Cloud Controls Matrix

CCMv4 Call, May 26th [Meeting Minutes]

    Posted May 31, 2021 08:25:00 AM

    Dear members,
    please find below the joint minutes from our recent CCM WG main and workshop call.

    Brief summary:
    The CAIQv4 is final and its publication is planned on the 7th of June. The CCMv4.0 Implementation Guidelines are placed under final peer review and expected to be completed at the end of June. CSA has kicked off a new mapping exercise between CCMv4.0 and PCI DSS v3.2.1; participation is needed. The first draft of CCMv4.0 Auditing Guidelines (AGs) is now complete.

    Please find below the usual well-structured and detailed minutes section.

    Agenda Items (AIs):

    1. CCMv4.0 components review & development (Implementation Guidelines, CAIQv4, deadlines, next steps)
    2. Mapping & gap analysis exercises (Update on activities)
    3. Auditing Guidelines (AGs) development (Update on progress)
    4. AoB


    Participants (15):

    Brian Dorsey
    Angell Duran
    John Finizio
    Matt Hoerig
    Frank Jaramillo
    Joel John
    Erik Johnson
    Bala Kaundinya
    Joe Martella
    Claus Matzke
    Johan Olivier
    Michael Roza
    Lefteris Skoutaris (PM)
    David Sztyk
    Dimitri Vekris

    Meeting Minutes (MMs):

    1. CCMv4.0 components review & development (Implementation Guidelines, CAIQv4, deadlines, next steps)

    • CAIQv4 has gone through copyediting, changes are applied and it is now final. Public release is planned for June 7th.
    • The CAIQv4 is to be included as an additional tab within the master CCMv4.0 excel sheet, while the CAIQv4 submission form (for self-assessments) is going to be presented as a separate sheet.
    • The CCMv4.0 Implementation Guidelines final review is currently ongoing. The CCM WG is incorporating into the main body of the guidelines all the accepted changes that were received during the open peer review. Expected period for its finalization is the end of June.

    2. Mapping & gap analysis exercises (Update on activities)
      • The recent mapping activities of CCMv4.0 to AICPA TSC 2017 and CISv8.0 have been successfully completed. The mappings are planned for release at the end of June.
      • CSA has kicked off a new mapping activity of CCMv4.0 and PCI DSSv3.2.1; the deadline is set on 30/7.
      • Professionals are kindly invited to participate in the exercise and volunteer for any of the below available CCMv4 domains as 1st or 2nd reviewer.
      • CSA is in contact with NIST and is discussing a collective approach between NIST and CCM WGs for conducting the CCMv4.0 - NIST 800-53 mapping exercise.


    3. CCMv4.0 Auditing Guidelines (AGs) development (Update on progress)
      • All CCMv4.0 domains have a first draft of their auditing guidelines developed.
      • The AGs for 13/17 CCM domains have received a 2nd review and are finalized at a draft version.
      • The AGs for the remaining 4 domains are currently undergoing a 2nd review and the consolidation of received comments by CCM WG auditors.
      • Next steps for the AGs development will be discussed during the next CCM leadership meeting on June 7th.

    4. AoB
      • Please navigate to the 'Events' tab to find the call information for the upcoming CCM WG meetings.


      Action Points (APs)
      None


      Please let me know if anything important is missed above or if you have any questions/comments.
      Thank you all for being active and supporting the CCMv4 development.
      Best regards,



      ------------------------------
      Eleftherios Skoutaris
      Program Manager
      Cloud Security Alliance
      ------------------------------