IT Governance is an approved G-Cloud supplier. Our Cloud security compliance readiness assessment and remediation consultancy service gives you an objective assessment of your compliance with the 14 Cloud Security Principles (14 CSPs), the Cloud Security Alliance’s Cloud Controls Matrix (CSA CCM) or the Cloud Security Alliance’s Security, Trust and Assurance Registry (CSA STAR).
Benefits of adoption
Both the 14 CSPs and the CSA CCM are applicable to and highly recommended for any organisation offering Cloud services. The frameworks are also applicable to organisations that use the Cloud for internal hosting of corporate data or services.
Compliance with either of these standards is achieved by adopting appropriate controls to meet the specified criteria defined within each framework.
Compliance requires a systematic review of your Cloud services and processes, covering how the Cloud infrastructure is managed and how data is handled across its lifecycle.
The 14 CSPs
The 14 CSPs are defined by the National Cyber Security Centre (NCSC) and provide a comprehensive set of security principles for operating within the Cloud:
- 1. Data in transit protection
- 2. Asset protection and resilience
- 3. Separation between users
- 4. Governance framework
- 5. Operational security
- 6. Personnel security
- 7. Secure development
- 8. Supply chain security
- 9. Secure user management
- 10. Identity and authentication
- 11. External interface protection
- 12. Secure service administration
- 13. Audit information for users
- 14. Secure use of the service
The CSA CCM
The CSA CCM is a controls framework that sets out the security concepts and principles of the CSA guidance in detail, organised across 16 domains:
- 1. Application & Interface Security
- 2. Audit Assurance & Compliance
- 3. Business Continuity Management & Operational Resilience
- 4. Change Control & Configuration Management
- 5. Data Security & Information Lifecycle Management
- 6. Datacenter Security
- 7. Encryption & Key Management
- 8. Governance and Risk Management
- 9. Human Resources
- 10. Identity & Access Management
- 11. Infrastructure & Virtualization Security
- 12. Interoperability & Portability
- 13. Mobile Security
- 14. Security Incident Management, E-Discovery & Cloud Forensics
- 15. Supply Chain Management, Transparency and Accountability
- 16. Threat and Vulnerability Management
The CSA STAR
The CSA STAR is the industry’s most powerful programme for security assurance in the Cloud. STAR consists of three levels of assurance, which cover four unique offerings based on the Cloud-centric control objectives in the CSA CCM. The STAR programme includes a registry that documents the security controls provided by popular Cloud computing offerings.
The CSA STAR is offered in three levels:
Step 1: Level 1 – CSA STAR self-assessment
- a. Free and open to all Cloud providers, this allows them to submit self-assessment reports that document compliance with CSA-published best practices. The following can be used to demonstrate compliance:
- i. Consensus Assessments Initiative Questionnaire (CAIQ); or
- ii. The CSA CCM.
Step 2: Level 2
- a. CSA STAR attestation
- i. STAR attestation is an independent third-party assessment of the security of a Cloud service provider, based on a SOC 2 Type I or Type II attestation supplemented by the criteria in the CCM.
- b. CSA STAR certification
- i. STAR certification is an independent third-party assessment of the security of a Cloud service provider. The technology-neutral certification is based on the requirements of the ISO 27001 ISMS standard and the CSA CCM.
- c. CSA C-STAR assessment
- i. C-STAR assessment is an independent third-party assessment of the security of a Cloud service provider for the Greater China market, which harmonises CSA best practices with Chinese national standards.
Step 3: CSA STAR – continuous monitoring
- a. CSA STAR continuous monitoring will be based on a continuous auditing/assessment of relevant security properties. It will be built on the following CSA best practices/standards:
- i. CCM
- ii. Cloud Trust Protocol (CTP)
- iii. CloudAudit (A6)
The CSA STAR benefits
The CSA STAR provides a comprehensive framework for Cloud governance and security controls. It complements other standards, such as ISO 27001, to provide an effective, risk-based assessment of Cloud security risks and remediation strategies. The key benefits of certification:
- Provides top management with visibility of the Cloud estate so that they can evaluate the effectiveness of their management system in relation to the expectations of the Cloud security industry and ISO 27001.
- Implements an audit that is designed to reflect how well your organisation’s security objectives are aligned with the way you operate and optimise your Cloud services.
- Provides empirical evidence of your progress and performance levels via an independently validated award from an external certification body.
- Benchmarks your performance against your peers.
How IT Governance can help you
Our Cloud security compliance readiness assessment and remediation consultancy service begins with an on-site readiness assessment of your conformance to the requirements outlined by the 14 CSPs, the CSA CCM or the CSA STAR, focusing on your people, processes and technology.
It includes interviews with senior stakeholders within the organisation responsible for Cloud services, a high-level review of documentation, and a review of the information security management system (ISMS), technical controls and processes.
Following the readiness assessment, you will be given a detailed report highlighting the findings of our visit. This report will document non-compliances and areas of improvement that will need to be addressed in order to meet the requirements of the framework.
We can provide further consultancy support and advice to help remediate any identified gaps.
Typical consultancy delivery milestones
Cloud security readiness assessment (gap analysis)
- Project scoping
- Compliance review against the 14 CSPs, the CSA CCM or the CSA STAR
- Detailed readiness assessment report
- Project roadmap
Cloud security remediation consultancy
- Project scoping
- Help selecting suitable controls from the 14 CSPs, the CSA CCM or the CSA STAR
- Documentation compilation and review
- Audit against the control frameworks
- Penetration testing
- Architectural review