Cloud Controls Matrix

CCMv4 Workshop Call, July 29th [Meeting Minutes]


    Posted Jul 30, 2021 03:06:00 AM

    Dear members, please find below the joint minutes from our recent workshop call.

    Brief summary:

    • The CCM WG is currently working on developing the 'introduction' section of the CCMv4.0 Implementation Guidelines documentation.
    • Members of the community are kindly invited to contribute to the sub-/sections of the document. The document is scheduled for release during the CSA Sectember event mid-September.
    • The CCMv4 - PCI DSS v3.2.1 mapping and gap analysis is progressing well with 12/17 domain mappings completed.
    • In need of a 2nd reviewer on IVS and LOG domains mapping to PCI-DSS.

    Please find below the usual well-structured and detailed minutes section.

    Agenda Items (AIs):

    1. CCMv4.0 Implementation Guidelines development
    2. Mapping & gap analysis exercises
    3. AoB


    Participants (10):
    Geoff Bird
    John Britton
    Madhav Chablani
    Angell Duran
    Frank Jaramillo
    Joel John
    Erik Johnson
    Claus Matzke
    Johan Olivier
    Lefteris Skoutaris (PM)



    Meeting Minutes (MMs):

    1. CCMv4.0 Implementation Guidelines development

    • The main content of implementation guidelines per each of the 17 CCMv4 cloud security domains is final and currently undergoing a copyediting process,
    • The group is working on the introduction section of the same document (exec. summary, introduction, glossary, etc.),
    • A great team of professionals, consisting of: Geoff Bird, Madhav Chablani, Angell Duran, Joel John, Erik Johnson, Bala Kaundinya, Claus Matzke, Johan Olivier, Michael Roza, are developing the introduction section of the document and providing a description for each CCM domain and its usefulness to cloud organizations,
    • The implementation guidelines are to be published both in document form and in the CCMv4.0 excel sheet as an additional tab,
    • PM is encoding the guidelines into YAML format for more efficient versioning and error control.

    2. Mapping & gap analysis exercises (Update on activities)
    • CSA has kicked off a new mapping activity of CCMv4.0 and PCI DSSv3.2.1, hard deadline is set for 15/8,
    • The mapping on 12/17 CCM domains has been successfully completed (incl. a 2nd review),
    • Johan has consolidated all comments provided by Angell on the 2nd validation review for the mapping of HRS, 
    • Geoff has successfully validated all mappings done by Michael on CES,
    • Tanya had to step down on the 2nd review of IVS and LOG, need a 2nd reviewer to carry on these reviews,
    • Renu and Joel conducted 2nd review on STA and TVM respectively,
    • Professionals are kindly invited to visit the 'Status Description' tab of the mapping tool for any pending actions on their end (AP1).


    Snapshot of 'CCMv4-PCI DSSv3.2.1' tool's progress tab

     

    3. AoB

    • Please navigate to the 'Events' tab to find the call information for the upcoming CCM WG meetings.
    • CSA will soon announce the kick-off activity for the mapping of CCMv4 to NIST 800-53 rev4/5, possibly at next week's main CCMv4 call (plus in Circle).


    Action Points (APs)

    AP1: Professionals are kindly invited to visit the 'Status Description' tab of the CCMv4 - PCI DSSv3.2.1 mapping tool for any pending actions on their end (AP1).

    Please let me know if anything important is missed above or if you have any questions/comments.
    Thank you all for being active and supporting us.
    Best regards,



    ------------------------------
    Eleftherios Skoutaris
    Program Manager
    Cloud Security Alliance
    ------------------------------