The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment.
CSA STAR Levels (3 Levels of Assurance)
CSA STAR Self-Assessment is a complimentary offering that documents the security controls provided by various cloud computing offerings, thereby helping users assess the security of cloud providers they currently use or are considering using. Cloud providers submit a completed Consensus Assessments Initiative Questionnaire (CAIQ) to document compliance with the Cloud Controls Matrix (CCM). This information then becomes publicly available, promoting industry transparency and providing customer visibility into specific provider security practices.
STAR Self-Assessments are updated annually.
A CSP that has used a CAIQ to achieve a Self-Assessment (a point-in-time assessment) can achieve STAR Continuous Level 1 by submitting a Continuous Self-Assessment: the self-assessment is updated every 30 days instead of annually, demonstrating the effectiveness of controls over a period of time rather than at a single moment.
The Code Self-Assessment consists of the voluntary publication on the STAR Registry of two documents:
The Code Self-Assessment covers the GDPR compliance of the service(s) offered by a CSP. After the relevant document is published on the Registry, the company receives a Compliance Mark valid for 1 year. The Self-Assessment shall be revised every time there is a change to the company policies or practices related to the service under assessment.
Level 2 of STAR allows organizations to build on other industry certifications and standards and make them specific to the cloud.
CSA STAR Attestation
CSA STAR Attestation is a collaboration between CSA and the AICPA to provide guidelines for CPAs to conduct SOC 2 engagements using criteria from the AICPA (Trust Service Principles, AT 101) together with the CSA Cloud Controls Matrix. STAR Attestation provides rigorous, independent third-party assessments of cloud providers. Attestation listings expire after one year unless updated.
CSA STAR Certification
The CSA STAR Certification is a rigorous third-party independent assessment of the security of a cloud service provider. The technology-neutral certification leverages the requirements of the ISO/IEC 27001:2013 management system standard together with the CSA Cloud Controls Matrix. Certification certificates follow normal ISO/IEC 27001 protocol and expire after three years unless updated.
Continuous Option
A CSP that holds a third-party certification or attestation can achieve STAR Level 2 Continuous by adding a Continuous Self-Assessment, as in STAR Level 1. The assessor will also ensure that the scope of the assessment includes STAR Continuous and will assess the CSP's CAIQ submissions over the term since the previous surveillance or re-certification visit. For STAR Attestation, a Limited Assurance Report will be conducted to bridge the period between two attestation reports; it provides a narrative in the audit report describing the activities performed by the assessor that confirm the CSP met the STAR Continuous requirements.
CSA C-STAR Assessment
The CSA C-STAR Assessment is a robust, independent third-party assessment of the security of a cloud service provider for the Greater China market that harmonizes CSA best practices with Chinese national standards. C-STAR leverages the requirements of the GB/T 22080-2008 management system standard together with the CSA Cloud Controls Matrix, plus 29 related controls selected from GB/T 22239-2008 and GB/Z 28828-2012. Certification certificates expire after three years unless updated.
GDPR Code of Conduct Certification
The GDPR CoC Certification is a third-party certification assuring compliance of a CSP's services with GDPR, based on the CSA Code of Conduct for GDPR.
After the relevant document is published on the Registry, the company receives a Compliance Mark valid for 1 year. The Self-Assessment shall be revised every time there is a change to the company policies or practices related to the service under assessment.
Full Cloud Assurance and Transparency "CSA STAR Level 3"
If your organization operates in a high-risk environment, we recommend pursuing STAR Level 3.
CSA STAR CONTINUOUS MONITORING - Coming Soon
A CSP is most transparent when a continuous, automated process ensures that its security controls are monitored and validated at all times. Each control framework consists of multiple controls, each designed to give assurance that a requirement is fulfilled.
When preparing for continuous auditing, each of those controls is described via its characterizing objectives, namely a Service Level Objective (SLO), which is quantitative, and a Service Qualitative Objective (SQO), which is qualitative.
Data collection is driven by the metric chosen to provide input about an attribute of the control. Automated assessment is mostly driven by monitoring tools such as log analytics, network statistics and monitoring, process statistics, or resource utilization.
In the evaluation phase, the compliance status against the certification goal is determined by evaluating the controls against their objectives. The result of the evaluation is published and affirmed by a third party according to the targeted level of assurance, and results in the issuing of a certificate.
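The pipeline described above (control, objectives, metric-driven data collection, evaluation) can be made concrete with a small evaluator. The following is an added illustration and is not code from CSA or from the STAR Continuous program; the control identifiers, SLO thresholds, attestation names and the monitoring export lines are all constructed placeholders, not real CCM controls or CSA-published objectives.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Added example: a minimal continuous-assessment evaluator following the
# control -> objective (SLO / SQO) -> metric -> evaluation pipeline.  Control ids,
# thresholds and monitoring data are constructed placeholders, not real CCM
# controls or CSA-published objectives.

@dataclass
class Control:
    control_id: str
    description: str
    slo_metric: Optional[str] = None     # quantitative metric the SLO is measured on
    slo_max: Optional[float] = None      # SLO: every in-window observation must be <= slo_max
    sqo_checks: List[str] = field(default_factory=list)  # SQO: yes/no attestations that must hold

@dataclass
class Observation:
    metric: str
    timestamp: datetime
    value: float

def parse_export(text: str) -> List[Observation]:
    """Parse constructed monitoring-export lines of the form
    '<ISO timestamp> <metric> <value>' into Observations."""
    observations = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, metric, value = line.split()
        observations.append(Observation(metric, datetime.fromisoformat(ts), float(value)))
    return observations

def evaluate_control(control: Control, observations: List[Observation],
                     attestations: Dict[str, bool], now: datetime,
                     window: timedelta) -> Dict[str, object]:
    """Determine one control's status over the period [now - window, now].

    Fails closed: a missing attestation or an empty metric window is never
    reported as compliant."""
    reasons: List[str] = []
    if control.slo_metric is not None:
        since = now - window
        in_window = [o for o in observations
                     if o.metric == control.slo_metric and since <= o.timestamp <= now]
        if not in_window:
            return {"status": "insufficient-data",
                    "reasons": [f"no {control.slo_metric} observations in window"]}
        for o in in_window:
            if o.value > control.slo_max:
                reasons.append(f"{o.metric}={o.value} exceeds SLO {control.slo_max} "
                               f"on {o.timestamp.date()}")
    for check in control.sqo_checks:
        if attestations.get(check) is not True:
            reasons.append(f"SQO attestation '{check}' missing or false")
    return {"status": "non-compliant" if reasons else "compliant", "reasons": reasons}

def run_assessment(controls: List[Control], export_text: str, attestations: Dict[str, bool],
                   now: datetime, window: timedelta) -> Dict[str, Dict[str, object]]:
    """Evaluate every control in the framework against the collected data."""
    observations = parse_export(export_text)
    return {c.control_id: evaluate_control(c, observations, attestations, now, window)
            for c in controls}

def overall_status(results: Dict[str, Dict[str, object]]) -> str:
    """The framework passes only if every control passes; missing data blocks a pass."""
    statuses = {r["status"] for r in results.values()}
    if "non-compliant" in statuses:
        return "non-compliant"
    if "insufficient-data" in statuses:
        return "insufficient-data"
    return "compliant"

# Constructed sample framework: three placeholder controls.
CONTROLS = [
    Control("CTRL-PATCH", "Critical patches applied within the SLO",
            slo_metric="patch_latency_days", slo_max=30.0),
    Control("CTRL-MFA", "Administrative access requires MFA",
            sqo_checks=["mfa_policy_enforced"]),
    Control("CTRL-LOG", "Security log pipeline delivers events promptly",
            slo_metric="log_ingest_lag_minutes", slo_max=15.0),
]

# Constructed monitoring export; the January line falls outside the 30-day window.
MONITORING_EXPORT = """
2024-03-01T00:00:00 patch_latency_days 12
2024-03-10T00:00:00 patch_latency_days 27
2024-03-20T00:00:00 patch_latency_days 9
2024-03-15T00:00:00 log_ingest_lag_minutes 4
2024-03-25T00:00:00 log_ingest_lag_minutes 22
2024-01-05T00:00:00 log_ingest_lag_minutes 90
"""
ATTESTATIONS = {"mfa_policy_enforced": True}   # constructed SQO evidence
NOW = datetime(2024, 3, 30)
WINDOW = timedelta(days=30)

if __name__ == "__main__":
    results = run_assessment(CONTROLS, MONITORING_EXPORT, ATTESTATIONS, NOW, WINDOW)
    for control_id, result in results.items():
        print(control_id, result["status"], *result["reasons"], sep="  ")
    print("overall:", overall_status(results))
```

Two design choices matter for an assessor reading the output: the evaluation fails closed (an attestation that is absent, or a metric with no observations inside the window, can never yield "compliant"), and the window is applied per control, so stale observations such as the January log-lag entry cannot mask or cause a breach. With the constructed data, CTRL-PATCH and CTRL-MFA evaluate as compliant, while CTRL-LOG is non-compliant because one in-window observation exceeds the SLO.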
Securenass will help your organisation with assessing, planning for and complying with the CSA STAR Levels.