STAR Testimonial: CSA STAR + SOC2 - From Readiness to Attestation
CSA’s STAR Attestation is the first cloud-specific attestation program designed to quickly assess and understand the types and rigor of security controls applied by cloud service providers. This is a collaboration between CSA and the AICPA to provide guidelines for CPAs to conduct SOC2 engagements. The CSA Security Update podcast is hosted by John DiMaria, CSA Assurance Investigatory Fellow, and explores STAR, CSA best practices, research, and associated technologies and tools.
This blog is part of a series where we’ll be editing key CSA Security Update episodes into shorter Q&As. In today’s post, John interviews Audrey Katcher, partner of RubinBrown’s Business Advisory Services Group overseeing the group’s Information Technology Risk Services. She answers questions about SOC2 attestation, such as: What are the criteria for the SOC2 attestation? What is CSA STAR and how does it complement SOC2?
Combining the Frameworks
John DiMaria: I have a special guest today, Audrey Katcher. She is currently a partner for RubinBrown's Business Advisory Services Group and she oversees the group's IT Risk Services. She is also the AICPA liaison for the CSA Open Certification Framework. Audrey was instrumental in putting together the STAR Attestation rules of engagement and worked closely with CSA to make that happen.
People understand CSA STAR and a lot of people understand SOC2, especially those that are actually using it. Putting those two together, when we say CSA STAR and SOC2, what are we really talking about?
Audrey Katcher: We're talking about bringing together two frameworks into one report so that management can speak globally to all of the different standards that can be covered with the Cloud Controls Matrix. The benefit of bringing the two frameworks together into a certification is to really show the credibility of not only achieving SOC2, but how that maps out and covers the Cloud Controls Matrix.
JD: What are some of the business drivers? What leads organizations to say, "I'm doing SOC2, I want to add CSA STAR." What's the typical business case that drives them in that direction?
AK: By adding the CSA STAR, companies have the opportunity to represent the coverage of the Cloud Controls Matrix, which is mapped to, quote, every standard that there could be for security. The standards that are important in one country may not be the same in other countries. Being able to represent that on a global basis with the framework of CSA STAR in this SOC2 attestation is very powerful and differentiating.
JD: People tend to react to a mandate of some sort. “Are my competitors doing it?” It's a reaction perspective rather than a proactive perception. Why do organizations wait to react to this? Why shouldn't they just go ahead and get the CSA STAR Attestation? What's the business case for that?
AK: One of the stories I like to tell is about a startup company around 2009. They wanted to differentiate their SaaS business and prove that they had security over their information. Early on when there were only a few people, the security person was literally in a closet. They said, "I've got to get on top of this security. We have to represent ourselves to the world as secure." They rolled forward from 49 people in 2009 to publicly traded today with over 800 people. They knew early on that differentiating with the CSA STAR and SOC2 is what would make the difference.
What to Expect from a Readiness Assessment
JD: We have this gap assessment called the Consensus Assessment Initiative Questionnaire (CAIQ), which is an extended control set tied in with the Cloud Controls Matrix that gives you yes-and-no questions that possibly could be asked by an assessor. What are the advantages of a readiness assessment versus just jumping into the process?
AK: In addition to using the extended questionnaire, with the SOC2, you have to represent the controls for operating throughout the period. We often find that the client is doing good things, but they just didn't keep evidence throughout the period. What the readiness says is, "Let’s look at the system description management created, let's look at the controls, and let's make sure that we have our evidence ready to be audited later in the period." That allows the actual SOC reporting period that's covered to be executed more cleanly.
JD: So in ISO 27001, you're allowed to have these readiness assessments prior to your audit? And these are typically not consultative, they're just going in and saying, "Here's where the gaps are. Here's where your issues are," so you can understand whether or not you want to jump into the audit.
AK: Management is responsible for the description that meets the SOC2 criteria. That includes defining the boundaries for the report. We have to maintain independence for when we're getting ready to do the attestation. Under consulting standards, we can assess and recommend based on management's drafted description and controls. We can perform a test to help make sure that the readiness is adequate enough to process appropriately. We usually give management two to three months after that readiness assessment to practice evidencing the controls. We start the period as an independent assessor after that.
Organizing the Controls
JD: What do you tell clients when they ask you about STAR Attestation? What do you tell them when they say, "Why would I want to do this?" What’s the perspective from a client to an assessor?
AK: When they're developing their framework and controls that would be covered under SOC2 and CCM, understanding how it's mapped to things like NIST can help them have a more thorough description and listing of controls. When a client is coming to work with them in the future and saying, "Okay, do you have good controls?" Now they can say, "I didn't make up controls just for my service commitments and requirements based on just NIST. I did it on something broader, like the Cloud Controls Matrix."
JD: So you have these 133 Cloud Controls Matrix controls and the SOC2 trust principles. I'm sure you don't go through everything twice. How is that carried out? Is the cycle between audits the same as well?
AK: We like to look at the SOC2 as a mechanism that can provide reporting to audit once and report many. We encourage clients to set up an environment where they can pull their controls into one tool and they can manage the controls throughout the period. Then they can refer back to that to cover not just the controls for SOC2, but those that overlap with NIST and others.
JD: It is more of an integrated approach. Then you follow the same cycle that you normally do, even if they weren't using anything else?
AK: Management is pulling together the controls. For the SOC2 reporting with CSA STAR, they want to consider their timing. What is the period of the SOC2 report? Will that control perform within that period? That first period may be something as short as four months. The standard period is going to be annually. They may want to consider their control performance and how they're setting them up so that they can have it performed once versus having to perform it for each different standard.
STAR and SOC2 in Today’s Environment
JD: Adding the CCM to the SOC2 sector is going to give you a higher comfort level. Your report that gets you on the CSA STAR registry allows you to get more exposure to current and potential clients. In today's world, why is the additional comfort level of this attestation more important now than it ever was?
AK: A lot of companies are moving to work from home and adding cloud environments. I am very happy to see a lot of them are asking for the SOC2. Business is running to the cloud more than ever before and they need to get comfortable quickly.
JD: If you have lockdown situations, you aren't afforded the luxury of time and resources to do any onsite work or proper due diligence. The STAR registry really increases the integrity of what you've done. People are moving to the cloud and they don't have as many eyes on their suppliers as they would like to have. This becomes something that is very valuable to them.
AK: This is a time for those entities to move from self-certification and get that independent assessment. Then they'll be able to move forward into continuous monitoring. Don't wait for this. Let this be something that you can address now.