Cybersecurity standards, certifications, and frameworks read like so much alphabet soup: AICPA TSP SOC 2, CSA STAR, ISO/IEC 27001, NIST SP 800-53. What does it all mean? Is my food trying to tell me something?
There are so many options with so many messy acronyms, it’s hard to keep track of them, remember what they stand for, and unpack the differences between each. It can be even harder still to decide which one to use for your organization.
It doesn’t help that researching them is a pain, since it’s difficult to figure out what’s what without sifting through pages upon pages of content.
A good place to start is the pleasingly pronounceable CSA STAR, because it has a little bit of everything a company might be looking for in a security framework all in one place. Even if it isn’t a perfect fit, it might help point an organization in the right direction.
First off, what is the CSA? The CSA, or Cloud Security Alliance, is a non-profit organization formed to define and raise awareness for the best practices to secure a cloud computing environment.
The CSA developed a cybersecurity framework called the Security Trust and Risk (STAR) Program. As this is put out by the Cloud Security Alliance, if your organization’s infrastructure is not primarily cloud-based, this is probably not the best framework to adopt. If it does apply, the STAR is worth looking into because it has different levels with options that an organization can choose to use as best suits them. For example, the STAR has options that can be integrated into an organization’s existing frameworks and certifications, as well as options that can be used for free.
The STAR is an open certification framework that allows organizations to document their cloud security and privacy controls and best practices. The organization then submits its controls, and they are published to the CSA STAR Registry.
The STAR Registry is an easily accessible location where your current (and potential) customers can access your security documentation.
The CSA STAR for security is made of two components, a Cloud Controls Matrix (CCM) and a Consensus Assessments Initiative Questionnaire (CAIQ).
What is the CCM?
The Cloud Controls Matrix is the CSA’s cloud computing cybersecurity controls framework. The CCM has 133 controls which are categorized under 16 cloud technology domains. These controls map to many industry-accepted frameworks such as the National Institute of Standards and Technology’s Special Publication 800-53 (NIST SP 800-53), the International Organization for Standardization/International Electrotechnical Commission 27001 (ISO/IEC 27001), the Payment Card Industry Data Security Standard (PCI DSS), the American Institute of Certified Public Accountants Trust Services Criteria (AICPA TSP), and others.
Snippet of the CCM | Copyright CSA, used with permission.
The CCM can be used as a tool for cloud implementation assessment and provides guidance on which security controls should be implemented where within the cloud supply chain.
What is the CAIQ?
CAIQ – it’s pronounced “cake,” in case you were wondering.
Snippet of the CAIQ | Copyright CSA
The CAIQ, or Consensus Assessments Initiative Questionnaire, is the CSA’s method for enabling organizations to document their security controls. It is a self-assessment questionnaire that asks yes/no questions about an organization’s compliance with the CCM. The completed CAIQ is the document that an organization submits to the STAR Registry.
Having your organization’s security practices in the STAR Registry could help reduce or eliminate the need for filling out potential customer security questionnaires.
There are three levels to the CSA STAR.
CSA STAR Level 1
Level 1 is the self-assessment process described above, where an organization fills out the CAIQ and submits it to the STAR Registry. Customers can then look up any registered organization’s security practices. It is free for an organization to be added to the STAR Registry. To stay current, organizations must update their Self-Assessments annually.
The CSA also offers a privacy-related self-assessment that allows organizations to demonstrate GDPR compliance in the same manner.
Within STAR Level 1 there is a continuous option. Similar to a SOC 2 Type II audit, the controls are evaluated over a period of time instead of at a single point in time. With the Level 1 Continuous option an organization updates its CAIQ self-assessment every 30 days, as opposed to the typical annual requirement.
CSA STAR Level 2
The STAR Level 2 involves a third-party assessment. To achieve STAR Level 2, a third-party assessment firm uses an existing industry standard and incorporates the CSA CCM requirements into its assessment. The CSA STAR Level 2 can be either an Attestation or a Certification, depending on which industry standard is chosen. There are two industry standards that can be incorporated into the STAR Level 2: the AICPA SOC 2 and ISO/IEC 27001:2013.
If an organization uses the AICPA Trust Service Principles to complete a SOC 2 audit with the CCM controls then the organization receives a STAR Level 2 Attestation. The Attestation is valid for a period of one year unless updated.
If an organization chooses to complete an assessment with the CCM and the ISO/IEC 27001:2013 standard requirements then they receive a STAR Level 2 Certification. The Level 2 Certification is valid for three years unless updated.
The ability to integrate the CSA STAR with a SOC 2 or ISO 27001 audit might be beneficial for companies because it allows them to leverage these existing industry assessment programs and make them specific to a cloud environment.
The CSA has a list of approved assessment firms that organizations can use for a Level 2 Attestation or Certification. Because a third party is involved, Level 2 comes with the price tag associated with the chosen assessment firm.
As with STAR Level 1, Level 2 also has a continuous option. For the Level 2 continuous option an organization adds a continuous CAIQ self-assessment that must be updated every 30 days. When the assessment firm conducts a re-certification audit, it includes the CAIQ submissions in the audit for that period.
CSA STAR Level 3: STAR Continuous
Level 3 is STAR Continuous. This option is still in the works, but it will involve an automated process for continuously monitoring security controls. The automated assessment will use monitoring tools such as network and statistics monitoring, log analytics, and resource utilization. A third-party assessor will then evaluate the continuous-monitoring security controls for a given period. Once the assessor confirms that the organization’s continuous control security requirements are met, the CSA will issue a STAR Level 3 Certificate.
Licensing
Many organizations misinterpret the licensing for the CCM and CAIQ. The STAR Program’s CCM and CAIQ are freely distributed, publicly available resources. However, organizations should be cognizant of the terms and conditions for using the CSA’s resources. Organizations must share their CCM or CAIQ data with customers through the CSA’s publicly accessible STAR Registry. The data can be used internally without publishing, but users must add the data to the public registry if they want to share it externally, with a customer, for example. Users are only permitted to share the data privately if they obtain a special license.
So is the CSA STAR right for your organization?
Pros:
If your organization has good security, the CSA STAR Registry will highlight your dedication to it.
Your organization’s security controls are in one easily accessible place for customers to see.
Can reduce or eliminate the number of customer security questionnaires your organization receives and completes.
Can be integrated into a SOC 2 or ISO 27001 audit.
Cons:
If your organization has lackluster security, the CSA STAR Registry will make that visible.
The CSA STAR is only applicable to cloud-based organizations and/or products.
The STAR Registry is transparent and freely accessible, which may not be suitable for organizations that don’t want their security controls to be visible to the general public.
Ultimately you will need to consider the needs of your organization and clients to decide which security framework will serve them best. Whether or not that’s the CSA STAR, I hope this makes one part of that alphabet soup a little easier to understand.