Cloud Controls Matrix

Auditing Guidelines dev. Team Call - March 12th [Meeting Minutes]


    Posted Mar 15, 2021 05:34:00 AM
    Hi everyone,
    please find below the minutes from our recent AGs development call session on 12/3 (including latest updates).

    Relevant documentation:
    • CCMv4.0 Auditing Guidelines worksheet (Input document)
    • CCAK extract: module 7 CCM Auditing Guidelines (supportive documentation)
    • CCAK extract: CCM Audit Workbook (supportive documentation)


    Agenda Items (AIs):

    1. Touch base on progress status of Auditing Guidelines (AGs) development for the CCMv4.0 domains selected as pilot exercises
    2. Need professionals to sign up to CCMv4.0 AGs development (call for participation)
    3. AoB

    Participants (15):
    Troin Artis
    Parminder Bawa
    Madhav Chablani
    Brian Dorsey
    Angell Duran
    Sanjeev Gupta
    Harry Lu (Co-chair)
    Shamun Mahmud
    Vani Murthy
    Johan Olivier
    Max Pritikin
    Agnidipta Sarkar
    Steve Sparkes
    Lefteris Skoutaris (PM)
    Ashish Vashishtha

     

    Meeting Minutes (MMs)

    1. Touch base on progress status of Auditing Guidelines (AGs) development for the CCMv4.0 domains selected as pilot exercises
    • The TVM domain is the first domain (and pilot exercise) for which AGs have been developed and reviewed by both auditors (many thanks to Renu and Ashish),
    • Sanjeev has begun to write the audit objectives for the A&A domain and the next step is to carry on with the AGs development,
    • Agni supported the inclusion of another column under the 'audit workbook' tab with the title 'audit criteria' that would help auditors better define and refine AGs development. Agni was kindly invited and agreed to develop the audit criteria for the BCR domain (to present at next call session), as well as prepare a first draft of AGs for that domain. (AP1),
    • Ashish has begun drafting the AGs for the GRC domain (AGs for GRC-01/06/08 are drafted until this point),
    • Steve has drafted the AGs for all the controls in the DSP domain and is waiting for Brian to review (AP2),
    • First set of pilot exercises on V4 domains include the TVM, GRC and BCR (with TVM pilot already completed),
    • Parminder & Sanjeev asked about DCS-08 and how this control is implemented in practice (with the objective to derive the auditing approach); PM to communicate the question to the CCM WG and co-chairs (AP3),
    • All professionals are kindly invited to review the drafted auditing guidelines (currently written for DSP and TVM) and discuss during our next meeting (AP4),
    • A hard deadline is set on 30/4 for delivering a final draft of all CCMv4.0 AGs (the next step is that AGs will be set for open peer review in May).


    Snapshot taken from 'progress status' tab of the AG workbook

     

    2. Need professionals to sign up to CCMv4.0 AGs development (call for participation)
    • We would like to kindly invite auditors to help us out with the AGs development for HRS, IPY, IVS, UEM (see red '?' in progress status tab above)

    3. AoB
    • Next CCMv4.0 AG dev. call is scheduled on March 19th, 5 pm EEST (7am PST / 10am EST / 4pm CET).


      Action Points (APs)

      AP1: Agni is kindly invited and agreed to develop the audit criteria for the BCR domain (to present at next call session), as well as prepare a first draft of AGs for that domain.
      AP2: Steve has drafted the AGs for all the controls in the DSP domain and is waiting for Brian to review.
      AP3: PM to communicate a question on DCS-08 implementation to the CCM WG and co-chairs.
      AP4: All professionals are kindly invited to review the drafted auditing guidelines (currently written for DSP and TVM) and discuss during our next meeting.


      Please let me know if anything important is missed above. 
      Thank you all for your attendance and support.
      Best regards,

      ------------------------------
      Eleftherios Skoutaris
      Program Manager
      Cloud Security Alliance
      ------------------------------