Consensus Assessment (CAIQ)

  • 1.  Question about SSRM Control Ownership

    CSA Instructor
    Posted Aug 29, 2022 08:03:00 PM
    I have a question about the SSRM Control Ownership in CAIQ V4.

    It said "Shared CSP and CSC: Both the CSP and CSC share CCM control implementation responsibility and accountability".
    I think the implementation responsibility is shared by both the CSP and CSC, but the accountability remains with the CSC. Could somebody teach me why the CSP has accountability?

    Regards,
        - Morozumi

    ------------------------------
    Masahiro Morozumi
    Director
    CSA Japan Chapter
    ------------------------------


  • 2.  RE: Question about SSRM Control Ownership

    CSA Instructor
    Posted Sep 05, 2022 06:40:00 PM
    Does anybody have any suggestion for this question?

    ------------------------------
    Masahiro Morozumi
    Director
    CSA Japan Chapter
    ------------------------------



  • 3.  RE: Question about SSRM Control Ownership

    Posted Sep 06, 2022 08:55:00 AM

    I would say that accountability is context-dependent in that you first have to answer the question "accountable to whom (and in what domain or context)?".

    The CSP is both responsible and accountable to their customers through contracts and SLAs for implementing and operating the controls that they are responsible for, in whole or in part. This said, it's also true in many organizations that the executive responsible for entering into a cloud service contract with a CSP is internally accountable to their organization for the performance of the CSP they've selected and the service they've implemented. Similarly, the CSC is accountable to their customers and stakeholders for the performance of the CSPs they've selected and implemented. Does this make sense?



    ------------------------------
    Erik Johnson CCSK, CCSP, CISSP, PMP
    Senior Research Analyst
    Cloud Security Alliance
    Leesburg VA
    ------------------------------



  • 4.  RE: Question about SSRM Control Ownership

    CSA Instructor
    Posted Sep 06, 2022 06:51:00 PM
    Erik, thank you for your comments.
    I understand your following points in general:
    1. The CSP is both responsible and accountable to their customers through contracts and SLAs.
    2. The CSC is accountable to their customers and stakeholders for the performance of the CSPs.

    So the description:
    "Shared CSP and CSC: Both the CSP and CSC share CCM control implementation responsibility and accountability"
    should be understood as:
    "Shared CSP and CSC: the CSP has CCM control implementation responsibility, and both the CSP and CSC share CCM control implementation accountability"?
    OR
    "Shared CSP and CSC: the CSP has both CCM control implementation responsibility and accountability, and the CSC has CCM control implementation accountability"?

    Could you give me your suggestions on my thoughts above?

    Regards,
        - Morozumi

    ------------------------------
    Masahiro Morozumi
    Director
    CSA Japan Chapter
    ------------------------------



  • 5.  RE: Question about SSRM Control Ownership

    Posted Sep 07, 2022 10:39:00 AM

    I'd say that the original language from the CCM/CAIQ 4 regarding Shared controls is accurate:

    "Shared CSP and CSC: Both the CSP and CSC share CCM control implementation responsibility and accountability"

    Your alternative statements don't seem to account for the CSC having control implementation responsibilities for Shared controls.



    ------------------------------
    Erik Johnson CCSK, CCSP, CISSP, PMP
    Senior Research Analyst
    Cloud Security Alliance
    Leesburg VA
    ------------------------------