Dear Jim,
since you are liaising with CIS, it would be nice to also address (or at least start discussing) aspects which are becoming more and more crucial. When we take into consideration today's digital transformation journey happening at all levels and sectors, it becomes, in my opinion, important to add environmental and temporal variables to the framework, not to mention the changing regulation and the compliance obligations and recommendations, which become an ongoing process, aspects which might have a huge impact on the severity and applicability of the controls. So when inspecting an XaaS provider, I would add:
- Readiness of the provider on changing regulations (adaptability to evolving regulation, nationally and internationally)
- SLA elasticity (options available to clients to adapt upon ad-hoc requirements)
- a chapter with questions to understand, at least basically, the readiness level against topics such as digital transformation & technology innovation (where aspects such as environmental and temporal adaptability could be reviewed).
The inputs made by Erik Johnson are also crucial to be taken into the discussion, and highlight the "ZTA" and "shared responsibility", which are key topics. And yes, working with major providers to define secure config baselines would be not only helpful, but highly recommended.
------------------------------
Becca Danilo
Manager
Cornèr Banca SA
------------------------------
Original Message:
Sent: Sep 10, 2020 08:18:16 AM
From: Jim Reavis
Subject: Center for Internet Security (CIS) Controls and CSA CCM
Hi All,
I wanted to get some expert opinions on possible collaboration we should do with Center for Internet Security, particularly with their CIS controls as they are updating from ver 7 to 8 and we are updating CCM. I will be talking to CIS leadership soon and was curious what the community thought the synergy might be (beyond mapping).
https://www.cisecurity.org/controls/cis-controls-list/
------------------------------
Jim Reavis CCSK
Cloud Security Alliance
Bellingham WA
------------------------------