By John DiMaria, Assurance Investigatory Fellow, Cloud Security Alliance
As a SixSigma Black Belt I was brought up over the years with the philosophy of continual monitoring and improvement, moving from a reactive state to a preventive state. Actually, I wrote a white paper a couple of years ago on how SixSigma is applied to security.
The basic premise is it emphasizes early detection and prevention of problems, rather than the correction of problems after they have occurred. It eliminates the point in time “inspection” by deploying continuous monitoring and auditing. This approach basically saved the automotive industry back in the 1980s.
This age-old and proven process is the best way I can describe what CSA has done with the launch of another step in the direction of increasing transparency and assurance … continuous auditing.
Continuous auditing focuses on testing for the occurrence of a risk and the on-going effectiveness of a control. A framework and detailed procedures, along with technology, are key to enabling such an approach. Continuous auditing offers an enhanced way to understand risks and controls and improve on sampling from periodic reviews to ongoing testing.
STAR Continuous is a component of the CSA STAR Program that gives cloud service providers (CSP) the opportunity to integrate their approach to cloud security compliance and certification with additional capabilities to validate their security posture on an ongoing basis. Continuous auditing empowers an organization to make precise statements on the compliance status at any time over the whole time span in which the continuous audit process is executed, achieving an “always up-to-date” compliance status by increasing the frequency of the auditing process.
Continuous auditing is not intended to replace traditional auditing, but rather is to be used as a tool to enhance audit effectiveness and increase transparency to stakeholders and interested parties.
STAR Continuous contains three models for continuous monitoring. Each of the three models provides a different level of assurance by covering requirements of continuous auditing with various levels of scrutiny. The three models are defined as:
1. Continuous self-assessment
2. Extended certification with continuous self-assessment
3. Continuous certification
Essentially, the proposed framework starts from a simple process of the timely submission of self- assessment compliance reports and moves up to a continuous certification of the fulfillment of control objectives.
How does it help you as a cloud service provider?
• Provides top management with greater visibility, so that they can evaluate the effectiveness of their management system in real-time in relation to expectations of internal, regulatory and the cloud security industry standards;
• Implements an audit that is designed to reflect how your organization’s objectives are aimed at optimizing the cloud services;
• Demonstrates progress and performance levels that go beyond the traditional “point in time” scenario; and
• For customers of cloud service providers, STAR Continuous will provide a greater understanding of the level of controls that are in place and their effectiveness.
CSA is committed to helping customers have a deeper understanding of their security postures. Since the STAR Registry was launched in 2011 as the first step in improving transparency and assurance in the cloud, it has evolved into a program that encompasses key principles of transparency, rigorous auditing, and harmonization of standards. Companies who use STAR indicate best practices and validate the security posture of their cloud offerings.
CSA STAR is being recognized as the international harmonized solution leading the way of trust for cloud providers, users and their stakeholders by providing an integrated, cost-effective solution that decreases complexity and increases assurance and transparency. It simultaneously enables organizations to secure their information, protect themselves from cyber-threats, reduce risk and strengthen their information governance and privacy platform.
Want to find out more? Contact us at [email protected]