Cloud Controls Matrix

CCMv4 Workshop Session - April 23rd [Meeting Minutes]


    Posted Apr 26, 2021 06:49:00 AM
    Hi everyone,
    please find below the minutes from our recent workshop session.

    Agenda Items (AIs)

    1. CCMv4.0 mapping projects and their progress status
    2. CCMv4.0 Implementation Guidelines final review
    3. AoB

     

    Participants (7):
    Angell Duran
    Bala Kaundinya
    Claus Matzke
    Vani Murthy
    Johan Olivier
    Thomas Sager
    Lefteris Skoutaris (PM)

      

    Meeting Minutes (MMs)

    1. CCMv4.0 mapping projects and their progress status
    CCMv4.0 - TSC 2017 Mapping
    • Mapping is complete,
    • 17/17 domains have been mapped and reviewed by CCM WG professionals and validated by the AICPA group,
    • Lefteris (PM) to adjust the mapping to CSA's presentation style prior to publication by 6/5 (AP1).

    CCMv4.0 - CISv8.0 Mapping
    • The mapping is progressing well with 15/17 domains completed,
    • Lefteris has invited the CIS team to review the mapping and suggest possible enhancements by 6/5,
    • An additional column 'H' has been added to the mapping environment to accept the input from the CIS team,
    • The BCR domain is pending a 2nd review by Johan who offered to be 2nd reviewer and carry on the activity (AP2),
    • The SEF domain is pending final consolidation of 3 comments received from Geoff (AP3),
    • Hard deadline is set for May 6th.


    2. CCMv4.0 Implementation Guidelines final review
    • CCMv4.0 IG document used for the review (includes open peer review + Google's comments),
    • The WG kicked off the final review of the CCMv4.0 Implementation Guidelines on 22/4,
    • The review will be conducted by 3 groups and in 4 phases (see snapshots below) and will be supervised by CCM WG co-chair Harry Lu,
    • Claus and Johan asked whether the auxiliary verbs 'should/may' are to be consistently used in the IGs instead of 'must/shall', based on a comment provided by Google to replace the latter with the former in one of the controls. The group agreed that IGs are developed in the form of recommendations, and adhere to organizations' best practices for the implementation of CCM controls, hence the verbs 'should/may' seem more appropriate, as also agreed in past meetings of the CCM WG,
    • Phase 2 contains a list of activities that are to be followed by professionals per domain review (see bullet points below),
    • All professionals are kindly invited to provide their feedback under Phase 2 activities by May 6th (deadline).


    3. AoB
    • Next CCMv4 workshop call is scheduled on May 6th, 6 pm EEST (9 am PST/ 5 pm CET/ 12 pm EST).
    • Next CCMv4.0 Implementation Guidelines 2-hour review session (with Harry) is scheduled on May 7th.

     

    Action Points (APs)
    AP1: Lefteris (PM) to adjust the mapping to CSA's presentation style prior to publication.
    AP2: The BCR domain is pending a 2nd review by Johan who offered to be 2nd reviewer and carry on the activity.
    AP3: The SEF domain is pending final consolidation of 3 comments received from Geoff.



    Please let me know if anything important is missed above.
    Thank you all for being active and supporting us!
    Best regards,


    ------------------------------
    Eleftherios Skoutaris
    Program Manager
    Cloud Security Alliance
    ------------------------------