Cloud Controls Matrix

CCMv4 Development Activities Update (29/4/22)

    Posted Apr 29, 2022 05:25:00 AM

    Dear members,

    please find below a recent update to the current activities of the CCM WG and additional information on how you may contribute.

    Brief summary:

    • The mapping project of CCMv4 to ISO/IEC 27002:2022 is scheduled to kick-off next Thursday, 5/5. Experts are kindly invited to join the call.
    • CCMv4 - CRI FS Profile mapping is completed. Teams are working on the normalization of identified "deviations" between the 2 mappings conducted.
    • IBM FSCF - CCMv4 "reverse" mapping activity is ongoing and expected to be completed end of May.
    • CCMv4 is encoded in OSCAL. CSA-CIS and NIST are jointly working on the translation of mappings into OSCAL.
    • CCM WG experts who have contributed to CSA CCMv4 related publications can now have their profiles displayed at the CSA website by filling out this form.

    Please find below a comprehensive summary of minutes from previous CCM WG call sessions.

    Agenda Items (AIs):

    1. CCMv4 - ISO/IEC 27002:2022 Mapping project
    2. CSA - CRI Established Partnership
    3. CSA - IBM Established Partnership
    4. Other mappings to CCMv4
    5. CCMv4 SSRM Guidelines Dev. project
    6. AoB

    Meetings Minutes (MMs):

    1. CCMv4 - ISO/IEC 27002:2022 Mapping project
    • Would like to thank you for your interest and high participation in this mapping project.
    • Lefteris has shared the mapping tool and ISO standards with the group of experts who will carry out the mapping.
    • The project will kick off next Thursday 5/5. Please join the CCM WG Workshop Session on the same day, 6pm EEST (8 am PDT, 11 am EDT). Call info to join can also be found under the "Events" tab here in Circle.
    • Experts are kindly invited to join the next call session in order to discuss in more detail the scope of activities and use of ISO standards as well as the mapping methodology that is to be followed.
    2. CSA - CRI Established Partnership
    • The CSA and the Cyber Risk Institute (CRI) have teamed up to provide the financial community with a new cybersecurity assurance framework to satisfy the requirements of financial institutions adopting cloud computing technologies.
    • The collaboration is based on the alignment via mappings and gap analysis exercises of CSA's Cloud Controls Matrix v4 and CRI's Financial Services Cybersecurity Profile. 
    • The CCM WG has completed the 2nd mapping of CCMv4 and CRI Profile.
    • Teams of both groups are currently working on the normalization of "deviations" identified between the "mapping results" of the two mapping projects.

    3. CSA - IBM Established Partnership
    • CSA has established a partnership with IBM to de-risk cloud environments and enrich cloud security baselines through strategic collaboration in developing and validating cloud controls for the financial sector.
    • The CCM WG has successfully completed a base mapping and gap analysis of CCMv4 - IBM FSCF and is currently conducting the "reverse" mapping in the direction of IBM FSCF to CCMv4.
    • The reverse mapping allows both CSA and IBM to validate and align the mapped controls with the first exercise in order to ensure consistency and quality results, and moreover to identify the gaps that CCMv4 has when compared to the IBM cloud controls framework.
    • This mapping project is expected to be completed by end of May.

    4. Other mappings to CCMv4
    • A call for participation is going to be announced in the next 2-3 weeks for a new mapping project that involves CCMv4 and PCI DSS v4.0.
    • CSA UAE chapter has completed a mapping between CCMv4 and NESA's Information Assurance Standards (IAS), soon to be published at CSA's website.
    • CSA has established a collaboration with the Information Security Forum (ISF) to conduct a "base" and "reverse" mapping between CCMv4 and SOGP.
    • CIS is collaborating with NIST for the translation of mappings into OSCAL. CSA has provided CCMv4 in OSCAL in the context of this joint collaboration effort.

    5. CCMv4 SSRM Guidelines Development
    • CSA would like to embark on a project for developing guidelines that will be based on the Shared Security Responsibility Model (SSRM) and that are going to be tailored to each CCMv4 control specification.
    • The project is currently at a planning phase in collaboration with AWS and CCM WG co-chair David Nickles.
    • Experts who are experienced in implementing CCM or other cloud security frameworks, who have a good understanding of the SSRM and are interested in participating in this project, are kindly invited to contact me.

    6. AoB
    • Please navigate to the 'Events' tab here in Circle to find the call information for the upcoming CCM WG meetings.

    Action Points (APs)
    No action points defined.

    Please let me know if you have any questions/comments.
    Thank you all for being active and supporting the CCMv4 development.
    Best regards,

    ------------------------------
    Eleftherios Skoutaris
    Program Manager
    Cloud Security Alliance
    ------------------------------