Cloud Controls Matrix

CCMv4 Workshop Session - April 8th [Meeting Minutes]


    Posted Apr 09, 2021 05:44:00 AM

    Hi everyone,
    please find below the minutes from yesterday's workshop session.

    Agenda Items (AIs)

    1. CCMv4.0 - TSC 2017 mapping progress status (comparison review of CCM WG and AICPA group mapping versions)
    2. CCMv4.0 - CISv8.0 mapping progress status
    3. AoB

     

    Participants (12):
    Geoff Bird
    John Britton
    Madhav Chablani
    Angela Dogan
    Angell Duran
    Damian Heal
    Joel John
    Erik Johnson
    Audrey Katcher
    Bala Kaundinya
    Claus Matzke
    Lefteris Skoutaris (PM)


    Meeting Minutes (MMs)

    1. CCMv4 - TSC 2017 mapping progress status (comparison review of CCM WG and AICPA group mapping versions)
    • Consensus on the final mapping & gap analysis is met for 12/17 domains,
    • Lefteris to share an email with Angell and Audrey with pending issues on DSP and invite them to discuss and resolve them (AP1).
    • UEM mappings & gap descriptions were adapted to the missing term 'endpoint' and were deemed appropriate,
    • STA domain review has been assigned to Johan. Johan has conducted the review and Audrey is invited to re-evaluate against the AICPA group version,
    • Erik elaborated on the purpose of STA-11 (after a question posed by Johan), copying directly here Erik's response: 'the organization being audited must implement a process that reviews (rather than stipulates) how the supply chain business partners conduct internal assessments within their own organization. I'd also point to STA-06 for reference here that speaks to lifecycle responsibility allocations (including audit/assessment) where each party must "Implement, operate, and audit or assess the portions of the SSRM which the organization is responsible for." This might help explain the relationship to STA.'
    • Madhav has completed the review and consolidated Audrey's input on CCC,
    • IVS and LOG domains have pending issues waiting to be addressed by Troin (AP2)
    • All professionals are kindly asked to consult the 'status comments' column (and messages attached within the mapping itself) for assigned pending actions (AP3).
    • Hard deadline is set for April 15th.

    CCMv4.0 - TSC 2017 Mapping (progress status snapshot)


    2. Progress status of the CCMv4.0 - CISv8.0 mapping exercise and call for participation
    • 8/17 domain mappings are delivered (each reviewed by 2 professionals),
    • Claus elaborated on a very interesting portion of the STA mapping and CIS, and described his approach when mapping the SSRM controls 1-6. This specific set of control requirements of the cloud shared responsibility for any given control implementation is not addressed in CIS, hence full gaps have been identified. On the other hand, STA controls from 7-14 were mapped, pertaining to the most common security requirements for the cloud supply chain, also stipulated within SLAs between the involved parties,
    • Bala and Geoff joined the exercise as 2nd reviewers to conduct the mapping for HRS and SEF respectively,
    • The activity is missing a 2nd reviewer for mapping the domains STA and UEM (see open slots with '?' at the screenshot below),
    • All professionals are kindly asked to consult the 'status description' column (and messages attached within the mapping itself) for any assigned pending actions (AP3).
    • Hard deadline is set for May 6th.

    CCMv4.0 - CISv8.0 Mapping (progress status snapshot)


    3. AoB
    • Next CCMv4 workshop call is scheduled on April 15th, 6 pm EEST (9 am PST/ 5 pm CET/ 12 pm EST).
    • Lefteris invited professionals who are authors of the CCMv4.0 Implementation Guidelines to participate in the next main CCM WG call on 14.4, where a team is going to be put together to work on the IG comments resolution received from the open peer review (CCMv4.0 IG peer review will end on April 14).

    Action Points (APs)
    AP1: Lefteris to share an email with Angell and Audrey with pending issues on DSP and invite them to discuss and resolve them.
    AP2: IVS and LOG domains have pending issues waiting to be addressed by Troin.
    AP3: All professionals are kindly asked to consult the 'status description/comments' column (and messages attached within the main body of the mapping itself) for assigned pending actions.



    Please let me know if anything important is missed above.
    Thank you all for being active and supporting us!
    Best regards,

    ------------------------------
    Eleftherios Skoutaris
    Program Manager
    Cloud Security Alliance
    ------------------------------