Privacy Level Agreement

PLA WG Meeting Minutes, July 30th 2024.


    Posted Aug 08, 2024 06:40:00 AM

    Dear members,

    Below you can find the meeting minutes from the PLA working group call of July 30th.

    Minutes:

    Tasks progress:
    The group discussed the progress of certain tasks. Jacopo noted that some tasks highlighted in yellow, previously assigned to Kathy, were still incomplete. Marina confirmed she and Louis were working on these and would finalize them soon.

    ISO 27001 alignment with CSA Code of Conduct:
    Jacopo Dirutigliano discussed the alignment between the ISO 27001 and the CSA code of conduct. He highlighted that the CSA code of conduct requires CSPs to comply with the controls outlined in the ISO 27001. However, he also noted a potential gap between the two, which would need to be identified.

    Previous action items:

    Update on new working group initiative on 'Mapping of the CSA Code of Conduct to the EU Cloud Code of Conduct' online document. The group members are called to work on the mapping in the 3rd Tab called 'PLA CoP v EUCloud COC' . (The first 2 tabs are for consulting). Row 8 can be used as an example.

    • Louis to map rows 67-76 - DONE
    • Louis to review ISO 27001 domains and compare them to CSA controls for rows referencing ISO standards. - DONE
    • Louis to complete mapping for rows 22, 25, 88, and 90. - Partially PENDING (rows 88 and 90 are complete)
    • Isabella to review offline the partial gaps identified in rows 57-67 and discuss with Jacopo. - PENDING
    • Isabella to review the other half of ISO 27001 domains in the EU Cloud CoC and compare them to CSA controls for rows referencing ISO standards. - DONE
    • Marina to update row 11 to reflect no gap instead of partial gap. Include more CSA CoC controls for row 10. For row 62 and control [5.13.B] to consider provision 8 (personal data breach) in case the partial gap can be avoided. Row 63, to check if "promptly" and "without hindrance" elements can be considered as implied in the data portability requirements under the CSA CoC. - Partially DONE (pending row 63)
    • Marina to complete mapping for rows 21 and 24. And rows 80,81. - Partially DONE (rows 80,81 are pending)

    New action items:

    Description of task: 'Mapping of the CSA Code of Conduct to the EU Cloud Code of Conduct' online document:
    The group members are called to work on the mapping in the 3rd Tab called 'PLA CoP v EUCloud COC'
    Column C contains the provision/control from the EU Code of Conduct, while Column F will need to be filled with the corresponding provision from the CSA Code of Conduct.
    Column H needs to be filled with one of the values No Gap, Partial Gap or Full Gap, depending on the overlap the two Codes of Conduct may or may not have. In the case of no gap, no amendment will be necessary from the CSP to the already implemented provision. In the case of a partial or full gap, the CSP will need to amend the already implemented CSA CoC provision to match the EU CoC benchmark.

    • Louis ( @Louis Pinault) to complete rows 22 and 25 that previously belonged to Kathy,
    • Jacopo and Isabella ( @Isabella Oldani) to verify the validity of rows 57-67 so that they can be marked as completed.
    • Jacopo to check the ISO cells (77-79, 82-87 and 89) and row 7 in yellow.
    • Marina to complete rows: 63, 80, 81.

    The EU Cloud Code of Conduct can be downloaded/consulted here.
    The CSA Code of Conduct is in tab
    'PLA Code of Practice (CoP) v4.1' here.

    Next working group call:

    Date: August 13

    Time: 08:00 a.m. PT / 11:00 a.m. ET / 15:00 GMT

    URL: https://cloudsecurityalliance.zoom.us/j/82987382695?pwd=amZ6cEljSCtXVU01OUVRbUUyTTNRdz09  (Meeting ID: 829 8738 2695, Passcode: 794440)

    Kind regards,
    Marina



    ------------------------------
    Marina Bregkou,
    Senior Research Analyst,
    CSA
    ------------------------------