2017 Cloud Security Alliance All Rights Reserved

CSA STAR Attestation Type 1 Marketing Guidelines
April 2017

© 2017 Cloud Security Alliance – All Rights Reserved

All rights reserved. You may download, store, display on your computer, view, print, and link to the Cloud Security Alliance “CSA STAR Attestation Type 1 Marketing Guidelines” at subject to the following: (a) the Document may be used solely for your personal, informational, non-commercial use; (b) the Document may not be modified or altered in any way; (c) the Document may not be redistributed; and (d) the trademark, copyright or other notices may not be removed. You may quote portions of the Document as permitted by the Fair Use provisions of the United States Copyright Act, provided that you attribute the portions to the Cloud Security Alliance “CSA STAR Attestation Type 1 Marketing Guidelines” (2017)

What Does STAR Attestation mean?

As organizations look to cloud services to process more sensitive and critical data, security and risk management teams require tools to quickly assess and understand the types and rigor of security controls applied by cloud service providers. CSA STAR Attestation is the first cloud-specific attestation program designed to meet this need. Based on the CSA’s Cloud Controls Matrix (CCM), STAR is the only meta-framework of cloud-specific security controls, mapped to leading standards, that enables accredited 3rd party audit review to give security teams the support and trust they require to enable this move to the cloud.

As a rigorous program based on the SOC 2 attestation standards or an international equivalent (i.e. ISAE 3000), the STAR Attestation provides for robust reporting on the cloud service provider’s description of its system and controls, including a description of the service auditor’s tests of controls. The reports are intended to meet the needs of a broad range of users that need to understand cloud-specific controls at a cloud service provider as they relate to security and the criteria in the CCM. Similar to a traditional SOC 2 attestation, there are two types of report:

  • Type 1: a report on management’s description of a cloud service provider’s system and the suitability of the design of controls (“point in time” assessment); and
  • Type 2: a report on management’s description of a cloud service provider’s system and the suitability of the design and operating effectiveness of controls (“over a period of time” assessment).

The Type 1 audit is used as a stepping stone to the more rigorous Type 2 audit. A CSA STAR Attestation Type 1 status demonstrates to your customers the commitment to cloud security through a thorough assessment of the policies and procedures in place to protect the Confidentiality, Integrity, and Availability of their data. A STAR Attestation obtained based on a SOC 2 Type 1 report is only valid for 6 months from the as-of date, i.e., an organization that received its STAR Attestation based on a SOC 2 Type 1 report is required to submit a SOC 2 Type 2 report to maintain uninterrupted STAR Attestation status. The validity period of a STAR Attestation is extended by a grace period of 3 months on top of the basic validity period for report generation and delivery (“maximum validity period”).

What does STAR Attestation Type 1 NOT mean?

1) It is important to recognize that STAR Attestation Type 1 only examines the suitability of the design of controls with regard to the Trust Services Criteria and the CSA CCM criteria as of a particular date. A Type 1 Attestation provides a solid foundation for a security program, but must be replaced with a Type 2 Attestation within 9 months. A Type 1 Attestation cannot be renewed.

2) STAR Attestation reflects the security controls in place within the scope defined by the company. Components of your product may be out of scope (such as mobile apps), and these should be clearly defined in your communications. Making misleading claims could result in the STAR Attestation being suspended and removed from the STAR Registry.

3) STAR reports, both Type 1 and Type 2, may be restricted in use and are generally intended for use by stakeholders (e.g., customers, regulators, business partners, suppliers, directors) of the service organization that have a thorough understanding of the cloud service provider and its internal controls. Most organizations do not distribute their STAR report, but rely on the publicly available certificate on the CSA STAR registry.

If you need guidance concerning any of the guidelines, please contact your certified body or the Cloud Security Alliance.

Example Press Release

<Date>

<Company>, <short description>, today announced that it has successfully achieved the Cloud Security Alliance STAR Attestation Type 1 status. Conducted by <auditor>, a leading global professional services firm, STAR Attestation Type 1 examines the suitability of the design of the controls used by <Company> to meet the strict requirements of the Cloud Security Alliance Security, Trust & Assurance Registry program and its Cloud Controls Matrix (“CCM”).

As companies increasingly move their data and services into the cloud, STAR provides the first and most comprehensive set of Confidentiality, Integrity, and Availability controls specific to the cloud. STAR Attestation Type 1 status demonstrates a commitment to cloud security by <Company>, and is the first step toward STAR Attestation Type 2.

<Company quote here. E.g., “Obtaining the CSA STAR Attestation Type 1 status reinforces our ongoing commitment to the unique security challenges required of cloud service providers,” says John Doe, chief information security officer at <company>. “This certification forms the foundation of a STAR Attestation Type 2, which is expected later this year.”>

About CSA STAR

CSA STAR is the industry’s most powerful program for security assurance in the cloud. STAR encompasses key principles of transparency, rigorous auditing, and harmonization of standards, including indications of best practices and validation of security posture of cloud offerings. STAR consists of three levels of assurance, which currently cover four unique offerings all based upon a succinct yet comprehensive list of cloud-centric control objectives in the CSA’s Cloud Controls Matrix (CCM). CCM is the only meta-framework of cloud-specific security controls, mapped to leading standards, best practices and regulations. CCM provides organizations with the needed structure, detail and clarity relating to information security tailored to cloud computing.

About <Company>

<Add short description here about company>
