Getting CSA Star Certified

What is CSA Star Compliance? #

CSA Star compliance is the standardization framework developed as a result of the work of over 80,000 IT security professionals from the whole world, working in 25 groups who are continuously trying to improve cloud computing security.

In a way, the cloud space is just a digital variant of private property, and criminals don’t have a preference over what they steal. As long as it has value, a physical or a virtual good will also be of interest to criminals.

With the increase of cloud storage services, associated risks like hacking are have definitely increased. This is why strict Internet security standards, such as ISO 27001 are implemented by the biggest industry players that base their operations on cloud computing. One such example is Microsoft Azure that has a CSA Star-certified service.

What Does a CSA Star Compliance Certification Entail? #

If you meet the CSA (Cloud Security Alliance) criteria for CSA Star access control compliance, your company data and associated certifications will be publicly available for an overview in the CSA Security Trust and Assurance Registry. This transparency ensures that you’ve taken all necessary precautionary measures to adapt your company digital and physical architecture to fit into the CSA Star physical security compliance framework.

Higher levels of CSA Star compliance means that you have been scrutinized by third-party assessors and that you will be consistently monitored to ensure that your CSA Star access control compliance system is running properly. Companies that already use cloud-based electronic access control will be particularly interested in getting this certification. If you are a “lock-and-key” company, your main focus will be directed toward making basic electronic access changes to meet critical security standardization criteria.

3-Level CSA Star Access Control Compliance #

CSA Star compliance is work in the making. Although standardization levels are set, many companies still work on structuring their CSA Star access control compliance and find their rightful place in the international system based on the Cloud Controls Matrix (CCM). The CCM is set to meet accepted standards in the industry. Typical examples include ISO 27001, PCI DSS or HIPAA. But there are more.

If you haven’t made the access to your physical location compliant with these benchmarks, you will be way behind in getting to Level 3 of the CSA Star physical security compliance. Level 3 is about rigorous third-party approved certification based on the requirements of the ISO/IEC 27001 management system standards and the Cloud Controls Matrix.

To get there, your company will need to pass a Level 1 Self-Assessment CSA Star access control compliance check, Level 2 third-party controlled approvals and Level 3 continuous assessment monitoring.

As expected, the most popular model relates to Level 2 CSA Star physical security compliance benchmarks. This is not only because they are strengthened by outside checks, but also because they are currently best developed within the CSA CCM control framework.

Level 2 includes three sub-levels: assessment, attestation and certification. Once you get your CSA Star compliance certificate for your company premises, you can state that the web-based access control solution which you offer to your clients is up to the following internationally harmonized standards:

• Conformity assessment based on ISO/IEC 17021:2011
• Information technology - security techniques based on ISO/IEC 27006:2011
• Guidelines for auditing management systems based on ISO 19011

Thus it can be seen that it’s not easy to establish a strong and secure cloud-security access control system without meeting a long checklist of criteria.

Considering that data on the Internet will only increase, the CSA Star access control compliance requirements may produce the bottleneck effect during the certification. The sooner you start with the procedure, the better. Keep in mind that if you want to get the third-party assessment, it needs to be performed by a certified STAR auditor who must be ISO/IEC 27001 qualified and accredited by the International Accreditation Forum (IAF).

How Do I Meet the CSA Access Control Compliance Standards? #

This basic CSA Star compliance checklist is a practical tool to keep at hand for the most important questions:

• Make sure you understand the structure and the details in the Cloud Controls Matrix (CCM). Learn the criteria to submit an effective report and find your name in the public registry
• Determine the assurance level you need. Will you be happy with a self-assessment or you'll need a hand from someone qualified?
• Check your compliance against the Consensus Assessments Initiative Questionnaire (CAIQ). Your clients, business partners and the certified CSA Star compliance auditor will be relentless when asking cloud security questions -- you should be able to answer them.
• If you’re in finance and accountancy, You may need to get that CSA Star Attestation document.
• Is your industry within the scope of the ISO/IEC 27001:2005 management system standard? You should consider getting a CSA Star Certification from an authorized auditor.
• Doing business on the Greater China Market? If you want to get the CSA C-Star Assessment, your company will need to fulfill a long list of location-related standards.

CSA Star compliance is the most influential system in security industry for security assurance. If you can set the infrastructure of your company facilities within an electronic cloud-based access infrastructure which is transparent, rigorously monitored and harmonized with the international best practices, you will gain irreplaceable competitive advantages, not the least of which enable unimpeded business growth.