Hello CSA Inner Circle,
This is my first post/thread after joining the CSA Circle Community. I have recently completed the STAR Lead Auditor training, and found the training very useful and expansive on knowledge of cloud compliance and auditing compared to interpreting the available documentation of the security matrix controls and CAIQ without formal training.
My primary question around some of the course content for specific audiences is related to Cloud Service Providers (CSPs) and organizations that might be in the process of a cloud migration strategy and want to ensure they have compliance understandings while implementing cloud controls, such as overall benefits and risk mitigations. In a shared responsibility model per se, and the involvement of a STAR auditor, who has responsibility for which control implementations?
Is there any additional documentation that covers a split between organization/company and Cloud Service Provider (CSP) responsibilities? The majority of the STAR Auditor course content appeared to be addressing CSP responsibilities for compliance. Only wondering if there is a breakdown between CSP and company/organization responsibilities for reviewing/completion of the CSM & CAIQ, or if it depends?
Thank you for the support!
Paul M Chavez
------------------------------
Paul Chavez
Security Consultant
Google Cloud (Mandiant)
------------------------------