The Quest for Multi-Party Recognition
The CSA Security Update podcast is hosted by John DiMaria, CSA Assurance Investigatory Fellow, and explores the STAR Program, CSA best practices, research, and associated technologies and tools. This blog is part of a series where we edit key CSA Security Update episodes into shorter Q&As. In today’s post, John interviews representatives from CIS, CRI and Schellman as they discuss how STAR Level 2 attestations and certifications have allowed them to complement SOC 2 and ISO/IEC 27001:2013 with the criteria from the CSA Cloud Controls Matrix to achieve multi-party recognition. To learn more about STAR Level 2 and how the CCM is used to complement other industry standards, go here.
Listen to the full podcast here.
John DiMaria: We welcome Phyllis Lee, Senior Director for Controls at the Center for Internet Security (CIS), Joshua Magri, Founder and Managing Director at the Cyber Risk Institute (CRI), and Doug Barbin, Chief Growth Officer and Services Leader at Schellman. Today we’re going to cover multi-party recognition. With all the standards we have to deal with, it’s critical to have a harmonized approach to reduce risk and increase security posture. Phyllis, when implementing CIS and CCM controls, how do they facilitate each other?
Phyllis Lee: With the CIS controls, there are far fewer than other control frameworks. We have 18 controls supported by 153 safeguards. If you implement a certain safeguard, you’re compliant with this control in ISO, with this control in CSA CCM, with this one in NIST CSF, or NIST 800-53. It’s too much for organizations to look at individual control frameworks and try to be compliant with them, but they need to be able to cross-reference and minimize their work.
JD: Awesome. So Josh, should we put the financial sector into some special category to raise the awareness of potential global disasters that can lead to breach?
Josh Magri: We are already in a special category. We have to deal with confidentiality attacks, attacks on integrity and attacks on availability. So given our risk profile and our regulatory profile, we really did need to utilize a common framework and organizational structure to describe risks and compliance.
JD: Interesting. Everybody wants to avoid crossover. Doug, what’s the advantage of a combined or integrated audit approach?
Doug Barbin: When we come into a client environment, there’s no Schellman standard for information security that we push. We look at our job as understanding our client’s controls to meet cybersecurity requirements. I would never tell anyone to build their security program around the SOC 2 trust services criteria. ISO 27001 is a great framework, but it’s also high level. Any company that adopts ISO 27001 certification has to go to the next level of granularity during their own risk assessment and their own risk treatment. So, there may or may not be examples of control sets that you can use to help guide the organization.
JD: Phyllis, what are the potential solutions to the challenge of trying to juggle all of these requirements or standards at the same time? How can we really avoid interpretation issues?
PL: When written at a high level, people don’t understand what it means to show successful implementation. At CIS, we try to do one task per safeguard, as well as create the controls assessment specification. Oftentimes, security experts say “as frequently as needed” because it depends on the network. But, many organizations don’t know how to decide that. I think all the frameworks need to add specific metrics.
JD: Josh, we’ve had some discussions about the framework and interpretations people have written. Where do you see this going in terms of trying to eliminate interpretation issues?
JM: I agree with Phyllis that we can be more precise. We have guidance documents with a description of what each diagnostic question means. The auditors have examples of effective evidence. So, we’re in a sector where if you respond to a diagnostic, you have to provide documentation to support it. There are going to be issues where we have to say “as needed” because what we’re trying to do is pull in regulatory provisions.
JD: And Doug, I know that auditors have many discussions with customers, particularly about interpretation. How do you deal with those issues?
DB: In some cases, there’s another party involved. Anything that points to a standard or evidence to support whether or not it meets the standard is going to be better. You need to have a consolidated approach. Teams should be looking at access controls, making sure that they meet all requirements. This requires looking at the control activity and branching out to the control frameworks.
JD: Over the past year and a half, there’s been a call for continuous monitoring and certification. So Doug, do you see when certification or continuous monitoring is going to become a mandate?
DB: I think we’re already seeing a lot of that. Companies are apprehensive about having auditors come in all the time, not wanting to see us more than maybe twice a year. But, it creates opportunities for technology.
JD: Josh, in high risk areas, has continuous monitoring against day-to-day audits shown effectiveness?
JM: The financial industry is a numbers industry. But, the mandates are going to come at the industry in different ways than they will others. It is unlikely that some legislation will make sense across all sectors. But because cloud service providers aren’t directly regulated by the financial regulators, there's going to be some level of pushback that develops.
JD: And Phyllis, in terms of continuous monitoring, would CIS support specific metrics that help to show effectiveness across the board of multiple standards?
PL: Yeah, definitely. In our control assessment specifications, the goal is to automate as much as possible. Continuous monitoring is already here and on the horizon. So I think we're getting there. We are moving toward automation more and more.
JD: Thank you all, and have a great weekend.
Click here for more information regarding STAR certification and the different levels of STAR.