SlideShare a Scribd company logo

CSA STAR Program

Schellman & Company, profile picture
Schellman & Company

The document provides an overview of the CSA STAR program, established in 2011 to enhance transparency and assurance in cloud services through independent third-party validation and a public registry. It outlines the framework for STAR certification and attestation, emphasizing the integration of security domains and risk management practices to address common cloud concerns. Additionally, it discusses the benefits and challenges associated with both certification and attestation processes, as well as preparation guidelines for cloud service providers.

Technology
Related topics:
ISO 27001 Overview
1 of 32
Downloaded 50 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved The CSA STAR Program: Certification & Attestation
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved 01. Background and Overview 02. CCM Framework 03. Cloud Control Matrix 04. STAR Certification 05. STAR Attestation 06. Preparing 07. Q/A Agenda
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Background & Overview 01 ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved The Cloud Concerns • Observed loss of control • Unknown responsibilities / accountability • Potential liabilities • Inconsistent legal /compliance framework • Lack of transparency • Varying SLA’s
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved The Beginning ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Launched in 2011, the CSA STAR is the first step in improving transparency and assurance in the cloud.
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved The Program • Independent 3rd party validation • Publicly available registry • Assurance requirements • Maturity levels CSPs
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved The Journey ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Prior to issuing the guidance for STAR Certification and STAR Attestation, a CSP could only perform a self-assessment, which meant completing the Consensus Assessments Initiative questionnaire (CAIQ) and making the responses publicly available on the CSA Register. The CAIQ was completed in several different ways and the content varied from short answers to full-page responses.
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Overview of Open Certification Framework02 ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Framework OPEN CERTIFICATION FRAMEWORK LEVEL 3 Continuous Monitoring-Based Certification LEVEL 2 Third-Party Assessment-based Certification LEVEL 1 Self-Assessment ASSURANCE TRANSPARENCY CONTINUOUS CERTIFICATION ATTESTATION SELF-ASSESSMENT
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Cloud Control Matrix 03 ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved CCM Domains Application and Interface Security Data Security & ILME and Key Management Infrastructure and Virtualization Security Audit, Assurance and Compliance Governance and Risk Management Mobile Security Business Continuity and Management Resilience Human Resources Security Security Incident Management Change Control and Configuration Management Identity and Access Management Supply Chain Management Data Center Security Interoperability and Portability Threat and Vulnerability Management
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved CSA STAR CERTIFICATION 04 CERTIFICATION ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Overview • Rigorous 3rd party independent assessment • Technology-neutral • Integration of ISO 27001:2013 and CSA CCM • Designated an overall maturity score
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved • Uniform with ISMS • The Assessors Grid Scope and Process
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Scope and Process
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved • Management Approach • Nonconformities and Impact • Maturity Score and Award • Registration Scope and Process
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Benefits • Complements ISO 27001 Certification • Increased market confidence • Base maturity level • Process improvement opportunities • Increase overall maturity
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Challenges • ISO 27001 Requirement • Focus on management principles • Extent of external deliverable • Subjective score
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Certificate
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved CSA STAR ATTESTATION 05 ATTESTATION ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved • 3rd Party independent security assessment • Integration with SOC 2 examination and CCM • Testing operational effectiveness of 16 security domains Overview
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Scope Application and Interface Security Datacenter Security Interoperability and Portability Audit Assurance and Compliance Encryption and Key Management Mobile Security Business Continuity Management and Operational Resilience Governance and Risk Management Security Incident Management, e-Discovery, and Cloud Forensics Change Control and Configuration Management Human Resources Supply Chain Management, Transparency, and Accountability Data Security and Information Identity and Access Management Threat and Vulnerability Management Lifecycle Management Infrastructure and Virtualization
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved • No prerequisites • Design / operating effectiveness • Review period of 6+ months • Standalone / detailed report • Integration with CCM • Easy comparability Benefits
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved • Full disclosure of exceptions • Regressive looking report • No relevance after end of review period Challenges
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Report
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Preparing 06 ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved • Define scope and boundaries • Perform a risk assessment • Include CCM in risk treatment • Assess project timeline RISK ASSESSMENT & SCOPE
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved • Internally • Service auditors READINESS ASSESSMENT
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved • Policies and procedures • Segregation of duties • Monitoring REMEDIATION
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved • Licensed CPA firm • Auditor Certification • STAR Certification Registrar • Independent • Single Vendor Approach • Audit Team AUDIT FIRM SELECTION
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved • Baseline in dynamic environment • Authoritative source • Market need • Trust and assurance with customers • Leverage current compliance initiatives It is just the beginning…
©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved JOIN US NEXT TIME: HITRUST for Covered Entities and Business Associates August 14th brightline.com/webinars

