Privacy Level Agreement

Reminder of tomorrow's PLA working group call!


    Posted Jan 15, 2024 04:45:00 AM

    Dear members,

    This is a reminder of our first 2024 call of the PLA working group, scheduled to take place tomorrow.

    Agenda:

    • Isabella (@Isabella Oldani) to review Rajat's rows 228 to 234 and 214-215.
    • Louis (@Louis Pinault) to work on rows 263, 266, 269 and 291 - 299.
    • Yuvaraj (@Yuvaraj Madheswaran) to work on rows 287-290.
    • Isabella (@Isabella Oldani) to review Row 26 and check whether there is a gap and a new control is needed, or if the Code of Conduct provides any info on remediation for the business or cloud customer, based on the controls Louis provided from the previous action item. Review also row 200 and check why Article 29 was selected as relevant.

    How to contribute:

    In Google document: 2023_11_03_CPRA - PLA_CoP_Mapping (WiP) document, tab "CPRA - PLA_CoC Mapping" (with the green label), while the other tabs are included in the file as a reference.

      • For the red cells (in scope): Complete columns D, E, F, G and H by doing the same mapping exercise under CCPA but this time under CPRA, i.e. the GDPR Code of Conduct controls (column C) meet the CPRA requirements. (Please therefore ignore all RED cells that have been marked – in Column C – as "Out of Scope".)
    1. Column I: name of "Reviewer";
    2. The Reviewer will then need to complete Column E by identifying the relevant Control (of the CSA CoC) that would allow CSPs to comply with the obligations stemming from the relevant CCPA provisions identified in Columns B and C. This can be done by first checking the tab "PLA Annex 10" of the Excel document. Possible outcomes:
          • If a corresponding Control can be found in tab "PLA Annex 10", this Control can be added in Column E (by also adding "PLA – Annex 10" in brackets) and Column F can be completed with "No Gap";
          • If a corresponding Control cannot be found in tab "PLA Annex 10", the Reviewer should then check the "PLA Code of Practice (CoP) v4.1" tab of the Excel file:
            • If a corresponding Control is found in this tab, this Control can be added in Column E and Column F can be completed with "No Gap";
            • If a corresponding Control is found in this tab but the identified Control would not allow CSPs to fully comply with the obligations stemming from the relevant CCPA provisions identified in Columns B and C, this Control can be added in Column E and Column F can be completed with "Partial Gap";
            • If no corresponding Control can be found in this tab, Column F can be completed with "Full Gap".
        3. The Reviewer should then briefly summarize the results of their analysis in Column G;
        4. Lastly, in case Column F has been completed with "Full" or "Partial Gap", the Reviewer should identify the proposed compensating Control in Column H.

           

          Please note that the chairs have already completed row 22 of the "CPRA - PLA_CoC Mapping" tab as a reference for the group on how we would proceed.

      • Lastly, please also note that the group can also use as a reference the work that has been done in tab "CCPA - PLA_CoC Mapping (for pub)" of the Excel file which has been developed before the CPRA came into force (we now need to do the same exercise in relation to the amended text of the CCPA).

    To connect on the call: 

    Day: 16 January 2024

    Time: 08:00 a.m. PST / 11:00 EST / 16:00 GMT / 17:00 CET.

    URL: https://cloudsecurityalliance.zoom.us/j/82987382695?pwd=amZ6cEljSCtXVU01OUVRbUUyTTNRdz09  (Meeting ID: 829 8738 2695, Passcode: 794440)

    Warm regards,
    Marina



    ------------------------------
    Marina Bregkou,
    Senior Research Analyst,
    CSA
    ------------------------------