Cloud Controls Matrix

CCMv4 Workshop Session - November 26th [Meeting Minutes]


    Posted Nov 29, 2020 09:13:00 AM
    Edited by Lefteris Skoutaris Nov 30, 2020 02:06:56 AM
    Hi everyone,
    here are the minutes of our recent workshop session.


    Activities & Worksheets:
    CCMv4 -to- AICPA TSC 2017 mapping (mapping tool)
    CCMv4 -to- ISO27001/02/17/18 mapping (mapping tool)
    CCMv4 -to- CCMv3.0.1 mapping (mapping tool)
    Implementation Guidance - IG development (worksheet)
    Control Applicability Matrices - CAMs development (worksheet)


    Agenda Items (AIs)
    1. Progress status overview for the following activities:
    • Mappings of CCMv4.0 to TSC, ISO27001/02/17/18, CCMv3.0.1
    • Implementation Guidance - IG development
    • Control Applicability Matrices - CAMs development
    2. AoB

    Participants (10):
    Sandra Ackland
    Renu Bedi
    Rajeev Gupta
    Roberto Hernandez
    Bala Kaundinya
    Claus Matzke
    Vani Murthy
    Lefteris Skoutaris (PM)
    Ashish Vashishtha
    Dimitri Vekris



    Meeting Minutes (MMs):

    1. Progress status overview for the following activities:

    Mappings of CCMv4.0 -to- TSC, ISO27001/02/17/18, CCMv3.0.1

    • The CCMv4.0 -to- AICPA TSC 2017 mapping is complete (Congrats to the teams!),
    • The CCMv4.0 -to- ISO27001/02/17/18 mapping is progressing very well: 12/17 domain mappings are delivered, while 4 more are very close to completion (i.e., input is provided by both reviewers and waiting for consolidation) and 1 is expecting input from a 2nd reviewer. Vani offered to take over the mapping and 1st review of the UEM domain. Deadline is set for 7/12,
    • The CCMv4.0 -to- CCMv3.0.1 mapping is progressing well at a slower pace with 11/17 domain mappings complete. Deadline is set for 17/12,
    • During the meeting professionals helped out by signing up for domain mappings that were not making good progress,
    • Professionals are kindly asked to consult the "Status Comments" column J on both mappings for any pending assignments (AP1),


    Implementation Guidance (IG) development (Deadline 10/12/20)

    • IG development is progressing well, 3 domains and underlying controls had their guidance developed and reviewed (by 1st & 2nd reviewers),
    • 10 domains are in good progress (again here engaging 2 professionals, for development and validation review) and 4 have not yet started. 6 domains are waiting for final consolidation and then delivery,
    • The exercise is lacking professionals' participation in domains AIS, CCC, GRC and SEF. Professionals that are interested in helping out are kindly invited to contact the PM (Lefteris) (AP2),
    • Professionals are kindly asked to consult the "Status Comments" column H for any pending assignments (AP3).


    Control Applicability Matrices (CAMs) development (Deadline 11/12/20)

    • CAMs development is progressing well, 6 domains have been mapped to the controls applicability matrices, and 4 domains are very close to delivery and waiting for final consolidation,
    • Rajeev has helped with the development of the definitions of the underlying elements of the "Architectural relevance" column (see "Guidance/Terms" tab). Professionals are kindly invited to review the definitions (rows 9-14) and comment with any updates. Special focus to be given to the current definition of the "compute" element and whether it needs to be reviewed (AP4),
    • Professionals are kindly asked to consult the "Status Comments" column H for any pending assignments (AP5).

    2. AoB
    • The group carried on the discussion with regards to the mapping methodology approach that should be followed by professionals when comparing two requirements. The debate focused on whether the comparison should be based on a grammatical analysis of the requirements or that professionals should interpret holistically the compared requirements based on own experience. The group decided that mappings should be carried out following the former approach. Sandra offered to draft a paragraph that would describe such a methodology approach (AP6),
    • Next CCMv4 mappings workshop is scheduled for December 3rd, 6 pm EEST (8 am PST/ 5 pm CET/ 11 am EST).




    Action Points (APs):

    • AP1/AP3/AP5: Professionals are kindly asked to consult the "Status Comments" column per activity for any pending assignments.
    • AP2: The IG exercise is lacking professionals' participation in domains AIS, CCC, GRC and SEF. Professionals that are interested in helping out are kindly invited to contact the PM (Lefteris).
    • AP4: Professionals are kindly invited to review the definitions of the underlying elements of the "Architectural relevance" column (see "Guidance/Terms" tab, rows 9-14). Special focus to be given to the "Compute" section and its current definition.
    • AP6: Sandra offered to produce a draft on the mapping methodology that was discussed and agreed during the meeting, and suggested to be followed in future mappings.

    Please let me know if anything important is missed above. 

    Thank you all for your attendance and fruitful discussion.

    Best regards,

    Lefteris



    Progress status snapshots of all CCMv4 exercises (up to 26/11/20)

    CCMv4-to-TSC2017 (Delivered)
    CCMv4-to-ISO27001/02/17/18 (In Progress)
    CCMv4-to-CCMv3.0.1 (In Progress)
    Implementation Guidance (IG) (In Progress)
    Control Applicability Matrices (CAMs) (In Progress)


    ------------------------------
    Eleftherios Skoutaris
    Program Manager
    Cloud Security Alliance
    ------------------------------