The Ultimate Guide to
Cloud Security Alliance’s Security Trust Assurance and Risk (CSA STAR)
What is CSA STAR?
With so much sensitive information now being stored in the cloud, keeping it safe weighs heavily on the minds of both cloud service providers (CSP) and cloud customers. Offered by the Cloud Security Alliance (CSA), the Security Trust Assurance and Risk (STAR) program is considered a gold standard in cloud security assurance.
CSA Security Trust, Assurance and Risk is the most powerful security assurance program for the cloud. Its program encompasses important principles of rigorous auditing, transparency, and a combination of standards. Organizations who use CSA STAR show that they are dedicated to best practices and validate the secure posture of their cloud offerings. It also enables solution providers to offer proof to current and future customers of the controls in place.
This program is based on three foundational tools which bring instant credibility in security circles. The first, CSA’s Cloud Control Matrix (CCM), is considered the de facto standard for cloud security and compliance and outlines all cloud-specific security controls. The second, the Consensus Assessments Initiative Questionnaire (CAIQ), provides a list of 295 questions for cloud customers to ask their providers to gauge CCM compliance. The third, the CSA’s Code of Conduct for GDPR Compliance, is a robust guide created to assist organizations in GDPR adherence.
What Are the Benefits of CSA STAR Compliance?
Cloud service providers obtaining a CSA STAR certification can expect to better build, establish, and maintain robust security programs while solidifying their position as trusted cloud vendors. They can expect to see accelerated sales cycles and to grow their business helping new customers navigate secure cloud adoption. STAR-certified CSPs enjoy being part of a global database that’s viewed as a trusted marketplace by cloud customers.
Equally important is that the CSA STAR program can be leveraged as an organization’s integrated security system—demonstrating an advanced level of cloud governance and compliance. CSA STAR maps to multiple standards and regulations, effortlessly blending multiple frameworks for an integrated security system that helps eliminate compliance gaps and avoid unmitigated risks. If your organization already holds other compliance initiatives such as ISO 27001, SOC 2, or GB/T22080-2008n, you can add STAR certification to make any of these specific to cloud environments. Hyperproof’s crosswalks feature allows you to do this dramatically faster and with ease.
Overview of the CSA STAR framework
The Registry is a fundamental feature of the STAR program—CSPs can demonstrate security and privacy best practices by listing on the Registry, which provides an effective means of evaluation for consumers.
The STAR program’s open certification framework contains three levels: self-assessment (Level 1), third-party audit (Level 2), and continuous auditing (Level 3). The level of certification will also be displayed on the registry.
Determining Which STAR Level is Right for Your Business
The level your organization pursues should depend on how much transparency and security assurance you desire. By this, Level 1 (Self-Assessment) is best for organizations operating in lower-risk environments. Level 2 (Third-party auditing) is best for organizations operating in medium to high-risk environments and who already have ISO 27001, SOC 2 or GB/T22080. Level 3 (Continuous Auditing) is best for full-service CSP enterprises operating in high-risk environments who want to display the highest level of transparency and security assurance in cloud environments.
Self-Assessment is best for organizations operating in lower-risk environments.
Third-party auditing is best for organizations operating in medium to high-risk environments and who already have ISO 27001, SOC 2 or GB/T22080.
Continuous Auditing is best for full-service CSP enterprises operating in high-risk environments who want to display the highest level of transparency and security assurance in cloud environments.
Hyperproof for CSA STAR Compliance
Hyperproof’s compliance operations platform can provide an excellent starting point for organizations looking to obtain their CSA STAR certification, as it contains all CCM requirements in addition to all the requirements outlined in the CSA Code of Conduct for GDPR Compliance. Our platform makes it easy to scale up and harmonize multiple requirements across multiple information security standards, expediting the timeline to getting listed in the Registry and becoming CSA STAR certified for all size organizations.
Hyperproof comes with a CSA STAR “starter compliance template” designed to help organizations accelerate their journey to compliance. The template comes with all CSA STAR requirements. Once you’ve implemented the template, you can upload your existing evidence files, link them to the right controls and requirements, and iterate from there (e.g. tailor certain controls or collect additional pieces of evidence). For organizations who already have existing controls in place, it’s quite simple to edit the provided controls, add new controls, and remove superfluous ones.
Instead of developing your own file system and using spreadsheets to track updates, you can store all of your evidence in Hyperproof and link each piece of evidence to the right control and requirement. Hyperproof provides the ability to link one evidence file to multiple requirements/controls, so you don’t have to pull the same evidence files again and again if you’re preparing for multiple audits.
Hyperproof also makes it easy for compliance professionals to collect evidence from business stakeholders. A compliance project owner can assign tasks to business stakeholders (e.g. submit this type of evidence) and remind people to complete their tasks on a cadence. Business stakeholders do not need to learn the language of compliance or any new tools. They can receive notifications to complete tasks through the tools they are already using (e.g. Outlook, Slack, Gmail), complete the tasks in those tools, and have information routed back and reflected in Hyperproof in near real-time.
Hyperproof provides real-time feedback on your audit preparedness and control evaluation efforts. It comes with dashboards to help you identify what controls are already in place vs. what’s missing in real-time, so you can put solutions in place to close those gaps well ahead of an auditor’s visit.
When you’re ready to share your work with your auditor, you can invite your auditor to review your work in Hyperproof—so no one has to spend their precious time uploading/downloading files and sending emails back and forth. Additionally, Hyperproof provides a central place for compliance process owners and auditors to communicate with one another.
Hyperproof partners with professional service firms with proven track records and deep expertise in helping organizations get CSA STAR ready. Our partners help customers design their compliance programs, build them out, and conduct readiness assessments to ensure there are no surprises when the audit occurs. If you need a referral, we’d love to talk.