Understanding the Cloud Security Alliance STAR Program
The Cloud Security Alliance STAR Program is a comprehensive and multi-layered security program that provides assurance within the cloud. There are various aspects of the STAR Program, including its principles, levels, and the benefits it offers to both cloud providers and users.
The Security, Trust, Assurance, and Risk (STAR) Program is a publicly accessible registry that documents the security and privacy controls that Cloud Service Providers (CSPs) have adopted in their environments. It encompasses the key principles of transparency, rigorous auditing, and harmonization of standards. By adhering to the CSA STAR Program, companies demonstrate best practices and validate the security and privacy posture of their cloud offerings.
The Importance of STAR
The STAR Program is designed to reduce complexity and alleviate the need for multiple customer questionnaires. It allows cloud service providers to show their security and compliance posture, including the regulations, standards, and frameworks they adhere to. This transparency builds trust and confidence among current and potential customers and reduces the compliance work they must perform.
STAR Program Levels
The STAR Program offers two levels of assurance, each with different requirements and benefits.
LEVEL 1: SELF-ASSESSMENT
At this level, organizations can self-assess and submit their security and/or privacy controls posture. This is suitable for organizations operating in a low-risk environment and looking for a cost-effective way to improve trust and transparency.
The Security Self-Assessment is a complimentary offering that documents the security controls provided by various cloud computing offerings. It promotes industry transparency and gives customers visibility into specific provider security practices. CSPs can fill out and submit the STAR Level 1 Security Questionnaire (CAIQ v4) to get registered in the CSA STAR Registry.
The GDPR Self-Assessment covers the privacy compliance of the service(s) offered by a Cloud Service Provider. After registering the required files on the CSA’s STAR Registry, service providers are marked as Compliant for one year. The controls must be revised whenever there is a change in the company policies or practices related to the service under assessment.
LEVEL 2: THIRD-PARTY AUDIT
Level 2 allows organizations to build on other industry certifications and standards and make them specific to cloud services. This level is suitable for organizations operating in a medium- to high-risk environment that already adhere to standards such as ISO 27001, SOC 2, GB/T 22080-2008, or GDPR.
STAR CERTIFICATION: FOR ISO/IEC 27001
The CSA STAR Certification is a third-party independent assessment that leverages the requirements of the ISO/IEC 27001 management system standard along with the CSA Cloud Controls Matrix (CCM) version 4.
To achieve STAR Certification, a CSP must have an active ISO 27001 certification or undergo the STAR Certification assessment in tandem with an ISO 27001 certification review. The certification program follows the normal ISO/IEC 27001 protocol and expires after three years.
The assessment evaluates the CSP’s maturity level across each CCM security domain, scoring it on five management principles:
- Stakeholder engagement
- Security governance and a systematic approach
- Skills and expertise of the people involved in managing security controls
- Ownership, leadership, and management of security processes
- Monitoring and measuring of security controls
STAR ATTESTATION: FOR SOC 2 TYPE 2
The STAR Attestation provides rigorous third-party independent assessments of cloud service providers. The CSA STAR Attestation leverages the requirements of the AICPA-governed SOC 2 Type 2 Attestation along.
To apply for CSA STAR Attestation, a CSP must already hold a SOC 2 Type 2 Attestation report or can obtain the SOC 2 Type 2 and STAR Attestation together. Organizations applying for their first STAR Attestation can provide a SOC 2 Type 1 report and submit a SOC 2 Type 2 report within 18 months or less to maintain uninterrupted STAR Attestation status.
These are the points to consider when preparing for the STAR Attestation against the CCM.
- The STAR Attestation must include the Security category (a.k.a. the Common Criteria), one of the five AICPA Trust Services Criteria (TSC).
- The organization, not its auditor, defines which CCM controls are applicable.
- The organization must select the appropriate controls for its environment and ensure they are suitably designed to meet the applicable criteria.
- All CCM controls are evaluated, and any control deemed not applicable must be justified within the report.
- The auditor maps the TSC to the CCM, covering all CCM domains.
- The STAR Attestation report follows the AICPA SOC 2 guidance.
The Cloud Security Alliance STAR Program is a vital tool in the cloud security landscape. By offering different levels of assurance and aligning with various industry standards, it provides a flexible and robust framework for organizations to demonstrate their commitment to security and privacy. The program’s transparency and rigorous assessments make it a trusted benchmark in the industry, fostering better relationships between cloud providers and users.