Dear members,
please find below the joint minutes from our recent CCM WG main and workshop calls.
Brief summary:
- The CCMv4.0 Implementation guidelines are final and expected for release on September 14th and during the CSA Sectember event.
- The CCMv4.0 auditing guidelines are under final review by the CCM group of auditors.
- The CCMv4 - PCI DSS v3.2.1 mapping and gap analysis is almost complete.
- CSA has kicked-off a NEW mapping between CCMv4 - NIST 800-53r5.
Please find below the usual well-structured and detailed minutes section.
Agenda Items (AIs):
- CCMv4.0 components development and ongoing reviews
- CCMv4.0 mapping & gap analysis exercises (NIST 800-53r5, PCI DSSv3.2.1)
- AoB
Participants (19):
Robin Basham
Geoff Bird
John Britton
Madhav Chablani
Angela Dogan
Angell Duran
David Friedenberg
Damian Heal
Frank Jaramillo
Erik Johnson
Sudhir Kamble
Rajendra Kathal
Bala Kaundinya
John D. Maria
Claus Matzke
Johan Olivier
Thomas Sager
Lefteris Skoutaris (PM)
David Sztyk
Meeting Minutes (MMs):
1. CCMv4.0 components development and ongoing reviews
- The CCMv4.0 implementation guidelines are final and expected to be published during the Sectember event, on September 14th.
- The guidelines are to be published in both 'pdf' and 'excel' based formats (in the latter case as an additional tab in the CCMv4 excel sheet),
- Erik extended current section 1.1.4 of the document to include references to SSRM in relation to CCMv4 components,
- Johan, Angell and Madhav finished the description on CCM domains IVS, TVM and IPY respectively.
- Erik and Damian discussed possible improvements to the CCMv4.0 auditing guidelines with respect to the SSRM and specifically on the guidelines of STA 1-6.
- Lefteris has invited Erik to contribute to the final review on the auditing guidelines assigned under group D.
- Lefteris shared internally (CSA) the implementation guidelines document for proper design/formatting and preparation for its publication and working on its encoding in YAML format.
- The CCMv4.0 auditing guidelines are under final review by the working group.
- The CCM is split into 4 groups of domains and equal number of groups A-D of reviewers (auditors).
- Sanjeev, Damian, Dave and Agnidipta offered to lead the review on those groups.
- All leaders and group reviewers are active and sessions are scheduled per group to coordinate and conduct the reviews.
2. CCMv4.0 mapping & gap analysis exercises
- The CCMv4.0 - PCI DSSv3.2.1 mapping is almost complete
- 16/17 domains mappings are delivered,
- LOG domain is pending 2 comments consolidation by 1st reviewer (Thomas conducted 2nd review, waiting for Vani),
- Lefteris conducting consistency checks and preparing the content for encoding in YAML.
- CSA has kicked-off a new mapping activity between CCMv4.0 - NIST 800-53r5.
- Robin has been invited by the CCM leadership team to lead on the mapping activity of CCM and NIST 800-53 and has provided guidance in that direction,
- Robin has included two tabs in the tool 'Sample Mapping to NIST Parent Control' and 'Sample Mapping NIST Enhancement Level Control' to assist experts,
- Experts participating in the exercise are also invited to visit the 'Mapping Guidance' tab of the tool in order to follow a consistent mapping approach with previous CSA mappings,
- 3 CCM domains, BCR, STA and UEM are missing a 2nd reviewer (contact Lefteris if someone is interested in participating),
- Professionals are kindly invited to visit the Status Description column (under the Progress Status tab) of the mapping tool for any pending actions on their end (AP1).
Snapshot of 'CCMv4-PCI DSSv3.2.1' tool's progress tab
Snapshot of 'CCMv4-NIST 800-53r5' tool's progress tab
3. AoB
- Please navigate to the 'Events' tab to find the call information for the upcoming CCM WG meetings.
Action Points (APs)
AP1: Professionals are kindly invited to visit the Status Description column (under the Progress Status tab) of the CCMv4 - NIST 800-53r5 mapping tool for any pending actions on their end (AP1).
Please let me know if anything important is missed above or if you have any questions/comments.
Thank you all for your being active and supporting us.
Best regards,
------------------------------
Eleftherios Skoutaris
Program Manager
Cloud Security Alliance
------------------------------