CSA STAR Certification
Elevate assists CSPs (Cloud Service Providers) in getting ready to obtain the CSA STAR Certification or the CSA STAR Attestation.
CSA STAR is the recognized program for positioning your organization as a trusted Cloud provider while improving your security maturity through best practices.
The Cloud Security Alliance (CSA) helps define the best practices for a secure cloud environment. CSA developed and operates the CSA Security, Trust, Assurance & Risk (STAR) Registry Program, widely known for its key principles: “transparency, rigorous auditing, and harmonization of standards”. Organizations that hold the CSA STAR Certification or Attestation signal that their cloud offerings follow best practices.
Criteria and Scoring
CSA STAR uses a “technology-neutral” approach that builds on the ISO/IEC 27001 control criteria and adds Cloud-specific controls drawn from best practices and leading standards and regulations. All these controls are mapped in the Cloud Controls Matrix (CCM).
The controls are classified into 16 Control Areas in the CCM:
- Audit Assurance and Compliance
- Application & Interface Security
- Business Continuity Management
- Change Control Management
- Data Center Security
- Data Security & Information Lifecycle
- Encryption and Key Management
- Governance and Risk Management
- Human Resources
- Identity and Access Management
- Interoperability & Portability
- Infrastructure and Virtualization Security
- Mobile Security
- Security Incident Management
- Supply Chain, Transparency & Accountability
- Threat and Vulnerability Management
CCM is currently the most widely used standard for Cloud security assurance and compliance, and it provides organizations with the structure, detail, and clarity they need regarding information security for their Cloud service.
CSPs can choose to pursue either a Certification or an Attestation. The difference is as follows:
CSA STAR Certificates are issued for a period of 3 years, and a current ISO/IEC 27001 Certification is required at the time the CSA STAR Certification is issued.
The Certification process follows the same protocol as ISO/IEC 27001; it is therefore a ‘point in time’ audit.
The STAR Attestation is an independent, third-party assessment of the security of a CSP that leverages the requirements of the SOC 2 framework (based on the AICPA Trust Services Principles (TSP)) in conjunction with the CCM. Pursuing the STAR Attestation allows organizations to demonstrate the suitability of the design and the operating effectiveness of their controls over a period of time, rather than at a point in time.
How Does Elevate Assist CSPs
We already help many CSPs prepare for ISO 27001 and SOC 2, and we know how to integrate CSA STAR into that readiness work. We can:
- Perform the Gap Analysis
- Provide recommendations and assist with implementation to increase the scoring
- Perform remediation activities (from policy development to technical configuration advisory)
- Be your ‘go-to’ trusted security advisor to improve your control environment