Guidance Document Auditing the Cloud Controls Matrix

  • Date:12 Sep 2020
  • Pages:13
  • Size:742.88 KB

Transcription:

CLOUD SECURITY ALLIANCE STAR Certification Guidance Document: Auditing the Cloud Controls Matrix

2013 Cloud Security Alliance. All Rights Reserved. Valid at time of printing.

All rights reserved. You may download, store, display on your computer, view, print and link to the STAR Certification Guidance Document Auditing the Cloud Controls Matrix at http://www.cloudsecurityalliance.org/star subject to the following: (a) the Guidance may be used solely for your personal, informational, non-commercial use; (b) the Guidance may not be modified or altered in any way; (c) the Guidance may not be redistributed; and (d) the trademark, copyright or other notices may not be removed. You may quote portions of the Guidance as permitted by the Fair Use provisions of the United States Copyright Act, provided that you attribute the portions to the STAR Certification Guidance Document Auditing the Cloud Controls Matrix 2013.

Contents
1 Introduction (page 4)
2 How does this process provide reassurance to a client of the certified organisation? (page 4)
3 Assigning a score to an organisation (page 4)
4 The assessor's grid (page 6)
5 How will an assessor use this grid? (page 8)
6 How would an assessor approach scoring a control area? (page 8)
7 What type of certificate will a client get? (page 9)
8 Example of how an assessor might audit a control area (page 10)

1 Introduction

The purpose of this document is to provide guidance to certified bodies and associated organizations that are performing audits or supporting certification activities related to STAR certification.

STAR certification and the associated management capability model:
1 Give a prospective customer of the certified organization a greater understanding of the level of control that the organization has in place.
2 Highlight areas where an organization might wish to improve.
3 Ensure that the Cloud Controls Matrix (CCM) does not become the minimum requirement but, through the model, also characterizes best-in-class performance.

Therefore there are both internal business improvement and external customer reassurance and transparency reasons for auditing to a management capability model.

One of the key objectives of the scheme is to ensure that the scope of the cloud service provider fits the consumer's needs and is service level agreement (SLA) driven.

2 How does this process provide reassurance to a client of the certified organization?

ISO 27001 requires the organization to evaluate their customers' requirements and expectations as well as contractual requirements. As a result it requires that the organization has implemented a system to achieve this evaluation.

ISO 27001 requires the organization to conduct a risk analysis that identifies the risks to meeting their customers' expectations.

The CCM requires the organization to address the specific issues that are critical to cloud security.

The Maturity Model assesses how well managed activities in the control areas are.

No certification can ever guarantee information is 100% secure; however, ISO 27001 certification and STAR certification ensure that an organization has an appropriate system for the type of information it is dealing with, that it is well managed and that it is focused on cloud-specific concerns.

3 Assigning a score to an organization

An organization must demonstrate that it has all of the controls in place and is operating effectively before an assessment of the management capability around the controls can occur. If the organization has a major nonconformity against any of the controls in the control area the maximum score achievable for that control

When an organization is audited a Management Capability Score will be assigned to each of the control areas in the CCM. This will indicate the capability of the management to ensure that the control is operating effectively in this area. The 11 control areas in CCM version 1.4 are listed below.

CONTROL AREAS
1 Compliance
2 Data Governance
3 Facility Security
4 Human Resources
5 Information Security
7 Operations Management
8 Release Management
9 Resiliency
10 Risk Management
11 Security Architecture

The management capability of the controls will be scored on a scale of 1-15. These scores have been divided into five different categories that describe the type of approach characteristic of each group of scores.

SCORE    DESCRIPTOR
1-3      No Formal Approach
4-6      Reactive Approach
7-9      Proactive Approach
10-12    Improvement Based Approach
13-15    Optimising Approach

When assigning a score to a control area the five factors below will be considered. The lowest score against any one of those five factors will be the score awarded for the control area.
1 Communication and Stakeholder Engagement
2 Policies, Plans and Procedures and a Systematic Approach
3 Skills and Expertise
4 Ownership, Leadership and Management
5 Monitoring and Measuring

In summary, there are a number of control areas on the CCM that will each be awarded a management capability score on a scale of 1-15. To decide what the score is, each control area will be considered against five capability factors.

4 The assessor's grid

In order to make it possible for an assessor to consistently apply a score to the control area, the grid below outlines what would be required of an organization to achieve each score.

5 How will an assessor use this grid?

This grid should be used to assign an overall score to each of the control areas in the CCM (e.g. data governance or facilities security). The Maturity Model aims to assess the maturity of the management processes in place around the controls. In most cases an organization will apply a common management approach across all of the controls in a control area. Therefore one maturity score will be applicable to the whole control area. In cases where multiple management approaches are taken, different controls in the same control area could be awarded different scores. In this circumstance the lowest score should be taken. When a maturity score is applied to the whole control area it is easier to justify the maturity level, as described in the scenario below.

Individual controls are too specific to make it possible to assign a level to them in isolation. Consider for example DG-06: "Production data shall not be replicated or used in non-production environments." This control would not require much in the way of skills or training or leadership. However, if you look across the full range of data governance controls there is scope to assess the majority of the factors on this matrix. Take for example DG-01: "All data shall be designated with stewardship with assigned responsibilities defined, documented and communicated." This control would allow an assessor the opportunity to evaluate the capability of a number of factors that could not be ascertained just by looking at DG-06.

6 How does an assessor approach scoring a control area?

1 The assessor will look at all of the controls in the control area to ensure that, based on the risk assessment, the organization had implemented the appropriate controls. If a control was not directly addressed the client would need to demonstrate why it was not covered, through their risk assessment or statement of applicability or through compensating controls.
2 The assessor will decide which of the five factors could be applied to the controls in the control area. All factors are applicable to most control areas in most organizations, but in some circumstances only some of the factors should be considered.
3 The assessor will look for evidence of the organization's capability to manage these factors.
   a It is expected that similar management structures will span all of the individual controls within a control area. However, if there are significantly different management approaches in the control area the organization will be awarded the score for the weakest management approach. There are more likely to be multiple management approaches in place in the information security control area.
4 In order to achieve a certain score all of the lower levels must be achieved first. For example, if an organization misses a vital element at the lower levels of the model they will receive a low score even if they have some of the higher level attributes in place.
5 The client will be awarded the lowest score they achieved for any of the factors assessed against the control area, e.g. if they score 11 for leadership, 9 for communication and 4 for skills, the score for the control area is 4.
6 If a client has a major NCR [1] in the area the maximum possible score will be 6.
7 The assessor will then move on to the next control area.
8 Once the assessor has assessed all of the control areas there will be 11 scores if assessed using v1.4 of
9 The average score will be used to assign the overall level for the client.
10 The organization's report will highlight what level of maturity their system has achieved.

Notes: Due to the way the controls are structured, an organization that has all of the controls properly in place in the control area will score fairly highly on the controls matrix. For example, in the risk management control area RI-01 states: "Organizations shall develop and maintain an enterprise risk management framework to manage risk to an acceptable level." This can be assessed against most of the factors of the maturity model and could be a sophisticated, high-scoring implementation, or it could be poorly managed, achieving a low score. However, as you look at the other controls in this control area they are more specific and more detailed about what is required. Consider for example: "Risks shall be mitigated to an acceptable level. Acceptance levels based on risk criteria shall be established and documented in accordance with reasonable resolution time frames and executive approval." This is characteristic of the higher management capability levels of the model. Therefore it would be difficult for a client to have all of the CCM controls in place and not score relatively well.

7 What type of certificate will a client get?

A client will be awarded a certificate following the assessment [2]. Depending on the capability level they achieved they may get:
1 No award
2 A bronze award
3 A silver award
4 A gold award

The award is based on the average score received across the 11 control areas.
If the organization has an average score of less than 3 it will receive a certificate with no award.
If the organization has an average score between 3 and 6 it will receive a bronze award.
If the organization has an average score between 6 and 9 it will receive a silver award.
If the organization has an average score greater than 9 it will receive a gold award.

[1] NCR: Non-Conformance Report.
[2] In jurisdictions where the issuing of additional certificates is difficult, STAR certification may be included in the scope of the ISO 27001 certificate and it can be endorsed appropriately.

ISO 27001 is a management systems standard and by definition requires a systematic approach to managing an organization. Therefore if an organization is certified to ISO 27001 it is very unlikely that they would not achieve at least a bronze certificate.

8 Example of how an assessor might audit a control area

The facilities security control area is used here as an illustration because it is a relatively tangible example; there are actually eight controls in this area in v1.4. Only the first four are examined here.

The description below is a simplified example of how an assessor might audit the control. It is not supposed to describe in detail what an assessor would do. The approach would vary considerably depending on the type of organization being audited. The approach would be framed by the organization's analysis of its customers' expectations and contractual requirements that comes from ISO 27001, and the organization's overall information security risk analysis that comes from ISO 27001.

Control ID | Description
Facility Security - User Access | Policies and procedures shall be established for maintaining a safe and secure working environment in offices, rooms, facilities and secure areas.
Facility Security - User Access | Physical access to information assets and functions by users and support personnel shall be restricted.
Facility Security - Controlled (FS-03) | Physical security perimeters (fences, walls, barriers, guards, gates, electronic surveillance, physical authentication mechanisms, reception desks and security patrols) shall be implemented to safeguard sensitive data and information.
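The scoring rules in sections 3, 6 and 7 (lowest applicable factor per control area, the cap of 6 for a major NCR, the average across the 11 control areas and the award bands) written out as a small calculator. This is an added example, not CSA tooling; the text does not say which award an average of exactly 6 or 9 receives, so the code assumes an exact boundary value takes the lower award, and the factor names and the sample scores are constructed here.

```python
# Added example (not CSA's own tooling): the Management Capability scoring
# rules from sections 3, 6 and 7 above as code. Assumption: the text does not
# say where an average of exactly 6 or 9 falls; here it takes the lower award.
from statistics import mean

FACTORS = ("communication", "policies", "skills", "ownership", "monitoring")
MAJOR_NCR_CAP = 6  # a major NCR caps the control area score at 6 (step 6)
DESCRIPTORS = (    # lowest score in each band -> descriptor (section 3)
    (13, "Optimising Approach"), (10, "Improvement Based Approach"),
    (7, "Proactive Approach"), (4, "Reactive Approach"), (1, "No Formal Approach"),
)
# Constructed sample: the page's own step 5 example (11, 9 and 4 -> area score 4)
SAMPLE_AREA = {"ownership": 11, "communication": 9, "skills": 4}

def descriptor(score: int) -> str:
    """Map a 1-15 score to its band descriptor."""
    if not 1 <= score <= 15:
        raise ValueError(f"score out of range: {score}")
    return next(name for low, name in DESCRIPTORS if score >= low)

def control_area_score(factor_scores: dict, major_ncr: bool = False) -> int:
    """Lowest factor score wins (step 5). Only the factors the assessor judged
    applicable need be present (step 2). A major NCR caps the result at 6."""
    if not factor_scores or set(factor_scores) - set(FACTORS):
        raise ValueError(f"unknown or missing factors: {set(factor_scores)}")
    for name, s in factor_scores.items():
        if not 1 <= s <= 15:
            raise ValueError(f"{name}: score {s} not in 1-15")
    score = min(factor_scores.values())
    return min(score, MAJOR_NCR_CAP) if major_ncr else score

def award(area_scores: list) -> str:
    """Average across the control areas (11 in CCM v1.4) -> award (section 7)."""
    avg = mean(area_scores)
    if avg < 3:
        return "No award"
    if avg <= 6:  # "between 3 and 6"; exact 6 treated as bronze (assumption)
        return "Bronze"
    if avg <= 9:  # "between 6 and 9"; gold requires strictly greater than 9
        return "Silver"
    return "Gold"

def assess(areas: dict) -> dict:
    """areas: {area: (factor scores, has_major_ncr)} -> per-area results + award."""
    scored = {n: control_area_score(f, ncr) for n, (f, ncr) in areas.items()}
    return {"areas": {n: (s, descriptor(s)) for n, s in scored.items()},
            "average": round(mean(scored.values()), 2),
            "award": award(list(scored.values()))}

if __name__ == "__main__":
    print(assess({"Risk Management": (SAMPLE_AREA, False)}))
```

Note that step 4 (all lower levels must be achieved before a higher score counts) is an assessor judgement applied before a factor score is entered and is not modelled here.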