More Related Content

PPTX
What is zero trust model (ztm)
Ahmed Banafa
 
PPTX
Introduction to the CSA Cloud Controls Matrix
John Yeoh
 
PDF
Zero Trust Model Presentation
Gowdhaman Jothilingam
 
PDF
Application Security | Application Security Tutorial | Cyber Security Certifi...
Edureka!
 
DOCX
What is zero trust model of information security?
Ahmed Banafa
 
PPTX
Zero Trust Framework for Network Security​
AlgoSec
 
PPTX
Responding to Cybersecurity Threats: What SMEs and Professional Accountants N...
International Federation of Accountants
 
PPTX
Cyber Terrorism
Deepak Pareek
 
What is zero trust model (ztm)
Ahmed Banafa
 
Introduction to the CSA Cloud Controls Matrix
John Yeoh
 
Zero Trust Model Presentation
Gowdhaman Jothilingam
 
Application Security | Application Security Tutorial | Cyber Security Certifi...
Edureka!
 
What is zero trust model of information security?
Ahmed Banafa
 
Zero Trust Framework for Network Security​
AlgoSec
 
Responding to Cybersecurity Threats: What SMEs and Professional Accountants N...
International Federation of Accountants
 
Cyber Terrorism
Deepak Pareek
 

What's hot (20)

PPTX
CISSP - Chapter 3 - System security architecture
Karthikeyan Dhayalan
 
PPT
3. security architecture and models
7wounders
 
PDF
ISO/IEC 27001:2013 An Overview
Ahmed Riad .
 
PPTX
ISOIEC 42001 AI Management System Slides
GilangRamadhan884333
 
PPTX
5 Steps to a Zero Trust Network - From Theory to Practice
AlgoSec
 
PPTX
Endpoint Protection
Sophos
 
PDF
Application Security - Your Success Depends on it
WSO2
 
PDF
NIST Zero Trust Explained
rtp2009
 
PPTX
Enterprise Security Architecture
Priyanka Aash
 
PDF
Cyber Security (Emerging Threats)
Kaufman & Canoles
 
PPTX
Why is Cyber Security Important - Importance of Cyber Security - Avantika Uni...
Avantika University
 
PPTX
Cyber Terrorism
Sai praveen Seva
 
PPT
Introduction to information security
Kumawat Dharmpal
 
PPT
Industrial control systems cybersecurity.ppt
DelforChacnCornejo
 
PPTX
Zero Trust
Boaz Shunami
 
PPTX
The Zero Trust Model of Information Security
Tripwire
 
PPTX
Presentation on GDPR
DipanjanDey12
 
PPT
Firewalls Security – Features and Benefits
Anthony Daniel
 
PPTX
Domain 1 - Security and Risk Management
Maganathin Veeraragaloo
 
PPTX
CISSP - Chapter 4 - Intranet and extranets
Karthikeyan Dhayalan
 
CISSP - Chapter 3 - System security architecture
Karthikeyan Dhayalan
 
3. security architecture and models
7wounders
 
ISO/IEC 27001:2013 An Overview
Ahmed Riad .
 
