As organizations look to cloud services to process more sensitive and critical data, security and risk management teams require tools to quickly assess and understand the types and rigor of security controls applied by cloud service providers. CSA STAR Attestation is the first cloud-specific attestation program designed to meet this need. CSA STAR Attestation is a collaboration between CSA and the AICPA to provide guidelines for CPAs to conduct SOC 2 engagements using criteria from the AICPA (Trust Service Principles,AT 101) and the CSA Cloud Controls Matrix.
Requirements for the cloud can be quite different than non-cloud environments, so a generic approach to security compliance is not a viable solution for providing evidence of assurance in the cloud. Unique considerations must be given to:
• Understanding the scope of the cloud computing environment.
• Do the current security controls cover the unique aspects of the cloud environment?
• Can the current risk assessment capture the risks correctly?
• Audit trails that prove the effectiveness
Join me as I interview two Principles from Schellman, Ryan Mackie and Gary Nelson as they take you on a journey down the road to Cloud Attestation and provide details of the audit, advice on implementation and the value proposition.