Privacy Level Agreement

PLA WG Meeting Minutes, July 16th 2024.

    Posted Jul 23, 2024 02:02:00 AM

    Dear members,

    Below you can find the meeting minutes from the PLA working group call of July 16th.

    To hear the recording: https://cloudsecurityalliance.zoom.us/rec/share/RXoEm5CdEAlvsjRSfPjIx0KR-To8xhAZBOjOBRsVDpdCx-vtOJcarACThXTngRIH.plQlcwe2P7dfCEQn  (Passcode: 85c=#+tP)

    Minutes:

    The group discussed the discrepancies between the EU's CoC and the ISO 27001 standard, particularly in relation to specific domain controls. They agreed to review each domain in ISO 27001 to ensure it aligns with the CoC. Isabella committed to discussing this approach with her team. Additionally, they decided to split the workload for reviewing controls without ISO references, with Isabella reviewing the first half and Louis the second. The group will reconvene in two weeks to continue the discussion.

    Previous action items:

    Update on new working group initiative on 'Mapping of the CSA Code of Conduct to the EU Cloud Code of Conduct' online document. The group members are called to work on the mapping in the 3rd tab called 'PLA CoP v EUCloud COC'. (The first 2 tabs are for consulting.) Row 8 can be used as an example.

    • Marina will review the previous yellow cells of CSA and WP 3.0 controls and provide feedback to Jacopo Dirutigliano. - DONE
    • Louis will add a few words to the "no gap" justifications in the code of conduct. - DONE
    • Marina to map rows 57 - 66 - DONE
    • Louis to map rows 67-76. PENDING

    New action items:

    Description of task: 'Mapping of the CSA Code of Conduct to the EU Cloud Code of Conduct' online document:
    The group members are called to work on the mapping in the 3rd tab called 'PLA CoP v EUCloud COC'.
    Column C contains the provision/control from the EU Code of Conduct, while Column F will need to be filled with the corresponding provision from the CSA Code of Conduct.
    Column H needs to be filled with the values No Gap, Partial Gap or Full Gap, depending on the overlap the 2 Codes of Conduct may or may not have. In the case of no gap, no amendment will be necessary from the CSP to the already implemented provision. In the case of a partial or full gap, the CSP will need to amend the already implemented CSA CoC provision to match the EU CoC benchmark.

    • Louis (@Louis Pinault) to map rows 67-76.
    • Louis (@Louis Pinault) to review ISO 27001 domains and compare them to CSA controls for rows referencing ISO standards.
    • Louis (@Louis Pinault) to complete mapping for rows 22, 25, 88, and 90.
    • Isabella (@Isabella Oldani) to review offline the partial gaps identified in rows 57-67 and discuss with Jacopo.
    • Isabella (@Isabella Oldani) to review the other half of ISO 27001 domains in the EU Cloud CoC and compare them to CSA controls for rows referencing ISO standards.
    • Marina to update row 11 to reflect no gap instead of partial gap. Include more CSA CoC controls for row 10. For row 62 and control [5.13.B], to consider provision 8 (personal data breach) in case the partial gap can be avoided. Row 63: to check if the "promptly" and "without hindrance" elements can be considered as implied in the data portability requirements under the CSA CoC.
    • Marina to complete mapping for rows 21 and 24, and rows 80 and 81.

    The EU Cloud Code of Conduct can be downloaded/consulted here.
    The CSA Code of Conduct is in tab 'PLA Code of Practice (CoP) v4.1' here.

    Next working group call:

    Date: July 30

    Time: 08:00 am PT / 11:00 am ET / 15:00 GMT

    URL: https://cloudsecurityalliance.zoom.us/j/82987382695?pwd=amZ6cEljSCtXVU01OUVRbUUyTTNRdz09  (Meeting ID: 829 8738 2695, Passcode: 794440)

    Kind regards,
    Marina
    ------------------------------
    Marina Bregkou,
    Senior Research Analyst,
    CSA
    ------------------------------