Cloud Controls Matrix

  • 1.  Clarification on TVM-06 Penetration Test Frequency

    Posted Nov 08, 2022 08:07:00 AM

To implement TVM-06, "Define, implement and evaluate processes, procedures and technical measures for the periodic performance of penetration testing by independent third parties," of CSA STAR (CCMv4.0.5):

For a CSP that has more than 50 cloud products, if the CSP defines the frequency of penetration testing as a 3-year cycle,
penetration testing will be performed on all 50 products on a batch-by-batch basis within the 3-year cycle, and the cycle then repeats. In the end, every product will have had a penetration test once every 3 years by the independent third party.

As the periodicity is not specified in control TVM-06, a reasonable periodicity seems acceptable to us.

    Questions:
    Will this process satisfy the control TVM-06?

    Please give reference to the industry best practices to implement the control TVM-06.



    ------------------------------
    Mano Bharathi
    Unknown
    Unknown
    ------------------------------


  • 2.  RE: Clarification on TVM-06 Penetration Test Frequency

    Posted Nov 09, 2022 02:49:00 AM
    Edited by Lefteris Skoutaris Nov 09, 2022 04:56:00 AM
    Hi Mano,
Your syllogism with regard to the frequency of penetration testing being defined as an 'open variable' in TVM-06 is correct.

The CCMv4 Auditing Guidelines for TVM-06 stipulate that:
Auditing Guidelines
1. Examine policy for adequacy, currency, and effectiveness.
2. Determine if the process for defining frequency of penetration testing is defined.
3. Determine if the process for selection of independent third parties is defined, and evaluated.

According to point 2 above, from an auditor's perspective, the control requirement in relation to 'frequency' is met when there exists a process for defining one. Therefore, frequency is not bound to a fixed time period value.

Similarly, I would recommend consulting the CCMv4 auditing guidelines for other CCM controls of interest.
The CCMv4 auditing guidelines have been developed by experienced, active auditors eligible for the task, and should be used as the reference for compliance-relevant inquiries to the CCM.

    Best regards,
    Lefteris



    ------------------------------
    Eleftherios Skoutaris
    Program Manager
    Cloud Security Alliance
    ------------------------------



  • 3.  RE: Clarification on TVM-06 Penetration Test Frequency

    Posted Nov 11, 2022 11:23:00 PM

    Hi Lefteris,

    Thank you for your clarification, I'll definitely look into the CCMv4 Auditing Guidelines.

Thanks and regards,
    Mano



    ------------------------------
    Mano Bharathi Compliance
    Compliance Implementer
    Chennai
    ------------------------------