ISOIEC 42001 AI Management System Slides
GilangRamadhan884333
 
5 Steps to a Zero Trust Network - From Theory to Practice
AlgoSec
 
Endpoint Protection
Sophos
 
Application Security - Your Success Depends on it
WSO2
 
NIST Zero Trust Explained
rtp2009
 
Enterprise Security Architecture
Priyanka Aash
 
Cyber Security (Emerging Threats)
Kaufman & Canoles
 
Why is Cyber Security Important - Importance of Cyber Security - Avantika Uni...
Avantika University
 
Cyber Terrorism
Sai praveen Seva
 
Introduction to information security
Kumawat Dharmpal
 
Industrial control systems cybersecurity.ppt
DelforChacnCornejo
 
Zero Trust
Boaz Shunami
 
The Zero Trust Model of Information Security
Tripwire
 
Presentation on GDPR
DipanjanDey12
 
Firewalls Security – Features and Benefits
Anthony Daniel
 
Domain 1 - Security and Risk Management
Maganathin Veeraragaloo
 
CISSP - Chapter 4 - Intranet and extranets
Karthikeyan Dhayalan
 
Ad

Similar to CSA STAR Program (20)

PDF
The CSA STAR Program: Certification & Attestation
Schellman & Company
 
PDF
Hitrust: Navigating to 2017, Your Map to HITRUST Certification
Schellman & Company
 
PDF
SOC 1 Overview
Schellman & Company
 
PPTX
Checklist for Competent Cloud Security Management
Cloud Credential Council
 
PPTX
How CMMC Auditors Recommend You Defend Your Organization - Completed March, 2...
Ignyte Assurance Platform
 
DOCX
Cloud Computing - Emerging Opportunities in the CA Profession
Bharath Rao
 
PDF
Cloud services and it security
East Midlands Cyber Security Forum
 
PDF
Everything You Need To Know About SOC 1
Schellman & Company
 
PDF
Moving Your Law Firm to the Cloud: Why the Time Is Now
Clio - Cloud-Based Legal Technology
 
PPTX
CSA STAR Webinar Presentation to know in detail
AyilurRamnath1
 
PPT
2011 Digital Summit - Not So Cloudy - Agcaoili
Phil Agcaoili
 
PDF
Avoiding Limitations of Traditional Approaches to Security
Mighty Guides, Inc.
 
PPTX
Unc charlotte prezo2016
Sanjay R. Gupta
 
PDF
Blokland & Mengerink - Testing Cloud Services - EuroSTAR 2012
TEST Huddle
 
PDF
Cloud Computing for CPAs: What Your Client Will Ask You
Wipfli LLP/Brittenford Systems Inc.
 
PDF
Certified Cybersecurity Compliance Professional.PREVIEW.pdf
GAFM ACADEMY
 
PDF
EuroCACS 2016 There are giants in the sky
Carlos Chalico
 
PDF
Auditing & Assessing The Risk Of Cloud Service Providers at Auditworld 2015 ...
Alan Yau Ti Dun
 
PDF
Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...
Happiest Minds Technologies
 
PDF
Introduction to CSA Australia 2013 by David Ross
CloudSecurityAllianceAustralia
 
The CSA STAR Program: Certification & Attestation
Schellman & Company
 
Hitrust: Navigating to 2017, Your Map to HITRUST Certification
Schellman & Company
 
SOC 1 Overview
Schellman & Company
 
Checklist for Competent Cloud Security Management
Cloud Credential Council
 
How CMMC Auditors Recommend You Defend Your Organization - Completed March, 2...
Ignyte Assurance Platform
 
Cloud Computing - Emerging Opportunities in the CA Profession
Bharath Rao
 
Cloud services and it security
East Midlands Cyber Security Forum
 
Everything You Need To Know About SOC 1
Schellman & Company
 
Moving Your Law Firm to the Cloud: Why the Time Is Now
Clio - Cloud-Based Legal Technology
 
CSA STAR Webinar Presentation to know in detail
AyilurRamnath1
 
2011 Digital Summit - Not So Cloudy - Agcaoili
Phil Agcaoili
 
Avoiding Limitations of Traditional Approaches to Security
Mighty Guides, Inc.
 
Unc charlotte prezo2016
Sanjay R. Gupta
 
Blokland & Mengerink - Testing Cloud Services - EuroSTAR 2012
TEST Huddle
 
Cloud Computing for CPAs: What Your Client Will Ask You
Wipfli LLP/Brittenford Systems Inc.
 
