The Inner Circle

 View Only

  • 1.  Questions after completion of the CSA STAR Auditor course

    Posted 30 days ago

    Hello CSA Inner Circle,

    This is my first post/thread after joining the CSA Circle Community.  I have recently completed the STAR Lead Auditor training, and found the training very useful and expansive on knowledge of cloud compliance and auditing compared to interpreting the available documentation of of the security matrix controls and CAIQ without formal training.

    My primary question around some of the course content for specific audiences is related to Cloud Service Providers (CSPs) and organizations that might be in the process of a cloud migration strategy and want to ensure they have compliance understandings while implementing cloud controls, such as overall benefits and risk mitigations. In a shared responsibility model per-say, and the involvement of a STAR auditor, who has responsibility for which control implementations?

    Is there any additional documentation that covers a split between organization/company and Cloud Service Provider (CSP) responsibilities? The majority of the STAR Auditor course content appeared to be addressing CSP responsibilities for compliance.  Only wondering if there is a breakdown between CSP and company/organization responsibilities for reviewing/completion of the CSM & CAIQ, or if it depends?

    Thank you for the support!

    Paul M Chavez



    ------------------------------
    Paul Chavez
    Security Consultant
    Google Cloud (Mandiant)
    ------------------------------


  • 2.  RE: Questions after completion of the CSA STAR Auditor course

    Posted 28 days ago
    Hi Paul, 
    Thanks for your kind words on the value you got out of the STAR LA course.

    We have quite an extensive SSRM Implementation Guide that will be released very shortly. I am pretty sure this will provide more than enough guidance. I don't have the exact date, but @Eleftherios Skoutaris the lead analyst on this could provide that information.
    Either way, you should get notified when it is released.
    John A DiMaria; CSSBB, AMBCI, HISP, MHISP, CERP
    Director of Operations Excellence
    Cloud Security Alliance
    m:+1 314 374-9752





    This e-mail account is used only for work-related purposes; it is not guaranteed that any correspondence sent to this address will be read by the addressee only, as it may be necessary, under certain circumstances, for third parties appointed by the Cloud Security Alliance to access this e-mail account. Please do not send any messages of a personal nature to this address.



    Original Message