Dear members,
Please find the minutes from the last PLA WG call on the 7th of November:
Minutes:
New action items:
- Louis ( @Louis Pinault) to work on rows 23, 24, 25, 42.
- Rajat ( @Rajat Dubey) to work on rows 115, 116, 147, 197, 198.
- Unassigned red cells for the mapping of the CPRA to the GDPR: 199 to 202, 214, 215, 228 to 234, 263, 266, 269, 287 to 299, 304 to 309.
Next working group call:
Day: Tuesday, 5th of December
Time: 08:00 a.m. PST / 11:00 EST / 16:00 GMT / 17:00 CET.
URL: https://cloudsecurityalliance.zoom.us/j/82987382695?pwd=amZ6cEljSCtXVU01OUVRbUUyTTNRdz09 (Meeting ID: 829 8738 2695, Passcode: 794440)
Kind regards,
Marina
***********************************************************************************************************************************************************************
Structure of the table included in the "CPRA - PLA_CoC Mapping" tab:
This table is structured as follows:
- Columns from A to C include the results of our previous CPRA – GDPR mapping exercise (all previous comments have been removed and the results of our discussion are now consolidated in column C);
- Column D ("Type of Provision") is meant to be completed with an indication of the type of provision that is included in Columns B and C (whether "Obligation" or "Definition & Procedures"). The relevant type of provision should have been already selected for all provisions that we have examined so far.
- Column E ("PLA Code of Practice Controls Mapping") needs to be filled out by adding a reference (if any) to the relevant Control (of the CSA CoC) that covers the relevant CCPA provisions identified in columns B and C (which raise obligations for Cloud Service Providers – "CSPs" or include definitions that are relevant for determining the scope of those obligations);
- Column F ("Gap Identification") is meant to be used in order to specify whether the relevant CCPA provisions are covered or not by the identified Control (of the CSA CoC) and, if so, to what extent ("No Gap" / "Partial Gap" / "Full Gap"). In particular:
- "No gap" should be selected when compliance with the Control identified in Column E would allow CSPs to fully comply with the obligations stemming from the relevant CCPA provisions (identified in Columns B and C);
- "Partial Gap" should be selected when compliance with the Control identified in Column E would allow CSPs to partly comply with the obligations stemming from the relevant CCPA provisions (identified in Columns B and C), with the result that some compensating Controls would need to be added to the CoC;
- "Full gap" should be selected when there is no corresponding Control that can be leveraged in order to ensure that CSPs can comply with the obligations stemming from the relevant CCPA provisions (identified in Columns B and C), with the result that a new Control should be set up.
- Column G ("Gap analysis") should be filled out with a summary of the analysis performed in Columns E and F;
- Column H ("Compensating Control") should be completed with an indication of the "compensating control" that needs to be added to the CoC (in order to ensure that CSPs can fully comply with the obligations stemming from the relevant CCPA provisions) in the event that a "Partial" or "Full Gap" has been identified in Column F (in other words, what Control needs to be added to the CoC / how an existing Control needs to be amended in order to ensure that CSPs can fully comply with the relevant CCPA provision?);
- Column I ("Reviewer's Name") should be completed with the name of the participant in the PLA WG who would like to contribute to this analysis;
- Column J ("Co-Chair Team Review") is meant to be completed with comments from the Co-Chair Team on the analysis performed by the Reviewer.
*****************************************************************************************************************************************************
------------------------------
Marina Bregkou,
Senior Research Analyst,
CSA
------------------------------