On behalf of the CDPC Leadership Team: Open Review Period - Cloud Data Protection Cert Candidate Project
Blog Article Published: 03/29/2014
We would like to invite Cloud Security Alliance (CSA) members as well as the cloud and security community to participate in the open review period for a new candidate project that we are proposing for contribution to the CSA Research Portfolio. In addition, we are considering contributing this Intellectual Property to CSA for further development with no patent or copyright encumbrances. The name of the project is the Cloud Data Protection Cert (CDPC) which we, Richard Noguera, Global Head of Information Security at Gap, Inc. and Evelyn de Souza, Compliance and Data Privacy Leader at Cisco Systems, co-developed. The open review period will start today and end on April 28, 2014. As background, the Cloud Data Protection Cert is intended to be a web-based tool that presents Cloud Providers and Cloud Consumers with a tiered data sensitivity model. Given all the recent and ongoing news tied to data breaches, this is intended to help companies apply optimum data protection controls within cloud environments by reporting an overall protection score and controls guidance based on a maturity curve. We are proposing that the Cloud Data Protection Cert be included as part of the CSA’s Governance, Risk Management and Compliance (GRC) stack as organizations will also have more granular controls for leveraging the Cloud Controls Matrix (CCM). As part of the GRC stack, it will allow for implementing controls based on data type and recognizes that controls don't apply equally across data with a more public profile versus data that is regulated. At the recent RSA Conference (US), we held an exclusive executive roundtable where 23 CISO and VP-InfoSec level attendees across service providers, industry and security vendors participated and provided feedback to the beta version of the web-based tool. The feedback was positive, so we decided to open this up to a larger audience for review and comments. ACTION We would like to ask reviewers of the Cloud Data Protection Cert for assistance in assessing the following:
- Would you like to see this project contributed to CSA for further development?
- Is the tiered data protection model useful?
- Should it be built into the CCM as a default model versus a one size fits all data protection model?
- Should this be a standalone tool within the GRC suite of tools or merged with the CCM?
- Do reviewers like this format for this tool – what should stay the same – what should change?