STAR Testimonial: The First Cloud-Specific Attestation Program

CSA’s STAR Attestation is the first cloud-specific attestation program designed to quickly assess and understand the types and rigor of security controls applied by cloud service providers. This is a collaboration between CSA and the AICPA to provide guidelines for CPAs to conduct SOC2 engagements.

The CSA Security Update podcast is hosted by John DiMaria, CSA Assurance Investigatory Fellow, and explores STAR, CSA best practices, research, and associated technologies and tools.

This blog is part of a series where we’ll be editing key CSA Security Update episodes into shorter Q&As. In today’s post, John interviews Debbie Zaller, Principal, Practice Leader, and SME for Schellman & Company, LLC who leads the Midwest Region along with the Privacy, SOC 2 and SOC 3 service lines. She answers questions about the STAR Attestation process while discussing the value of having successfully completed the audit.

Listen to the full podcast here.

The SOC 2 Process

John DiMaria: We have a special guest today, Debbie Zaller. She began her career in 2000 in the technology and risk assurance practice, and now leads the Midwest Region of Schellman & Company, along with Privacy, SOC 2 and SOC 3 service lines, and is also on the AICPA's SOC specialist task force.

STAR Attestation is the attestation with the SOC 2 that has CCM controls integrated into it. For those not familiar, how is a typical SOC 2 engagement planned and carried out?

Debbie Zaller: The first step in the process is determining the scope of the engagement. The scope would determine the five SOC 2 categories to include in the examination: security, availability, confidentiality, processing integrity, and privacy. The second step is determining the organization’s preparedness for the examination. This is done by an external CPA firm or by an internal audit or compliance group. At the end of the examination, management will have a report that highlights the data security controls that reduce third-party risks when organizations use a third party to store, process, or handle any sensitive information for their customers.

Comparing Audits

JD: With the plethora of compliance issues, certifications and regulations, there’s always a concern about “here’s another thing to do when it comes to STAR.” How do you avoid redundancy concerning the SOC 2 assessment when doing a STAR Attestation audit?

DZ: It makes sense to overlap and combine similar IT compliance initiatives. CSA has mapped the SOC 2 criteria to the Cloud Controls Matrix (CCM). It's really a matter of determining what CCM criteria relate to those in-scope services that we've defined with the organization. The STAR Attestation must include all of the 16 domains of the CCM, and includes the CCM criteria mapped to SOC 2 criteria. If we're doing a Type 2, we will see how controls operated over a period of time meet the SOC 2 criteria and the mapped CCM criteria. So the STAR Attestation will actually be a much longer report, but certainly valuable for cloud providers.

JD: Can you explain the differences between Type 1 and Type 2 audits when it comes to getting your full STAR Attestation?

DZ: It's pretty typical to see a Type 1 for first examinations followed by a Type 2. The Type 1 is a point in time examination showing the controls that are in place at that point in time to meet the applicable criteria. So it's great for organizations that have not been through an examination before. A Type 2 most often covers a 12-month period. The examination will test how those controls operated over that period of time. Auditors would come in at the end of the review period and perform testing backwards to see how controls operated, providing a much more detailed audit. It would also determine the risks of an organization handling their customer’s sensitive data.

Benefits of STAR Attestation

JD: So obviously providing services like STAR Attestation, ISO, or SOC 2 is an investment that organizations make. How do you articulate the value of adding STAR Attestation to someone who already is doing a SOC 2?

DZ: There are several benefits to the STAR Attestation. The first is in the CCM criteria. The 16 domains highlight controls applicable to most cloud providers and are more detailed than the SOC 2 criteria. It’s a more rigorous examination but shows the depth of the security controls for cloud providers. The second benefit is the registry. Listing your organization on the CSA’s registry is a marketing tool for having completed the STAR Attestation by an independent CPA firm.

JD: Suppose I want to do both - the STAR Certification and STAR Attestation. Some things obviously don’t overlap, but do you look at CCM on both?

DZ: You’re right, both of these assessments look at the CCM. When performing them together, we make use of the same testing of the CCM so that we're not duplicating efforts. Clients aren't providing us the same information twice. All the evidence is reused and the interviews are the same.

Commit to STAR

JD: What is the time commitment of a SOC 2 versus a STAR Attestation. Or more specifically, what is the additional time commitment of adding a STAR Attestation to a SOC 2?

DZ: It depends. If you did the SOC 2 examination including all five categories, the STAR Attestation may not be as much of an overhaul, but is still a more rigorous audit. The additional time commitment could be 25% more or even double. While SOC 2 criteria spans five categories, the 16 CCM domains add on a lot more testing that will need to be checked during the examination. Readiness is hugely important when considering a STAR Attestation because the audit is for customers and you want it to be favorable and clean.

JD: Thanks a lot Debbie! Thanks, and talk to you soon.

To continue the conversation, contact Debbie at [email protected].