The Inner Circle

  • 1.  CCPA and GDPR in the CCM/CAIQ

    Posted May 06, 2020 07:16:00 AM
    Hello all,

    Do any of you know if there are plans to revise the CCM/CAIQ to account for the various controls required by CCPA and GDPR? 

    It would be helpful to clarify how these regulations map into existing CCM controls (or new controls). They are important points to consider, especially when evaluating a SaaS provider, and I'd conjecture these kinds of regulations will be around for many years to come.

    If there is a direction you can point me for further discussion, please feel free.

    ------------------------------
    James Leone
    Abbott Labs
    ------------------------------


  • 2.  RE: CCPA and GDPR in the CCM/CAIQ

    Posted May 06, 2020 09:42:00 AM
    Edited by Lefteris Skoutaris May 06, 2020 09:43:17 AM
    Hello James,
    CSA has published the PLA Code of Conduct V3 that is designed to meet the mandatory EU legal personal data protection requirements (GDPR), and to provide guidance for legal compliance and transparency on the level of data protection offered by the cloud service providers. For more information please look here: https://cloudsecurityalliance.org/privacy/gdpr/code-of-conduct/.

    The PLA WG is tasked to perform a mapping & gap analysis exercise between the PLA CoC and the CCPA. This exercise is currently ongoing.

    On a side note, the new versions CCMv4 and CAIQv4 will include privacy controls designed through the lens of security (e.g., privacy by design/default, protection of personal data/PII), but not at the level of depth required by the GDPR.

    Let me know if you have more questions.

    Best,


    ------------------------------
    Eleftherios Skoutaris
    Program Manager
    Cloud Security Alliance
    ------------------------------



  • 3.  RE: CCPA and GDPR in the CCM/CAIQ

    Posted May 06, 2020 02:26:00 PM
    Eleftherios,

    Is there a target date for CCMv4?

    ------------------------------
    James Leone
    Manager
    Abbott
    ------------------------------



  • 4.  RE: CCPA and GDPR in the CCM/CAIQ

    Posted May 07, 2020 12:38:00 AM
    Hi James,
    Yes, it is expected by end of Q4 2020 (could introduce some little delay up to early Q1 2021 due to the Covid situation).

    Best,

    Lefteris


    ------------------------------
    Eleftherios Skoutaris
    Program Manager
    Cloud Security Alliance
    ------------------------------