Publication Peer Review
Enterprise Authority To Operate (EATO) Controls Framework
Open Until: 05/12/2024
The Enterprise Authority To Operate (EATO) working group is opening their Controls Framework for open peer review.
Background: Why?
- The CSA Enterprise Authority to Operate (EATO) Working Group has identified gaps in the understanding and implementation of information security and data protection controls by small- to mid-sized cloud-based XaaS providers, particularly when processing sensitive data of highly regulated industries, which inhibits market adoption of such services.
- For consuming Corporate Customers who have to abide by multiple and tight regulations, such Cloud-based XaaS cannot be adopted "out of the box" but must be assessed individually (i.e., by each potential customer) using heavy-weight Risk and Cloud Control Assessments.
- These assessments result in many findings regarding control deficiencies, which in turn lead to complex remediation requirements for the vendor and their services.
- Overall, this creates significant and redundant cost: multiple, potentially overlapping or even conflicting, effort-intensive assessment and remediation processes, borne both by the vendor and by several potential Corporate Customers.
Objectives: What?
- EATO aims to identify and remediate risks resulting from control failures inherent in XaaS products with underlying cloud-based infrastructure or platforms.
- The controls assessed relate to information security and privacy, Business Continuity, Data Retention, Archiving, and vendor/service provider controls and risks.
- Establish an industry-standard controls and assessment framework for XaaS catering to customer firms in highly regulated industries.
- Controls are based on CCMv4, but they are tailored:
  - Core controls have been sharpened to apply stricter and more detailed information security compliance requirements and evidencing scrutiny, catering to the needs of highly regulated corporate customers.
  - Some controls have been added compared to CCMv4 where necessary for highly regulated corporate customers.
  - Other controls have been combined/collapsed to reduce the assessment's load on the XaaS providers and focus on compliance with Core Controls.
  - A small number of controls existing in CCMv4 have been dropped, again to focus on compliance with Core Controls.
- Establish a global, trusted independent assessment service for small and mid-sized Cloud-based XaaS providers against the industry standard enhanced controls framework.
- Establish a trusted and independently certified remediation consultancy service that enables XaaS Providers to change the design of their services and implement security by design.
Approach: How?
- Provide a trusted certification to subscribing firms, enabling them to reduce cost and risk.
- Improvement of information security by design across XaaS Providers:
  - By incentivizing providers to conduct an assessment, and only one instead of many
  - Reducing the cost of the assessment for XaaS Providers
  - Focusing remediation efforts on one central / combined set of findings instead of many disparate and potentially conflicting requirements
- Efficiency gains for Subscribing Firms, as there is only one central assessment instead of one per firm wanting to use the XaaS Providers’ services
- Reduction of cost and effort for Subscribing Firms using a shared trusted assessment
- Globally accepted and trusted Certificate that also covers effective remediation performed and validated.
The peer review period has ended.