Cloud Controls Matrix

  • 1.  Looking for clarification on CCMv4.0.3, control CCC-05

    Posted Dec 02, 2021 09:49:00 AM
    Hello, I'm looking for clarification (more context) on CCMv4.0.3, control CCC-05 (please see below for reference):
    -------------------------------------------
    CCC-05:
    Include provisions limiting changes directly impacting CSCs owned environments/tenants to explicitly authorized requests within service level agreements between CSPs and CSCs.
    -------------------------------------------

    What types of changes are we expecting to see within service level agreements between CSPs and CSCs? Specifically on the CSC side, does this control relate to (for example) configuration changes made by the cloud service consumer (CSC) and ensuring that those changes are pre-authorized within a signed CSP contract? Please advise.

    Best Regards,

    Daniel Downs


    ------------------------------
    Daniel Downs
    ------------------------------


  • 2.  RE: Looking for clarification on CCMv4.0.3, control CCC-05

    Posted Dec 08, 2021 11:27:00 PM

    Hi Daniel,

The CCC-05 requirement is aimed at protecting the CSC from changes that are implemented by the CSP that could impede the operation of the system and (or) jeopardize the security, availability, or integrity of the data consumed by the CSC. In a SaaS engagement, it is quite unlikely that the CSC can implement changes that affect the CSP; usually it is the other way around – the CSP maintains the systems (usually in a well-architected multi-tenant configuration), its underlying technology stack, and the platform. For this reason, proper procedures, limitations, clear communication, etc. should be in place between the CSP and the CSC to give the CSC peace of mind that the CSP can be trusted in terms of Security, Availability, Processing Integrity, Confidentiality, and Privacy.

    It is therefore good practice for the CSC to ensure the service agreement with the CSP includes each party's responsibilities, limitations, and clear change management procedures concerning the scope of services being provided and/or consumed. This might flow into the agreed SLA for service uptime guarantees.

Regrettably, I don't have a contract template readily available to share with you, but I hope the description I provided helps.

    Kind Regards,

    Johan



    ------------------------------
    Johan Olivier
    Security and Privacy Director
    Qorus Software
    ------------------------------



  • 3.  RE: Looking for clarification on CCMv4.0.3, control CCC-05

    Posted Dec 09, 2021 06:17:00 AM
    Thank you, Johan!

    This makes sense and is quite helpful.


    ------------------------------
    Daniel Downs
    ------------------------------