Information Security Exchange

Post on 06-Jul-2020

Page 1: Information Security Exchange · The Cloud Controls Matrix (CCM) •Technology-neutral framework of controls •Aligns to multiple IS frameworks and methodologies •V1.4 98 Controls

Information Security Exchange


The CSA-STAR Certification

The CSP Differentiator

Mike Edwards

29 April 2014


Copyright © 2013 BSI. All rights reserved. 3

Content

• Who is BSI?

• Who is the CSA?

• What is CSA-STAR?

• The Open Certification Framework (OCF)

• The Cloud Controls Matrix (CCM)

• Management Capability Model

• CSA-STAR Certification process

• Why certify?


Who is BSI – 10 fast facts


Who is the CSA?

• Founded in 2008 as a not-for-profit organization

• Undertakes numerous research and lobbying activities on the importance of secure cloud infrastructure

• Global network of regional chapters, with members ranging from corporate to individual level


CSA Corporate Members


What is the CSA-STAR?

• Launched November 2011

• Encourages transparency of security practices

• Free publicly available registry

• Open to all Cloud Service Providers

• Makes security capabilities a market differentiator


Open Certification Framework (OCF)

• Publicly available:

• Open Certification Framework

• Self Assessment

• Certification

• Attestation

• Continuous


The Cloud Controls Matrix (CCM)

• Technology-neutral framework of controls

• Aligns to multiple IS frameworks and methodologies

• V1.4 98 Controls in 11 domains

• V3.0 136 controls in 16 domains

• V3.0.1 to include ISO/IEC 27001:2013 alignment – at peer review

• Provides structured security tailored to the cloud industry


The Management Capability Score

Score Descriptor

1 – 3 No Formal Approach

4 – 6 Reactive Approach

7 – 9 Proactive Approach

10 – 12 Improvement Based Approach

13 – 15 Optimizing Approach


Management Capability Model


The CSA-STAR Certification process

• Controls decided upon

• Score out of 15

• All preceding levels must be achieved

• Assess over 16 domains

• The lowest control score within each domain is that domain's score in the final scoring

• The average of the 16 domain scores gives the maturity score
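The scoring rule on this slide (score each control 1–15, take the lowest control score in each domain, average the 16 domain scores) worked through in code. This is an added example, not part of the presentation or any BSI/CSA tooling; the domain names and control scores are constructed sample data, the descriptor bands are taken from the Management Capability Score slide, and flooring a fractional average before banding it is an assumption, since the slides do not say how that case is handled.

```python
from __future__ import annotations
from statistics import mean

# Descriptor bands from the Management Capability Score slide: (low, high, descriptor).
BANDS = [
    (1, 3, "No Formal Approach"),
    (4, 6, "Reactive Approach"),
    (7, 9, "Proactive Approach"),
    (10, 12, "Improvement Based Approach"),
    (13, 15, "Optimizing Approach"),
]
EXPECTED_DOMAINS = 16  # CCM v3.0: 136 controls in 16 domains


def descriptor(score: float) -> str:
    """Map a 1-15 score to its band. Assumption: a fractional average is floored first."""
    s = int(score)
    for low, high, name in BANDS:
        if low <= s <= high:
            return name
    raise ValueError(f"score {score} is outside the 1-15 scale")


def domain_score(control_scores: list[int]) -> int:
    """A domain is scored on its weakest control, so one low control pulls the whole domain down."""
    if not control_scores:
        raise ValueError("domain has no scored controls")
    for s in control_scores:
        if not isinstance(s, int) or not 1 <= s <= 15:
            raise ValueError(f"control score {s!r} must be an integer from 1 to 15")
    return min(control_scores)


def maturity_score(domains: dict[str, list[int]]) -> tuple[float, str]:
    """Average of the 16 domain scores (rounded to 2 places) plus the descriptor for that average."""
    if len(domains) != EXPECTED_DOMAINS:
        raise ValueError(f"expected {EXPECTED_DOMAINS} domains, got {len(domains)}")
    per_domain = {name: domain_score(scores) for name, scores in domains.items()}
    avg = round(mean(per_domain.values()), 2)
    return avg, descriptor(avg)


# Constructed sample: 16 placeholder domains, all scored 10-12 except one domain with a single weak control.
SAMPLE = {f"DOMAIN-{i:02d}": [11, 12, 10] for i in range(1, 16)}
SAMPLE["DOMAIN-16"] = [12, 3, 11]  # the 3 becomes this domain's score

if __name__ == "__main__":
    score, band = maturity_score(SAMPLE)
    print(f"maturity score {score} -> {band}")
```

With the sample data the single control scored 3 drags the average from the Improvement Based band down to 9.56, Proactive Approach, which is the point of the "lowest score per domain" rule.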


Award structure


CSA-STAR Certification process

• Certificate issued to successful client

• Certificate valid for three years and subject to same auditing process as ISO/IEC 27001 certificate


CSA-STAR Certification requirements

• Must have a valid ISO/IEC 27001 certificate with an accredited certification body

• Scope for CSA-STAR can differ from ISO/IEC 27001 – but must be subset of it

• Auditing requirements for CSA-STAR are the same as for ISO/IEC 27001: if you need 5 days for ISO/IEC 27001, an additional 5 days are required to certify to CSA-STAR

• Certificates can run on different cycles – ISO/IEC 27001 certificate must remain in date


Initial Certification Audit: Stages 1 & 2


Why certify?

• It gives a prospective customer of the certified organization a greater understanding of the level of control that the organization they are buying from has in place

• Highlights areas where an organization might wish to improve

• Ensures the CCM does not become merely the minimum requirement; through the capability model it also highlights what best-in-class performance looks like

• Internal (business improvement) and external (customer reassurance and transparency) reasons for auditing to a management capability model

• One of the key objectives of the scheme is to ensure the scope of the Cloud Service Provider is fit for purpose and SLA driven (Customer Focused)


ISO/IEC 27001, CCM & maturity – A match made in heaven (or at least the clouds!)

• ISO/IEC 27001 requires the organization to evaluate their customers’ requirements and expectations, and their contractual requirements. It requires that they have implemented a system to achieve this.

• ISO/IEC 27001 requires the organization to have conducted a risk analysis that identifies the risks to meeting their customer’s expectations.

• The Cloud Controls Matrix requires the organization to address the specific issues that are critical to cloud security.

• The maturity model assesses how well managed activities in the control areas are.

• No certification can ever guarantee information is 100% secure; however, ISO/IEC 27001 certification and CSA-STAR certification ensure that an organization has an appropriate system for the type of information it is dealing with, and that the system is well managed and focused on cloud-specific concerns.


Any questions?


Contact us

Address: BSI Group Kitemark Court Davy Avenue, Knowlhill Milton Keynes, MK5 8PP United Kingdom

Telephone: +44 845 086 9000

Email: [email protected]

Links: www.bsigroup.co.uk/training
