CSA Attestation - OCF Level 2
CSA CCM Control Domain 1 - Application & Interface Security controls: Application Security, Customer Access Requirements, Data Integrity, Data Security / Integrity
References:AIS-01, AIS-02, AIS-03, AIS-04
CSA CCM Control Domain 2 - Audit Assurance & Compliance controls: Audit Planning, Independent Audits, Information System Regulatory Mapping
References:AAC-01, AAC-02, AAC-03
CSA CCM Control Domain 3 - Business Continuity Management & Operational Resilience controls: Business Continuity Planning, Business Continuity Testing, Datacenter Utilities / Environmental Conditions, Documentation, Environmental Risks, Equipment Location, Equipment Maintenance, Equipment Power Failures, Impact Analysis, Policy, Retention Policy
References:BCR-01, BCR-02, BCR-03, BCR-04, BCR-05, BCR-06, BCR-07, BCR-08, BCR-09, BCR-10, BCR-11
CSA CCM Control Domain 4 - Change Control & Configuration Management controls: New Development / Acquisition, Outsourced Development, Quality Testing, Unauthorized Software Installations, Production Changes
References:CCC-01, CCC-02, CCC-03, CCC-04, CCC-05
CSA CCM Control Domain 5 - Data Security & Information Lifecycle Management controls: Classification, Data Inventory / Flows, eCommerce Transactions, Handling / Labeling / Security Policy, Non-Production Data, Ownership / Stewardship, Secure Disposal
References:DSI-01, DSI-02, DSI-03, DSI-04, DSI-05, DSI-06, DSI-07
CSA CCM Control Domain 6 - Datacenter Security controls: Asset Management, Controlled Access Points, Equipment Identification, Off-Site Authorization, Off-Site Equipment, Policy, Secure Area Authorization, Unauthorized Persons Entry, User Access
References:DCS-01, DCS-02, DCS-03, DCS-04, DCS-05, DCS-06, DCS-07, DCS-08, DCS-09
CSA CCM Control Domain 7 - Encryption & Key Management controls: Entitlement, Key Generation, Sensitive Data Protection, Storage and Access
References:EKM-01, EKM-02, EKM-03, EKM-04
CSA CCM Control Domain 8 - Governance and Risk Management controls: Baseline Requirements, Data Focus Risk Assessments, Management Oversight, Management Program, Management Support/Involvement, Policy, Policy Enforcement, Policy Impact on Risk Assessments, Policy Reviews, Risk Assessments, Risk Management Framework
References:GRM-01, GRM-02, GRM-03, GRM-04, GRM-05, GRM-06, GRM-07, GRM-08, GRM-09, GRM-10, GRM-11
CSA CCM Control Domain 9 - Human Resources controls: Asset Returns, Background Screening, Employment Agreements, Employment Termination, Mobile Device Management, Non-Disclosure Agreements, Roles / Responsibilities, Technology Acceptable Use, Training / Awareness, User Responsibility, Workspace
References:HRS-01, HRS-02, HRS-03, HRS-04, HRS-05, HRS-06, HRS-07, HRS-08, HRS-09, HRS-10, HRS-11
CSA CCM Control Domain 10 - Identity & Access Management controls: Audit Tools Access, Credential Lifecycle / Provision Management, Diagnostic / Configuration Ports Access, Policies and Procedures, Segregation of Duties, Source Code Access Restriction, Third Party Access, Trusted Sources, User Access Authorization, User Access Reviews, User Access Revocation, User ID Credentials, Utility Programs Access
References:IAM-01, IAM-02, IAM-03, IAM-04, IAM-05, IAM-06, IAM-07, IAM-08, IAM-09, IAM-10, IAM-11, IAM-12, IAM-13
CSA CCM Control Domain 11 - Infrastructure & Virtualization Security controls: Audit Logging / Intrusion Detection, Change Detection, Clock Synchronization, Information System Documentation, Vulnerability Management, Network Security, OS Hardening and Base Controls, Production / Non-Production Environments, Segmentation, VM Security - vMotion Data Protection, VMM Security - Hypervisor Hardening, Wireless Security, Network Architecture
References:IVS-01, IVS-02, IVS-03, IVS-04, IVS-05, IVS-06, IVS-07, IVS-08, IVS-09, IVS-10, IVS-11, IVS-12, IVS-13
CSA CCM Control Domain 12 - Interoperability & Portability controls: APIs, Data Request, Policy & Legal, Standardized Network Protocols, Virtualization
References:IPY-01, IPY-02, IPY-03, IPY-04, IPY-05
CSA CCM Control Domain 13 - Mobile Security controls: Anti-Malware, Application Stores, Approved Applications, Approved Software for BYOD, Awareness and Training, Cloud Based Services, Compatibility, Device Eligibility, Device Inventory, Device Management, Encryption, Jailbreaking and Rooting, Legal, Lockout Screen, Operating Systems, Passwords, Policy, Remote Wipe, Security Patches, Users
References:MOS-01, MOS-02, MOS-03, MOS-04, MOS-05, MOS-06, MOS-07, MOS-08, MOS-09, MOS-10, MOS-11, MOS-12, MOS-13 to MOS-20
CSA CCM Control Domain 14 - Security Incident Management, E-Discovery & Cloud Forensics controls: Contact / Authority Maintenance, Incident Management, Incident Reporting, Incident Response Legal Preparation, Incident Response Metrics
References:SEF-01, SEF-02, SEF-03, SEF-04, SEF-05
CSA CCM Control Domain 15 - Supply Chain Management, Transparency and Accountability controls: Data Quality and Integrity, Incident Reporting, Network / Infrastructure Services, Provider Internal Assessments, Supply Chain Agreements, Supply Chain Governance Reviews, Supply Chain Metrics, Third Party Assessment, Third Party Audits
References:STA-01, STA-02, STA-03, STA-04, STA-05, STA-06, STA-07, STA-08, STA-09
CSA CCM Control Domain 16 - Threat and Vulnerability Management controls: Anti-Virus / Malicious Software, Vulnerability / Patch Management, Mobile Code
References:TVM-01, TVM-02, TVM-03