Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Register for CSA’s free Virtual Cloud Trust Summit to tackle enterprise challenges in cloud assurance.

CSA and the Cyber Risk Institute: CCM Addendum for the Financial Sector

Home
Industry Insights
CSA and the Cyber Risk Institute: CCM Addendum for the Financial Sector

Blog Article Published: 06/28/2022

Written by Daniele Catteddu, Chief Technology Officer, CSA.


The CSA Cloud Controls Matrix (CCM) is 11 years old. Almost a teenager! Over time it has evolved and matured and has been a fundamental piece of the cloud journey for several thousands of organizations worldwide. Virtually any organization willing to implement cloud computing in a secure way has made use of our framework. The reasons are several, the CCM is:

  • Cloud relevant
  • Connected to all the most important security standards, laws and regulations that are important in the cloud space
  • Agile, and therefore able to reflect the technical and compliance changes of the cloud landscape
  • Technology-agnostic
  • The standard of reference of the STAR Program
  • Open source and free for users to adopt

The characteristics and qualities of the CCM are a coherent reflection of the vision that we always had for our framework at CSA. This vision now represents the lingua franca for cloud security, a de facto standard representing the center of gravity for any cloud governance, risk and compliance effort. It is a tool kit with several components that each of the cloud actors (CSPs, customers and assurance providers) can use to guide their actions and support their approach to the cloud, regardless of the size of the organization, its risk profile and the business sector in which it operates.

Does this mean that the CCM in its current version is sufficient to satisfy all the security and compliance requirements for every business sector? No, otherwise, we’d probably close the shop, call mission accomplished and go on permanent vacation.

The CCM is not perfect and the CCM has not yet accomplished its long-term vision. That has been one of the reasons why we decided to partner with the Cyber Risk Institute (CRI) to develop a CCM addendum for the financial sector.

Financial institutions have been looking at extending their cloud adoption rate over the course of the last few years. For a long time, cloud was to financial institutions as the apple was to Adam and Eve: a very tempting and forbidden fruit. That had to do with several things, mainly related to compliance and regulatory supervision, which I won’t elaborate on in this blog. The bottom line is that the financial institutions were from one side pressured to move to the cloud for effectiveness and efficiency reasons, but they couldn’t, or they were limited in the scope of what they could do, given some compliance constrains.

In the meantime, cloud has matured, providers have been able to accommodate most, if not all, the needs and requirements of financial institutions, and finally cloud is ready in highly regulated sectors. This doesn’t mean that the compliance and regulatory requirements have magically disappeared and/or evaporated somewhere in the stratosphere, it just means that there are technologies, procedures and best practices able to satisfy them.

CSA has moved strategically along the path of accommodating sector-specific requirements within our CCM framework. The way we’ve gone about this is coherent with our motto of applying common sense and not reinventing the wheel. For this reason, rather than creating ex novo a new set of controls to layer on top of the CCM core controls, we simply partnered with a like-minded organization, CRI. CRI has already created a framework, the CRI Profile for the Financial Sector, that covers most of the cybersecurity-relevant requirements of financial institutes at the global level.

Similarly to the CCM, CRI’s Profile had a limitation. It didn’t sufficiently cover the specificity of cloud computing security. As you can imagine, it didn’t take too long for both organizations to realize how powerful and fruitful a collaborative effort could be. In this collaboration, we would map the controls within the two respective frameworks, perform a gap analysis, and create addenda to add cloud-specific controls into the CRI Profile and to add financial sector-specific requirements into the CCM.

Today, we are glad to release the results of such a collaboration. You can download the addendum here.

This is only the first step in a process that will eventually lead to the creation of the dedicated version of CSA STAR Level 2 for financial institutions. We are now starting to look for financial institutions willing to work in a pilot program. Please get in contact with us to join this new initiative.

Cloud Controls MatrixFinancial ServicesIndustrySTAR

Share this content on your favorite social network today!

Latest from CSA
Join AT&T Cybersecurity in Chicago
The State of AI and Security Survey Report
CSA's STAR: The Key to Cloud Security & Compliance
Trending This Week
#1 The 5 SOC 2 Trust Services Criteria Explained
#2 What You Need to Know About the Daixin Team Ransomware Group
#3 Mitigating Security Risks in Retrieval Augmented Generation (RAG) LLM Applications
#4 Cybersecurity 101: 10 Types of Cyber Attacks to Know
#5 Detecting and Mitigating NTLM Relay Attacks Targeting Microsoft Domain Controllers
Audit Cloud Providers with Confidence & Enroll in STAR Lead Auditor Training
Related Articles:
Evaluate the Security of Your Cloud Service Provider with the CSA STAR Registry

Published: 04/13/2024

CSA Turns 15: Kicking Off the Next 85 Years of Cloud Security Excellence

Published: 04/04/2024

CSA Community Spotlight: Establishing Cloud Security Standards with Dr. Ricci Ieong

Published: 04/03/2024

CSA STAR Level 2: All About STAR Attestations and Certifications

Published: 03/23/2024