Cloud Controls Matrix

CCMv4 Call, March 31st [Meeting Minutes]

    Posted Apr 01, 2021 11:12:00 AM
    Edited by Lefteris Skoutaris Apr 01, 2021 11:12:55 AM
    Dear members,
    please find below the minutes from our recent CCM WG call.

    Brief summary:
    Members are kindly invited to review and submit their comments to the 2 ongoing peer reviews of the CCMv4.0 Implementation Guidelines and CAIQv4, which end on April 14th. Erik presented to the group a set of 4 SSRM columns that the WG suggests adding to the next version of CAIQ (see snapshot below). Please join the CAIQ team sessions and share your view on the usefulness (or not) of the suggested addition.
    Help from auditors is needed on the CCMv4.0 Auditing Guidelines development activity (visit the 'Events' tab here in Circle to join our Friday sessions and contribute to the work).

    Please find below the usual well-structured and detailed minutes section.

    Agenda Items (AIs):
    1. Latest update on all CCMv4.0 activities and components development (IG, CAIQ peer reviews, deadlines, next steps)
    2. CCMv4.0 mapping & gap analysis exercises to AICPA TSC 2017 and CIS v8.0 (Brief update on progress, call for participation)
    3. CCMv4.0 Auditing Guidelines (AGs) development (Brief update on progress, call for auditors participation)
    4. AoB (any other topics in need of discussion)

    Participants (14):
    Angell Duran
    Yogesh Gupta
    Shawn Harris (Co-chair)
    Jan Jacobsen
    Erik Johnson
    Rajendra Kathal
    Bilal Khattak
    John Di Maria
    Claus Matzke
    Sanam Mehra
    Akshaya Murthy
    Lefteris Skoutaris (PM)
    David Sztyk
    Ashish Vashishtha


    Meeting Minutes (MMs)

    1. Latest update on all CCMv4.0 activities and components development (IG, CAIQ peer reviews, deadlines, next steps)
    • The CCMv4.0 Implementation Guidelines and the CAIQv4.0 (both final draft versions) are placed for open peer review here and here. CSA kindly invites you to provide your comments under the CCM domain of your expertise,
    • Open peer review for both documents closes on April 14,
    • Next step will be the review of received comments and their resolution, which will require a series of workshop sessions, where the CCM WG co-chairs, IG & CAIQv4 authors will be involved. Announcements will be made during our next CCM WG call on April 14th,
    • Discussion during the meeting also covered the new proposal for an SSRM add-on to the CAIQv4.0 (see snapshot - columns G to J),
      • G: CSP indicates whether the corresponding question/requirement portion of the CCMv4 control is a shared responsibility between the two parties or not.
      • H: CSP indicates whether the corresponding question/requirement portion of the CCMv4 control is applicable to the service under assessment.
      • I: CSP indicates the 'how to' implementation of the corresponding question/requirement portion of the CCMv4 control that it is responsible for (CSP-owned, Shared cases)
      • J: CSP indicates the 'how to' implementation of the corresponding question/requirement portion of the CCMv4 control that the CSC is responsible for (CSC-owned, Shared cases)
    • Members of the WG are kindly invited to join the CAIQv4 team sessions and share their opinion with Tony and Erik, who are leading the work.


    2. CCMv4.0 mapping & gap analysis exercises to AICPA TSC 2017 and CIS v8.0 (Brief update on progress, call for participation)
    • CCMv4.0 - AICPA TSC 2017 mapping activity: The group is conducting a comparison review exercise based on a version of the CCMv4.0 - TSC2017 mapping that was shared with the CCM WG by the AICPA group (Audrey Katcher). The comparison review is expected to be delivered by April 15th,
    • CCMv4.0 - CISv8.0 mapping activity: The activity is progressing well. The mapping is missing a 2nd reviewer for the domains: HRS, SEF and UEM. Please reach out to Lefteris (PM) if you are interested. The hard deadline is set for May 6th,
    • Claus (IAM and STA) and Yogesh (IVS) estimated that their reviews will be completed by April 7th and April 2nd respectively (CCMv4 - CISv8 mapping).

    3. CCMv4.0 Auditing Guidelines (AGs) development (Brief update on progress, call for auditors participation)
    • The objective of the exercise is to develop assessment guidelines tailored to the CCMv4.0 control specifications, to aid auditors in validating that any given CCM control is properly implemented, satisfies its security objective and is effective after implementation,
    • The group is developing AGs using some of the v4 domains as pilots (TVM, GRC, BCR) and will then discuss and refine them to build a baseline that aligns the development work for the remaining CCMv4.0 domains,
    • Jan offered to help us with the development of AGs for the CEK domain,
    • The exercise is mainly driven by auditors, who take the lead per domain; nevertheless, all security professionals are welcome to contribute as 2nd reviewers,
    • The activity is currently lacking help from auditors on the development of AGs for the CCMv4.0 domains: HRS, IPY and UEM. Interested auditors who wish to contribute are kindly invited to join us.

    4. AoB (any other topics in need of discussion)
    • Please navigate to the 'Events' tab to find the call information for the next CCM WG meetings and workshop sessions.

    Action Points (APs)
    None

    Permanent Action Points (PAPs)
    PAP1: New members joining the CCM WG activities are kindly invited to consult the "Participation Guidelines" document (path: Library -> CCM -> New Members -> Participation Guidelines) or alternatively contact Lefteris (PM) to bring you up to speed with the CCM WG activities.

    Please let me know if anything important is missed above or if you have any questions/comments.
    Thank you all for being active and supporting the CCMv4 development.
    Best regards,

    ------------------------------
    Eleftherios Skoutaris
    Program Manager
    Cloud Security Alliance
    ------------------------------