CSA Self Assessment - OCF Level 1

Part 1 - General information
CSA Self Assessment - OCF Level 1
OCF Level 1
Cloud Security Alliance (CSA)

The CSA STAR Program has two components: 1) the Open Certification Framework (OCF) Working Group, which defines the technical specifications for the certification and attestation schemes included in the STAR Program, and 2) the STAR Register, the public registry that provides the general public with information about the STAR Program and the results of the various certification assessments.

CSA STAR Self Assessment is one of the certification approaches offered in the STAR Program and is positioned at Level 1 of the OCF. The CSA STAR Program is under the direct control of the CSA. The CSA defines the technical specification of the Program based on input from the OCF WG. The OCF WG has a research charter that is updated periodically (every 12-18 months). The charter defines the objectives of the WG, the requirements to become a member and the voting procedure. Moreover, the CSA is supported by two advisory boards: the Governance, Risk and Compliance (GRC) Stack Steering Committee and the OCF Steering Committee (SC). These two steering committees provide strategic advice to the CSA and the OCF WG.

As the scheme owner, the CSA performs the following functions: 1) defines the technical specifications for the assessment/audit procedures; 2) defines the set of technical controls used during the assessment (the Cloud Controls Matrix); 3) defines the requirements, process and criteria for accrediting auditors to perform STAR Program related assessments; 4) periodically reviews the assessments performed by qualified auditors to verify the proper implementation of the scheme and conformity with the applicable code of ethics; 5) collects feedback and complaints from users. To maintain the necessary level of independence and separation of duties, the CSA is NOT involved in the audit process.
an organisation, one or more services, set of business processes

Part 2 - Underlying information security standard or best practices
STAR Self Assessment is based on the Cloud Controls Matrix and the Cloud Assessment Initiatives Questionnaire.
Cloud Security Alliance (CSA)
control objectives, detailed technical requirements, other (describe briefly)
Both the CCM and the CAIQ are structured in 16 domains. The CCM is composed of 133 security controls and the CAIQ is composed of 295 questions. The CAIQ questions are the ones asked to verify that a CCM control is implemented. There is no 1:1 correspondence between CCM controls and CAIQ questions, since in some cases more than one question is required to verify that a control exists.
PaaS, IaaS, SaaS, Organization (processes, policies)
public and free
yes (description below)
The CSA STAR Self Assessment is based on either the CSA Cloud Controls Matrix (CCM) or the Cloud Assessment Initiatives Questionnaire (CAIQ). The foundation of the CSA CCM rests on its customised relationship to other industry standards, regulations and controls frameworks such as ISO 27001:2013, COBIT 5.0, PCI DSS v3, AICPA 2014 Trust Service Principles and Criteria, NIST SP 800-53, ENISA IAF, HIPAA, Directive 95/46/EC and many others.
Ex.1
DOMAIN: Encryption & Key Management (EKM)
CCM Control: EKM-04 Storage and Access: Platform and data appropriate encryption (e.g., AES-256) in open/validated formats and standard algorithms shall be required. Keys shall not be stored in the cloud (i.e. at the cloud provider in question), but maintained by the cloud consumer or trusted key management provider. Key management and key usage shall be separated duties.
CAIQ Question(s):
EKM-4.1: Do you have platform and data appropriate encryption that uses open/validated formats and standard algorithms?
EKM-4.2: Are your encryption keys maintained by the cloud consumer or a trusted key management provider?
EKM-4.3: Do you store encryption keys in the cloud?
EKM-4.4: Do you have separate key management and key usage duties?