Certified Cybersecurity Compliance Professional.PREVIEW.pdf
GAFM ACADEMY
 
EuroCACS 2016 There are giants in the sky
Carlos Chalico
 
Auditing & Assessing The Risk Of Cloud Service Providers at Auditworld 2015 ...
Alan Yau Ti Dun
 
Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...
Happiest Minds Technologies
 
Introduction to CSA Australia 2013 by David Ross
CloudSecurityAllianceAustralia
 
Ad

More from Schellman & Company (16)

PDF
Privacy in the Cloud- Introduction to ISO 27018
Schellman & Company
 
PDF
Demystifying the Cyber NISTs
Schellman & Company
 
PDF
Determining Scope for PCI DSS Compliance
Schellman & Company
 
PDF
Privacy shield: What You Need To Know About Storing EU Data
Schellman & Company
 
PDF
Work With Federal Agencies? Here's What You Should Know About FedRAMP Assessm...
Schellman & Company
 
PDF
PA-DSS and Application Penetration Testing
Schellman & Company
 
PDF
Get Ready Now for HITRUST 2017
Schellman & Company
 
PDF
STAND OUT: Why You Should Become ISO 27001 Certified
Schellman & Company
 
PDF
Locking Up Your Cloud Environment: An Introduction to ISO/IEC 27017 and 27018
Schellman & Company
 
PDF
SOC 2 and You
Schellman & Company
 
PDF
SOC 2: Build Trust and Confidence
Schellman & Company
 
PDF
12 Steps to Preparing for a QAR
Schellman & Company
 
PDF
EPCS Overview
Schellman & Company
 
PDF
PCI DSS 3.0 Overview and Key Updates
Schellman & Company
 
PDF
10 Steps Toward FedRAMP Compliance
Schellman & Company
 
PDF
Your've Been Hacked in Florida! Now What?
Schellman & Company
 
Privacy in the Cloud- Introduction to ISO 27018
Schellman & Company
 
Demystifying the Cyber NISTs
Schellman & Company
 
Determining Scope for PCI DSS Compliance
Schellman & Company
 
Privacy shield: What You Need To Know About Storing EU Data
Schellman & Company
 
Work With Federal Agencies? Here's What You Should Know About FedRAMP Assessm...
Schellman & Company
 
PA-DSS and Application Penetration Testing
Schellman & Company
 
Get Ready Now for HITRUST 2017
Schellman & Company
 
STAND OUT: Why You Should Become ISO 27001 Certified
Schellman & Company
 
Locking Up Your Cloud Environment: An Introduction to ISO/IEC 27017 and 27018
Schellman & Company
 
SOC 2 and You
Schellman & Company
 
SOC 2: Build Trust and Confidence
Schellman & Company
 
12 Steps to Preparing for a QAR
Schellman & Company
 
EPCS Overview
Schellman & Company
 
PCI DSS 3.0 Overview and Key Updates
Schellman & Company
 
10 Steps Toward FedRAMP Compliance
Schellman & Company
 
Your've Been Hacked in Florida! Now What?
Schellman & Company
 

Recently uploaded (20)

PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
PDF
KodekX | Application Modernization Development
KodekX
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PDF
GDG Cloud Iasi [PUBLIC] Florian Blaga - Unveiling the Evolution of Cybersecur...
athlonica
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
[발표본] 너의 과제는 클라우드에 있어_KTDS_김동현_20250524.pdf
ssuserf8b8bd1
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PDF
solutions_manual_-_materials___processing_in_manufacturing__demargo_.pdf
AbdullahSani29
 
PPT
Teaching material agriculture food technology
LiaRayya
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
KodekX | Application Modernization Development
KodekX
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
GDG Cloud Iasi [PUBLIC] Florian Blaga - Unveiling the Evolution of Cybersecur...
athlonica
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
[발표본] 너의 과제는 클라우드에 있어_KTDS_김동현_20250524.pdf
ssuserf8b8bd1
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
solutions_manual_-_materials___processing_in_manufacturing__demargo_.pdf
AbdullahSani29
 
