Erik, thank you for your comments.
I understand your points in general as follows:
1. The CSP is both responsible and accountable to their customers through contracts and SLAs.
2. The CSC is accountable to their customers and stakeholders for the performance of the CSPs.
So the description:
"Shared CSP and CSC: Both the CSP and CSC share CCM control implementation responsibility and accountability"
should be understood as:
"Shared CSP and CSC: the CSP has CCM control implementation responsibility, and both the CSP and CSC share CCM control implementation accountability"?
OR
"Shared CSP and CSC: the CSP has both CCM control implementation responsibility and accountability, and the CSC has CCM control implementation accountability"?
Could you give me your suggestions on my thoughts above?
Regards,
- Morozumi
------------------------------
Masahiro Morozumi
Director
CSA Japan Chapter
------------------------------
Original Message:
Sent: Sep 06, 2022 08:54:54 AM
From: Erik Johnson
Subject: Question about SSRM Control Ownership
I would say that accountability is context-dependent in that you first have to answer the question "accountable to whom (and in what domain or context)?".
The CSP is both responsible and accountable to their customers through contracts and SLAs for implementing and operating the controls that they are responsible for, in whole or in part. This said, it's also true in many organizations that the executive responsible for entering into a cloud service contract with a CSP is internally accountable to their organization for the performance of the CSP they've selected and the service they've implemented. Similarly the CSC is accountable to their customers and stakeholders for the performance of the CSPs they've selected and implemented. Does this make sense?
------------------------------
Erik Johnson CCSK, CCSP, CISSP, PMP
Senior Research Analyst
Cloud Security Alliance
Leesburg VA
Original Message:
Sent: Aug 29, 2022 08:02:42 PM
From: Masahiro Morozumi
Subject: Question about SSRM Control Ownership
I have a question about the SSRM Control Ownership in CAIQ V4.
It says "Shared CSP and CSC: Both the CSP and CSC share CCM control implementation responsibility and accountability".
I think the implementation responsibility is shared by both the CSP and the CSC, but the accountability remains with the CSC. Could somebody teach me why the CSP has accountability?
Regards,
- Morozumi
------------------------------
Masahiro Morozumi
Director
CSA Japan Chapter
------------------------------