Ex.2
DOMAIN: Infrastructure & Virtualization Security
CCM Control: IVS-04 Capacity / Resource Planning: The availability, quality, and adequate capacity and resources shall be planned, prepared, and measured to deliver the required system performance in accordance with legal, statutory, and regulatory compliance obligations. Projections of future capacity requirements shall be made to mitigate the risk of system overload.
CAIQ Question(s):
IVS-04.1: Do you provide documentation regarding what levels of system (network, storage, memory, I/O, etc.) oversubscription you maintain and under what circumstances/scenarios?
IVS-04.2: Do you restrict use of the memory oversubscription capabilities present in the hypervisor?
IVS-04.3: Do your system capacity requirements take into account current, projected and anticipated capacity needs for all systems used to provide services to the tenants?
IVS-04.4: Is system performance monitored and tuned in order to continuously meet regulatory, contractual and business requirements for all the systems used to provide services to the tenants?
Part 3 - Assessments and certification of compliance
STAR Self Assessment is a self assessment. An organization can freely download the CAIQ and/or CCM from the CSA website, complete the due diligence questionnaire and then submit the results to the CSA for publication in the STAR Register. Publication of the self assessment results is free of charge.
N/A
N/A
other (describe briefly)
Self assessment is performed by the cloud service providers themselves and not by certified auditors.
yes (link below)
no
yes - provide a link to a self-assessment form
other (describe briefly)
Continuous monitoring is part of the OCF framework but not part of OCF Level 1. OCF Level 3, CSA STAR Continuous Monitoring, enables automation of the current security practices of cloud providers. Providers publish their security practices according to CSA formatting and specifications, and customers and tool vendors can retrieve and present this information in a variety of contexts.
yes - provide a link to an example
yes - provide a link to an example
yes (description below)
Reviewed every year based on relevant input provided by information security experts.
other (describe briefly)
No, the CSA STAR Self Assessment doesn't expire, but the date of publication is clearly stated so that customers can verify whether the self assessment results are still relevant.
Part 4 - Current adoption and usage
The CSA STAR Program and its underlying technical standards are globally and widely adopted by CSPs, cloud customers and governments.
92
global
global
Part 5 - Security objectives
Application & Interface Security
Description:

CSA CCM Control Domain 1 - Application & Interface Security controls: Application Security, Customer Access Requirements, Data Integrity, Data Security / Integrity

References:

AIS-01, AIS-02, AIS-03, AIS-04

Audit Assurance & Compliance
Description:

CSA CCM Control Domain 2 - Audit Assurance & Compliance controls: Audit Planning, Independent Audits, Information System Regulatory Mapping

References:

AAC-01, AAC-02, AAC-03

Business Continuity Management & Operational Resilience
Description:

CSA CCM Control Domain 3 - Business Continuity Management & Operational Resilience controls: Business Continuity Planning, Business Continuity Testing, Datacenter Utilities / Environmental Conditions, Documentation, Environmental Risks, Equipment Location, Equipment Maintenance, Equipment Power Failures, Impact Analysis, Policy, Retention Policy

References:

BCR-01, BCR-02, BCR-03, BCR-04, BCR-05, BCR-06, BCR-07, BCR-08, BCR-09, BCR-10, BCR-11

Change Control & Configuration Management
Description:

CSA CCM Control Domain 4 - Change Control & Configuration Management controls: New Development / Acquisition, Outsourced Development, Quality Testing, Unauthorized Software Installations, Production Changes

References:

CCC-01, CCC-02, CCC-03, CCC-04, CCC-05

Data Security & Information Lifecycle Management
Description:

CSA CCM Control Domain 5 - Data Security & Information Lifecycle Management controls: Classification, Data Inventory / Flows, eCommerce Transactions, Handling / Labeling / Security Policy, Non-Production Data, Ownership / Stewardship, Secure Disposal

References:

DSI-01, DSI-02, DSI-03, DSI-04, DSI-05, DSI-06, DSI-07

Datacenter Security
Description:

CSA CCM Control Domain 6 - Datacenter Security controls: Asset Management, Controlled Access Points, Equipment Identification, Off-Site Authorization, Off-Site Equipment, Policy, Secure Area Authorization, Unauthorized Persons Entry, User Access

References:

DCS-01, DCS-02, DCS-03, DCS-04, DCS-05, DCS-06, DCS-07, DCS-08, DCS-09

Encryption & Key Management
Description:

CSA CCM Control Domain 7 - Encryption & Key Management controls: Entitlement, Key Generation, Sensitive Data Protection, Storage and Access

References:

EKM-01, EKM-02, EKM-03, EKM-04

Governance and Risk Management
Description:

CSA CCM Control Domain 8 - Governance and Risk Management controls: Baseline Requirements, Data Focus Risk Assessments, Management Oversight, Management Program, Management Support/Involvement, Policy, Policy Enforcement, Policy Impact on Risk Assessments, Policy Reviews, Risk Assessments, Risk Management Framework