Teaching material agriculture food technology
LiaRayya
 

CSA STAR Program

  • 1. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved The CSA STAR Program: Certification & Attestation
  • 2. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved 01. Background and Overview 02. CCM Framework 03. Cloud Control Matrix 04. STAR Certification 05. STAR Attestation 06. Preparing 07. Q/A Agenda
  • 3. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Background & Overview 01 ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
  • 4. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved The Cloud Concerns • Observed loss of control • Unknown responsibilities / accountability • Potential liabilities • Inconsistent legal /compliance framework • Lack of transparency • Varying SLA’s
  • 5. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved The Beginning ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Launched in 2011, the CSA STAR is the first step in improving transparency and assurance in the cloud.
  • 6. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved The Program • Independent 3rd party validation • Publicly available registry • Assurance requirements • Maturity levels CSPs
  • 7. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved The Journey ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Prior to issuing the guidance for STAR Certification and STAR Attestation, a CSP could only perform a self-assessment, which meant completing the Consensus Assessments Initiative questionnaire (CAIQ) and making the responses publicly available on the CSA Register. The CAIQ was completed in several different ways and the content varied from short answers to full-page responses.
  • 8. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Overview of Open Certification Framework02 ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
  • 9. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Framework OPEN CERTIFICATION FRAMEWORK LEVEL 3 Continuous Monitoring-Based Certification LEVEL 2 Third-Party Assessment-based Certification LEVEL 1 Self-Assessment ASSURANCE TRANSPARENCY CONTINUOUS CERTIFICATION ATTESTATION SELF-ASSESSMENT
  • 10. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Cloud Control Matrix 03 ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
  • 11. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved CCM Domains Application and Interface Security Data Security & ILME and Key Management Infrastructure and Virtualization Security Audit, Assurance and Compliance Governance and Risk Management Mobile Security Business Continuity and Management Resilience Human Resources Security Security Incident Management Change Control and Configuration Management Identity and Access Management Supply Chain Management Data Center Security Interoperability and Portability Threat and Vulnerability Management
  • 12. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved CSA STAR CERTIFICATION 04 CERTIFICATION ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
  • 13. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Overview • Rigorous 3rd party independent assessment • Technology-neutral • Integration of ISO 27001:2013 and CSA CCM • Designated an overall maturity score
  • 14. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved • Uniform with ISMS • The Assessors Grid Scope and Process
  • 15. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Scope and Process
  • 16. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved • Management Approach • Nonconformities and Impact • Maturity Score and Award • Registration Scope and Process
  • 17. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Benefits • Complements ISO 27001 Certification • Increased market confidence • Base maturity level • Process improvement opportunities • Increase overall maturity
  • 18. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Challenges • ISO 27001 Requirement • Focus on management principles • Extent of external deliverable • Subjective score
  • 19. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Certificate
  • 20. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved CSA STAR ATTESTATION 05 ATTESTATION ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
  • 21. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved • 3rd Party independent security assessment • Integration with SOC 2 examination and CCM • Testing operational effectiveness of 16 security domains Overview
  • 22. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Scope Application and Interface Security Datacenter Security Interoperability and Portability Audit Assurance and Compliance Encryption and Key Management Mobile Security Business Continuity Management and Operational Resilience Governance and Risk Management Security Incident Management, e-Discovery, and Cloud Forensics Change Control and Configuration Management Human Resources Supply Chain Management, Transparency, and Accountability Data Security and Information Identity and Access Management Threat and Vulnerability Management Lifecycle Management Infrastructure and Virtualization
  • 23. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved • No prerequisites • Design / operating effectiveness • Review period of 6+ months • Standalone / detailed report • Integration with CCM • Easy comparability Benefits
  • 24. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved • Full disclosure of exceptions • Regressive looking report • No relevance after end of review period Challenges
  • 25. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Report
  • 26. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved Preparing 06 ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved
  • 27. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved • Define scope and boundaries • Perform a risk assessment • Include CCM in risk treatment • Assess project timeline RISK ASSESSMENT & SCOPE
  • 28. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved • Internally • Service auditors READINESS ASSESSMENT
  • 29. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved • Policies and procedures • Segregation of duties • Monitoring REMEDIATION
  • 30. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved • Licensed CPA firm • Auditor Certification • STAR Certification Registrar • Independent • Single Vendor Approach • Audit Team AUDIT FIRM SELECTION
  • 31. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved • Baseline in dynamic environment • Authoritative source • Market need • Trust and assurance with customers • Leverage current compliance initiatives It is just the beginning…
  • 32. ©2015 BrightLine CPAs & Associates, Inc. All Rights Reserved JOIN US NEXT TIME: HITRUST for Covered Entities and Business Associates August 14th brightline.com/webinars