Cloud Controls Matrix

CCMv4 Call, June 9th [Meeting Minutes]

    Posted Jun 14, 2021 05:10:00 AM

    Dear members,
    please find below the joint minutes from our recent CCM WG main and workshop calls.

    Brief summary:
    The CAIQv4 is final and published. The CCMv4.0 Implementation Guidelines are undergoing a final review expected to finish by end of June. CSA has kicked off a new mapping exercise between CCMv4.0 and PCI DSS v3.2.1; participation is welcomed. A first draft of CCMv4.0 Auditing Guidelines (AGs) is now complete.

    Please find below the usual well-structured and detailed minutes section.

    Agenda Items (AIs):

    1. CCMv4.0 components review & development (CAIQv4, Implementation & Auditing guidelines, status update, deadlines, next steps)
    2. Mapping & gap analysis exercises (Update on activities)
    3. AoB


    Participants (10):
    John Britton
    Bobbie-Lynn Burton
    Madhav Chablani
    John DiMaria
    Angell Duran
    Frank Jaramillo
    Claus Matzke
    Johan Olivier
    Lefteris Skoutaris (PM)
    Ashish Vashishtha

     

    Meeting Minutes (MMs):

    1. CCMv4.0 components review & development (CAIQv4, Implementation & Auditing guidelines, status update, deadlines, next steps)

    • The CAIQv4 has been released and is available for download here, while a brief description of its new elements and transition policy can be found at the blog here.
    • The final review of the CCMv4.0 Implementation Guidelines (IGs) is still ongoing and expected to finish end of June. Publication of the guidelines is expected in mid-July.
    • The CCM WG has developed a first draft of the CCMv4.0 Auditing Guidelines (AGs). The work is pending a 2nd review of the BCR domain. It is expected to be shared for peer review and comments in mid-July.

    Snapshot of 'CCMv4.0 Auditing Guidelines' tool's progress tab 



    2. Mapping & gap analysis exercises (Update on activities)
      • The recent mapping activities of CCMv4.0 to AICPA TSC 2017 and CISv8.0 have been successfully completed. Both mappings are currently coded in JSON/YAML format and are expected to be published in mid-July,
      • CSA has kicked off a new mapping activity of CCMv4.0 and PCI DSSv3.2.1, hard deadline is set on 30/7,
      • Professionals are kindly invited to participate in the exercise and volunteer for any of the below open slots as 1st or 2nd reviewer,
      • Reviewers are kindly invited to visit the Status Description tab of the mapping tool for any pending actions on their end (AP1),
      • CSA is in contact with NIST and is discussing a collective approach between NIST and CCM WGs for jointly conducting a mapping exercise.

      Snapshot of 'CCMv4-PCI DSSv3.2.1' tool's progress tab

      3. AoB
      • Please navigate to the 'Events' tab to find the call information for the upcoming CCM WG meetings.


      Action Points (APs)

      AP1: Reviewers are kindly invited to visit the Status Description tab of the mapping tool for any pending actions on their end.



      Please let me know if anything important is missed above or if you have any questions/comments.
      Thank you all for being active and supporting CCMv4 development.
      Best regards,



      ------------------------------
      Eleftherios Skoutaris
      Program Manager
      Cloud Security Alliance
      ------------------------------