Cloud Controls Matrix

CCMv4 Call, March 17th [Meeting Minutes]

    Posted Mar 19, 2021 04:12:00 AM

    Dear members,
    please find below the minutes from our recent CCM WG call.

    Brief summary:
    The CCMv4.0 implementation guidelines and CAIQv4 have been placed under a 30-day open peer review. An updated version of CCMv4.0 has been published online, including two mappings (CCMv4.0 to CCMv3.0.1 and to ISO27001/02/17/18) and the Controls Applicability Matrix (CAM).
    CSA would like to kick off a new mapping exercise between CCMv4.0 and the CISv8.0 controls framework. Thomas and Phyllis from CIS joined our session and shared with the panel an overview of CIS activities and the purpose of the collaboration with CSA. Professionals are invited to participate in both the CCMv4-CISv8 mapping and the CCMv4 auditing guidelines development groups.

    Please find below the usual well-structured and detailed minutes section.

    Agenda Items (AIs):

    1. Latest update on CCMv4.0 current activities and components development (published works, invitation to peer review IGs and CAIQv4)
    2. Kick-off of the NEW mapping exercise 'CCMv4.0 - CISv8.0', in collaboration with the Center for Internet Security (call for participation)
    3. CCMv4.0 Auditing Guidelines (AGs) development (status update, call for participation in workshop session)
    4. AoB

     
    Participants (16):
    Renu Bedi
    Ramon Codina
    Angela Dogan
    Angell Duran
    Dennis Faire
    David Friedenberg
    Yogesh Gupta
    Erik Johnson
    Johan Olivier
    Phyllis Lee
    YC Lian
    Claus Matzke
    Thomas Sager
    Lefteris Skoutaris (PM)
    David Sztyk
    Dimitri Vekris

    Meeting Minutes (MMs)

    1. Latest update on CCMv4.0 current activities and components development (published works, invitation to peer review IGs and CAIQv4)
    • The CCMv4.0 Implementation Guidelines (Final Draft) and the CAIQv4.0 (Final Draft) are set for a 30-day open peer review (here and here).
    • The two CCMv4.0 mappings, to CCMv3.0.1 and to ISO27001/02/17/18, as well as the Controls Applicability Matrix (CAM), are final and have been published within the main CCMv4.0 Excel file (here).
    • The CCMv4.0 mapping to the AICPA TSC 2017 is currently ongoing (delivery expected at the beginning of April). The WG is incorporating into the work the input provided by the AICPA group (Audrey Katcher).
    • Members of the WG are kindly invited to comment on the IG and CAIQ drafts set for open peer review.

    2. Kick-off of the NEW mapping exercise 'CCMv4.0 - CISv8.0', in collaboration with the Center for Internet Security (call for participation)
    • Thomas Sager and Phyllis Lee joined our call and provided an introduction to the Center for Internet Security (CIS) and a brief overview of the CISv8.0 safeguards and their purpose (access audio).
    • The final release of CISv8.0 is planned for May 2021; the framework comprises 18 controls with a total of 153 safeguards. It adds a new control on (cloud) 'Service Provider Management' (Control 15), which also sets the comparison objective with CCMv4.0 for the mapping and for identifying possible gaps in either direction.
    • Lefteris (PM) announced the new mapping activity to the panel, presented the CCMv4.0-CISv8.0 mapping tool and invited professionals to sign up for the corresponding V4 domains (the tool contains tabs with 'mapping guidance' and the 'CISv8.0' controls to get everyone started).
    • Professionals are kindly invited to track all updates under the tool's 'Status' tab and pending actions in column 'H' (AP1).
    • The hard deadline for a final draft version is May 6th.

    3. CCMv4.0 Auditing Guidelines (AGs) development (status update, call for participation in workshop session)
    • The objective of the exercise is to develop assessment guidelines tailored to the CCMv4.0 control specifications, to guide auditors in conducting a real-world CCMv4.0-based audit.
    • The WG is currently drafting AGs using some of the V4 domains as pilots (TVM, GRC, BCR), in order to then align the development work for the remaining domains.
    • Good news: the AGs for the TVM and DSP domains have been drafted.
    • The exercise currently lacks auditor participation for the V4 domains HRS, IPY, IVS and UEM.
    • Professionals in the AGs development group are kindly invited to track all updates under the tool's 'Progress status' tab and pending actions in column 'H' (AP2).
    • The hard deadline for the AGs final draft is April 30th.

    4. AoB
    • Please navigate to the 'Events' tab to find the call information for the next CCM WG meetings and workshop sessions.

     

    Action Points (APs)

    AP1: Professionals are kindly invited to track all updates under the CCMv4.0 - CISv8.0 tool's 'Status' tab and pending actions in column 'H'.
    AP2: Professionals in the AGs development group are kindly invited to track all updates under the tool's 'Progress status' tab and pending actions in column 'H'.



    Permanent Action Points (PAPs)

    PAP1: New members joining the CCM WG activities are kindly invited to consult the "Participation Guidelines" document (path: Library -> CCM -> New Members -> Participation Guidelines) or alternatively contact Lefteris (PM).


    Please let me know if anything important is missed above or if you have any questions/comments.
    Thank you all for your attendance and support!
    Best regards,



    ------------------------------
    Eleftherios Skoutaris
    Program Manager
    Cloud Security Alliance
    ------------------------------