
- Level Three: Continuous auditing. Controls are monitored and reported on continuously rather than at a point in time.
It is this final level that provides the most thorough security evaluation and monitoring. Thanks to the stringent set of CSA STAR criteria, both CSPs and the customers who rely on them can be assured that security controls are robust, up to date, and as effective as possible at preventing data breaches.
CSA STAR Attestation
Organizations that complete a CSA STAR assessment at any of the three levels may publish their results in the Cloud Security Alliance's Security, Trust, and Assurance Registry (STAR). Stakeholders and prospective customers can consult this registry to judge the level of risk that a CSP's security controls and systems represent.
CSA STAR Attestation requires a rigorous third-party audit of a CSP's security controls and systems, built upon the SOC 2 Type 2 audit framework. It must be conducted by a Certified Public Accountant (CPA) who holds the CSA Certificate of Cloud Security Knowledge (CCSK). The attestation combines the criteria from the AICPA's Trust Services Principles (security, availability, confidentiality, processing integrity, and privacy) with the 16 security domains of the CSA's Cloud Controls Matrix (CCM). After a review period that typically covers at least six months of operation, the auditor issues a detailed report describing the CSP's system, the applicable criteria, the controls in place, the tests the auditor applied, and the results.
The report can be shared with potential customers to demonstrate the organization's commitment to comprehensive information security. Unlike STAR Certification, STAR Attestation has no prerequisite such as ISO 27001 certification.
How Is CSA STAR Different from ISO 27001?
ISO 27001 and CSA STAR both assess the security of information systems, but there are several differences between the two. For one thing, ISO 27001, like the other standards in its class, covers organizational information security in general, centering on the establishment and operation of an information security management system (ISMS).
By contrast, STAR relates specifically to the security practices and controls of organizations providing or consuming cloud computing services. Structurally, ISO 27001 consists of management-system clauses specifying how the ISMS is to be established, operated and improved, together with Annex A, a catalogue of the security controls that protect it.
CSA STAR uses two documents, the Consensus Assessments Initiative Questionnaire (CAIQ) and the Cloud Controls Matrix (CCM), that cover the types of security controls a cloud-based organization should put in place. To receive ISO 27001 certification, an ISMS must be audited by an accredited third-party certification body. Similarly, an approved outside auditor must grant certification against the CSA STAR criteria. Despite their differences, both lead to greater transparency, visibility, and assurance regarding an organization's security posture.