Cloud Controls Matrix

Dear members,
                      please find below a recent update to the current activities of the CCM WG and additional information on how you may contribute.

Brief summary:

• Call for participation in CSA-IBM partnership and mapping activity between the Cloud Controls Matrix v4.0 and IBM Financial Services Cloud Framework (FSCF).
• CCMv4 - CRI FS Profile mapping and gap analysis activity is on track and progressing well.
• SSRM guidelines development planning. Let us know if you have CCMv4 implementation experience and you would like to be part of such guidelines development exercise.
• CCM WG experts who have contributed to CSA CCMv4 related publications can now have their profiles displayed at the CSA website by filling out this form.

Please find below the usual summary of minutes from previous CCM WG call sessions.

Agenda Items (AIs):

1. CSA - IBM Established Partnership
2. CSA - CRI Established Partnership
3. Other mappings to CCMV4
4. CCMv4 SSRM Guidelines Development
5. AoB

• The established partnership between IBM and CSA aims to de-risk cloud environments and enrich cloud security baselines through strategic collaboration in developing and validating cloud controls for the financial sector.
• The CCM WG has successfully completed a base mapping and gap analysis of CCMv4 and the IBM FSCF and has recently kicked-off the "Reverse" mapping and gap analysis, this time on the direction of IBM FSCF to CCMv4.
• The objective of the reverse mapping activity is re-validating the mapped elements derived from the first exercise to ensure consistency and quality results, as well as identifying the gaps that CCMv4 has when compared to the IBM cloud controls framework. 
• Members of the CCM WG who wish to participate in the reverse mapping are kindly invited to contact me (Lefteris).

• The Cloud Security Alliance (CSA) and the Cyber Risk Institute (CRI) have teamed up to provide the financial community with a new cybersecurity assurance framework to satisfy the requirements of financial institutions adopting cloud computing technologies.
• The collaboration is based on the integration via mappings and gap analysis exercises of CSA's Cloud Controls Matrix v4 and CRI's Financial Services Cybersecurity Profile. 
• The CCM WG is currently conducting a base mapping of CCMv4 to CRI FS Profile having good progress (see snapshot).

• CCM WG has discussed conducting additional base and reverse mappings of CCMv4 to other standards in 2022 (not necessarily in this order): ISO27001/02:2022, FedRamp V5, PCI DSS v4, EUCS, as soon as the aforementioned 2 mapping activities are completed.

• CSA would like to embark on another great project for 2022, that is, developing guidelines that will be based on the Shared Security Responsibility Model (SSRM) and that are going to be tailored to each of the CCMv4 control specifications.
• The project is currently at a planning phase in collaboration with AWS team.
• Any experts who are experienced in implementing CCM or other cloud security frameworks, that have a good understanding of the SSRM, and are interested in participating in this project, are kindly invited to contact me.

• Please navigate to the 'Events' tab here in Circle to find the call information for the upcoming CCM WG meetings.

Dear members,
                      please find below a recent update to the current activities of the CCM WG and additional information on how you may contribute.

Brief summary:

• Call for participation in CSA-IBM partnership and mapping activity between the Cloud Controls Matrix v4.0 and IBM Financial Services Cloud Framework (FSCF).
• CCMv4 - CRI FS Profile mapping and gap analysis activity is on track and progressing well.
• SSRM guidelines development planning. Let us know if you have CCMv4 implementation experience and you would like to be part of such guidelines development exercise.
• CCM WG experts who have contributed to CSA CCMv4 related publications can now have their profiles displayed at the CSA website by filling out this form.

Please find below the usual summary of minutes from previous CCM WG call sessions.

Agenda Items (AIs):

1. CSA - IBM Established Partnership
2. CSA - CRI Established Partnership
3. Other mappings to CCMV4
4. CCMv4 SSRM Guidelines Development
5. AoB

• The established partnership between IBM and CSA aims to de-risk cloud environments and enrich cloud security baselines through strategic collaboration in developing and validating cloud controls for the financial sector.
• The CCM WG has successfully completed a base mapping and gap analysis of CCMv4 and the IBM FSCF and has recently kicked-off the "Reverse" mapping and gap analysis, this time on the direction of IBM FSCF to CCMv4.
• The objective of the reverse mapping activity is re-validating the mapped elements derived from the first exercise to ensure consistency and quality results, as well as identifying the gaps that CCMv4 has when compared to the IBM cloud controls framework. 
• Members of the CCM WG who wish to participate in the reverse mapping are kindly invited to contact me (Lefteris).

• The Cloud Security Alliance (CSA) and the Cyber Risk Institute (CRI) have teamed up to provide the financial community with a new cybersecurity assurance framework to satisfy the requirements of financial institutions adopting cloud computing technologies.
• The collaboration is based on the integration via mappings and gap analysis exercises of CSA's Cloud Controls Matrix v4 and CRI's Financial Services Cybersecurity Profile. 
• The CCM WG is currently conducting a base mapping of CCMv4 to CRI FS Profile having good progress (see snapshot).

• CCM WG has discussed conducting additional base and reverse mappings of CCMv4 to other standards in 2022 (not necessarily in this order): ISO27001/02:2022, FedRamp V5, PCI DSS v4, EUCS, as soon as the aforementioned 2 mapping activities are completed.

• CSA would like to embark on another great project for 2022, that is, developing guidelines that will be based on the Shared Security Responsibility Model (SSRM) and that are going to be tailored to each of the CCMv4 control specifications.
• The project is currently at a planning phase in collaboration with AWS team.
• Any experts who are experienced in implementing CCM or other cloud security frameworks, that have a good understanding of the SSRM, and are interested in participating in this project, are kindly invited to contact me.

• Please navigate to the 'Events' tab here in Circle to find the call information for the upcoming CCM WG meetings.