# CSA STAR

# Acronyms, Abbreviations, and Initialisms

| Short Form | Full Form |
|---|---|
| CAIQ | Consensus Assessments Initiative Questionnaire |
| CCM | Cloud Controls Matrix |
| CSA | Cloud Security Alliance |
| STAR | Security, Trust, Assurance, and Risk |

# Glossary

The Consensus Assessments Initiative Questionnaire (CAIQ) offers an industry-accepted way to document which security controls exist in IaaS, PaaS, and SaaS services, providing security control transparency. It provides a set of Yes/No questions that a cloud consumer or cloud auditor may wish to ask a cloud provider to ascertain its compliance with the Cloud Controls Matrix (CCM). It therefore helps cloud customers gauge the security posture of prospective cloud service providers and determine whether their cloud services are suitably secure.

# Overview

The Security, Trust, Assurance, and Risk (STAR) Registry is a publicly accessible registry that documents the security and privacy controls provided by popular cloud computing offerings.

STAR encompasses the key principles of transparency, rigorous auditing, and harmonization of standards outlined in the Cloud Controls Matrix (CCM). Publishing to the registry allows organizations to show current and potential customers their security and compliance posture, including the regulations, standards, and frameworks they adhere to. It ultimately reduces complexity and helps alleviate the need to fill out multiple customer questionnaires.

# Levels

There are multiple levels of assurance for companies that submit to the STAR Registry. Each level has a different set of requirements.

  • Level 1: Self-Assessment
  • Level 2: Third-Party Audit

# Level 1: Self-Assessment

At STAR Level 1, organizations can submit one or both of the security and privacy self-assessments. For the security assessment, organizations use the CCM to evaluate and document their security controls. Privacy assessment submissions are based on the GDPR Code of Conduct.

# Variations of Level 1

  • Security Self-Assessment
  • GDPR Self-Assessment

CSA STAR Self-Assessment is a complimentary offering that documents the security controls provided by various cloud computing offerings, thereby helping users assess the security of cloud providers they currently use or are considering using. Cloud providers submit the Consensus Assessments Initiative Questionnaire (CAIQ) to document compliance with the CCM. This information then becomes publicly available, promoting industry transparency and providing customer visibility into specific provider security practices.

The GDPR Code of Conduct Self-Assessment covers the GDPR compliance of the service(s) offered by a CSP. Once the relevant document has been published on the Registry, the company receives a Compliance Mark valid for 1 year.

# Level 2: Third-Party Audit

Level 2 of STAR allows organizations to build on other industry certifications and standards, making them specific to the cloud.

Organizations looking for a third-party audit can choose from one or more of the security and privacy audits and certifications. An organization's location, along with the regulations and standards it is subject to, is the largest factor in determining which ones are appropriate to pursue.

There are associated fees for STAR Level 2.

# Variations of Level 2

  • STAR Attestation: For SOC 2
  • STAR Certification: For ISO/IEC 27001:2013
  • C-STAR: For the Greater China Market

The CSA STAR Attestation is a collaboration between CSA and the AICPA to provide guidelines for CPAs to conduct SOC 2 engagements using criteria from the AICPA (Trust Service Principles, AT 101) and the CCM. The STAR Attestation provides rigorous, independent third-party assessments of cloud providers.

The CSA STAR Certification is a rigorous third-party independent assessment of the security of a cloud service provider. This technology-neutral certification leverages the requirements of the ISO/IEC 27001:2013 management system standard together with the CCM.

The CSA C-STAR Assessment is a robust, independent third-party assessment of the security of a cloud service provider for the Greater China market that harmonizes CSA best practices with Chinese national standards. C-STAR leverages the requirements of the GB/T 22080-2008 management system standard together with the CCM, plus 29 related controls selected from GB/T 22239-2008 and GB/Z 28828-2012.

# Noteworthy

  • STAR is a publicly accessible registry that documents the security and privacy controls provided by popular cloud computing offerings.
  • STAR encompasses the key principles of transparency, rigorous auditing, and harmonization of standards outlined in the CCM.
  • Cloud providers submit the CAIQ to document compliance with the CCM.
  • There are multiple levels of assurance for companies that submit to the STAR Registry.
  • STAR Level 1 is known as Self-Assessment.
  • STAR Level 2 is known as Third-Party Audit.
  • STAR Level 1 contains 2 variations known as Security Self-Assessment and GDPR Self-Assessment.
  • STAR Level 2 contains 3 variations known as STAR Attestation: For SOC 2, STAR Certification: For ISO/IEC 27001:2013, and C-STAR: For the Greater China Market.