References:

GRM-01, GRM-02, GRM-03, GRM-04, GRM-05, GRM-06, GRM-07, GRM-08, GRM-09, GRM-10, GRM-11

Human Resources
Description:

CSA CCM Control Domain 9 - Human Resources controls: Asset Returns, Background Screening, Employment Agreements, Employment Termination, Mobile Device Management, Non-Disclosure Agreements, Roles / Responsibilities, Technology Acceptable Use, Training / Awareness, User Responsibility, Workspace

References:

HRS-01, HRS-02, HRS-03, HRS-04, HRS-05, HRS-06, HRS-07, HRS-08, HRS-09, HRS-10, HRS-11

Identity & Access Management
Description:

CSA CCM Control Domain 10 - Identity & Access Management controls: Audit Tools Access, Credential Lifecycle / Provision Management, Diagnostic / Configuration Ports Access, Policies and Procedures, Segregation of Duties, Source Code Access Restriction, Third Party Access, Trusted Sources, User Access Authorization, User Access Reviews, User Access Revocation, User ID Credentials, Utility Programs Access

References:

IAM-01, IAM-02, IAM-03, IAM-04, IAM-05, IAM-06, IAM-07, IAM-08, IAM-09, IAM-10, IAM-11, IAM-12, IAM-13

Infrastructure & Virtualization Security
Description:

CSA CCM Control Domain 11 - Infrastructure & Virtualization Security controls: Audit Logging / Intrusion Detection, Change Detection, Clock Synchronization, Information System Documentation, Vulnerability Management, Network Security, OS Hardening and Base Controls, Production / Non-Production Environments, Segmentation, VM Security - vMotion Data Protection, VMM Security - Hypervisor Hardening, Wireless Security, Network Architecture

References:

IVS-01, IVS-02, IVS-03, IVS-04, IVS-05, IVS-06, IVS-07, IVS-08, IVS-09, IVS-10, IVS-11, IVS-12, IVS-13

Interoperability & Portability
Description:

CSA CCM Control Domain 12 - Interoperability & Portability controls: APIs, Data Request, Policy & Legal, Standardized Network Protocols, Virtualization

References:

IPY-01, IPY-02, IPY-03, IPY-04, IPY-05

Mobile Security
Description:

CSA CCM Control Domain 13 - Mobile Security controls: Anti-Malware, Application Stores, Approved Applications, Approved Software for BYOD, Awareness and Training, Cloud Based Services, Compatibility, Device Eligibility, Device Inventory, Device Management, Encryption, Jailbreaking and Rooting, Legal, Lockout Screen, Operating Systems, Passwords, Policy, Remote Wipe, Security Patches, Users

References:

MOS-01, MOS-02, MOS-03, MOS-04, MOS-05, MOS-06, MOS-07, MOS-08, MOS-09, MOS-10, MOS-11, MOS-12, MOS-13 to MOS-20

Security Incident Management, E-Discovery & Cloud Forensics
Description:

CSA CCM Control Domain 14 - Security Incident Management, E-Discovery & Cloud Forensics controls: Contact / Authority Maintenance, Incident Management, Incident Reporting, Incident Response Legal Preparation, Incident Response Metrics

References:

SEF-01, SEF-02, SEF-03, SEF-04, SEF-05

Supply Chain Management, Transparency and Accountability
Description:

CSA CCM Control Domain 15 - Supply Chain Management, Transparency and Accountability controls: Data Quality and Integrity, Incident Reporting, Network / Infrastructure Services, Provider Internal Assessments, Supply Chain Agreements, Supply Chain Governance Reviews, Supply Chain Metrics, Third Party Assessment, Third Party Audits

References:

STA-01, STA-02, STA-03, STA-04, STA-05, STA-06, STA-07, STA-08, STA-09

Threat and Vulnerability Management
Description:

CSA CCM Control Domain 16 - Threat and Vulnerability Management controls: Anti-Virus / Malicious Software, Vulnerability / Patch Management, Mobile Code

References:

TVM-01, TVM-02, TVM-03