Cloud Controls Matrix

CCMv4 Call, June 23rd [Meeting Minutes]


    Posted Jun 25, 2021 02:21:00 AM
    Dear members,
    please find below the joint minutes from our recent CCM WG main and workshop calls.

    Brief summary:
    • The CCMv4.0 Implementation Guidelines' final review and comments integration is expected to be complete by the end of this month.
    • CSA is working on a 'clean' and polished version of the guidelines.
    • The CCMv4.0 Auditing Guidelines will be set for open peer review on Monday, the 28th. Members and especially auditors are kindly invited to review and provide us with your feedback.
    • The CCM WG is currently conducting a mapping of CCMv4.0 and PCI DSSv3.2.1.
    • Please stay tuned for the announcement of the CCMv4 - NIST framework mapping.

    Please find below the usual well-structured and detailed minutes section.

    Agenda Items (AIs):

    1. CCMv4.0 components review & development (Implementation & Auditing guidelines, status update, deadlines, next steps)
    2. Mapping & gap analysis exercises (Update on activities)
    3. AoB


    Participants (16):
    John Britton
    Vishal Chaudhary
    Madhav Chablani
    John DiMaria
    Angell Duran
    Shawn Harris (Co-chair)
    Matthew Hoerig
    Frank Jaramillo
    Joel John
    Erik Johnson
    Bala Kaundinya
    Claus Matzke
    Johan Olivier
    Lefteris Skoutaris (PM)
    Ashish Vashishtha
    Dimitri Vekris


    Meeting Minutes (MMs):

    1. CCMv4.0 components review & development (Implementation & Auditing guidelines, status update, deadlines, next steps)

    • The implementation guidelines final review is split into four groups
      • Group A: A&A, AIS, BCR, CCC, CEK (review is led by Daniele and it is completed)
      • Group B: DCS, DSP, GRC, HRS (review is led by Johan and it is completed)
      • Group C: IAM, IPY, IVS, LOG (review is led by Harry and it is completed)
      • Group D: SEF, STA, TVM, UEM (review is led by Erik). The review is ongoing, IGs for SEF and STA are complete. Pending IGs review for TVM and UEM.
      • Deadline is set by the end of June.
    • Lefteris (PM) is preparing a 'clean' version of the implementation guidelines here. Work is in progress.
    • Johan offered to help out with the migration of a clean version of IGs for the domains of group B.
    • The CCM WG has developed a first draft of the CCMv4.0 Auditing Guidelines (AGs). The AGs will be set for open peer review on 28/6.

    2. Mapping & gap analysis exercises (Update on activities)
      • The recent mapping activities of CCMv4.0 to AICPA TSC 2017 and CISv8.0 have been successfully completed. Both mappings are expected to be published on 13/7,
      • CSA has kicked off a new mapping activity of CCMv4.0 and PCI DSSv3.2.1, hard deadline is set for 30/7,
      • Vishal offered to contribute to the 2nd review of BCR and SEF domains mapping,
      • Reviewers are kindly invited to visit the Status Description tab of the mapping tool for any pending actions on their end (AP1),
      • CSA is in contact with NIST and is discussing a collective approach between NIST and CCM WGs for jointly conducting a mapping exercise.

      Snapshot of 'CCMv4-PCI DSSv3.2.1' tool's progress tab

    3. AoB
      • Please navigate to the 'Events' tab to find the call information for the upcoming CCM WG meetings.


      Action Points (APs)

      AP1: Reviewers are kindly invited to visit the Status Description tab of the mapping tool for any pending actions on their end.



      Please let me know if anything important is missed above or if you have any questions/comments.
      Thank you all for being active and supporting us with the CCMv4 development.
      Best regards,



      ------------------------------
      Eleftherios Skoutaris
      Program Manager
      Cloud Security Alliance
      ------------------------------