Downloads

A Precis for the CloudTrust Protocol (V2.0)

The CloudTrust Protocol (CTP) offers an uncomplicated, natural way to request and receive fundamental information about essential elements of transparency.

Release Date: September 01, 2010

Anti-Bot Working Group Charter

Release Date: December 04, 2013

Article 29 Working Party Cloud Computing Opinion: A Blow to Safe Harbor

The Article 29 Data Protection Working Party—which includes representatives of the data protection authorities of each of the European Union member states—recently issued an opinion on cloud computing that could impact U.S. cloud providers.

Release Date: February 22, 2013

Big Data Analytics for Security Intelligence

Release Date: September 24, 2013

Big Data Working Group Charter

The Big Data Working Group (BDWG) will be identifying scalable techniques for data-centric security and privacy problems.

Release Date: May 04, 2012

CCAQIS Survey v1.2

The purpose of this survey is to capture the current state of data governance and data security capabilities offered by leading cloud service providers in the industry. The results of this survey will be aggregated and used for guidance and research conducted by CSA and its affiliates.

Release Date: August 01, 2011

CCM v3.0 Info Sheet

Release Date: October 07, 2013

Cloud Computing for Business

This book is for all these people, and indeed for all executives whose companies are using, or thinking of using, cloud computing.

Release Date: March 02, 2011

Cloud Computing Vulnerability Incidents: A Statistical Overview

In an attempt to ascertain Cloud Computing reliability, 11,491 news articles on cloud computing-related outages from 39 news sources between Jan 2008 and Feb 2012 – effectively covering the first five years of cloud computing – were reviewed.

Release Date: May 31, 2013

Cloud Computing: What Damages in Case of Outages

Service interruptions are inevitable regardless of whether the cloud service provider is a small company or a large company. When a cloud service goes down, users lose access to their data; they may also be deprived of the processing capabilities that are provided as part of the cloud offering.

Release Date: May 21, 2013

Cloud Controls Matrix V1.0

Release Date: April 27, 2010

Cloud Controls Matrix V1.01

Release Date: October 20, 2010

Cloud Controls Matrix V1.1

Release Date: December 17, 2010

Cloud Controls Matrix v1.2

Release Date: August 26, 2011

Cloud Controls Matrix v1.3

Release Date: September 20, 2012

Cloud Controls Matrix v1.4

Release Date: March 08, 2013

Cloud Controls Matrix v3.0

Cloud Controls Matrix (CCM) Version 3.0 is a comprehensive update to the industry’s gold standard for assessing cloud-centric information security risks.

Release Date: September 26, 2013

CloudCERT Report to CSA Summit 2011

Release Date: February 14, 2011

CloudTrust Protocol Information Overview

The CloudTrust Protocol (CTP) offers an uncomplicated, natural way to request and receive fundamental information about essential elements of transparency.

Release Date: June 01, 2011

CloudTrust Protocol Information Overview Powerpoint

The CloudTrust Protocol (CTP) offers an uncomplicated, natural way to request and receive fundamental information about essential elements of transparency.

Release Date: September 01, 2011

Comment on Big Data and the Future of Privacy

Responses to questions on the relationship between big data and public policy, government, technology trends, and policy frameworks.

Release Date: April 09, 2014

Consensus Assessments Initiative Questionnaire v1.1

The questionnaire is organized using CSA's 13 governing and operating domains, divided into “control areas” within CSA’s Control Matrix structure.

Release Date: September 01, 2011

CSA Congress 2012 Big Data Overview

Crystallization of best practices for security and privacy in big data.

Release Date: November 06, 2012

CSA Position Paper on AICPA Service Organization Control Reports

The Cloud Security Alliance (CSA) has drafted the CSA Position Paper on AICPA Service Organization Control Reports as a means to educate its members and provide guidance on selecting the most appropriate reporting standard.

Release Date: February 25, 2013

CSA Security Guidance Domain 3: Legal Issues: Contracts and Electronic Discovery

This domain highlights some of the legal aspects raised by cloud computing. It provides general background on legal issues that can be raised by moving data to the cloud, some issues for consideration in a cloud services agreement, and the special issues presented by electronic discovery under Western litigation.

Release Date: November 14, 2011

CSA V3 Guideline: Book Excerpts

Culture‐free, one‐size‐fits‐all English is usually the most efficient way to speak to a large, heterogeneous audience of E2s. In contrast, there are times when our English materials are intended for E2s in a small number of specific countries. In these cases, it might make good business sense to produce more than one English version, sensitive to the first language of the readers.

Release Date: July 02, 2011

CSA/ISACA Cloud Market Maturity Study Results

A collaborative project by ISACA and CSA, the Cloud Market Maturity study provides business and IT leaders with insight into the maturity of cloud computing and will help identify any changes in the market.

Release Date: September 27, 2012

Defined Categories of Service 2011

Release Date: October 26, 2011

Enterprise Architecture Mapping V1.9

Release Date: November 09, 2011

Enterprise Architecture Model V1.1

Release Date: October 26, 2011

Enterprise Architecture v2.0

Release Date: February 25, 2013

Expanded Top Ten Big Data Security and Privacy Challenges

Big Data remains one of the most talked about technology trends in 2013. But lost among all the excitement about the potential of Big Data are the very real security and privacy challenges that threaten to slow this momentum.

Release Date: June 16, 2013

Government Access to Information Survey Results

The survey received almost 500 responses from CSA members around the world. It found that 56% of non-US residents were now less likely to use US-based cloud providers, in light of recent revelations about government access to customer information.

Release Date: July 23, 2013

GRC Stack

Release Date: March 08, 2013

GRC Stack Courseware

Release Date: October 10, 2011

GRC Stack Training Document

Release Date: March 06, 2011

Innovation Initiative Charter

Release Date: February 24, 2012

Innovation Initiative Overview Powerpoint

Release Date: February 24, 2012

Mapping the Forensic Standard ISO/IEC 27037 to Cloud Computing

The purpose of this document is to survey the issues related to forensic investigation in cloud environments, to describe the international standards for cloud forensics, and to summarize the current integration of cloud forensic requirements into service level agreements (SLAs).

Release Date: June 26, 2013

Mobile Device Management: Key Components

Release Date: September 20, 2012

Mobile Top Threats

Release Date: October 04, 2012

Mobile Working Group Charter

Release Date: February 21, 2012

Net+ Initiative CCM v.3 Candidate Mappings

A team of 30 CIOs, CISOs, and other executives from Internet2’s membership (both higher education institutions and industry service providers) developed this extended version of the CCM. This version includes candidate mappings to address higher education security and compliance requirements.

Release Date: December 01, 2013

OCF Vision Statement

The CSA Open Certification Framework is a program for flexible, incremental and multi-layered cloud provider certification according to the Cloud Security Alliance’s industry leading security guidance and control objectives.

Release Date: August 17, 2012

Planning for E-Discovery in the Cloud

Release Date: May 21, 2013

Privacy Level Agreement (PLA) Outline Annex

Release Date: February 24, 2013

Privacy Level Agreement (PLA) Outline for the Sale of Cloud Services in the European Union

The Outline provides a structure for Cloud Service Providers (CSP) to disclose, in a consistent manner, information about the privacy and data protection policies, procedures and practices used when processing personal data that customers upload or store in the CSP’s servers.

Release Date: February 24, 2013

Publicizing Your STAR Certification

The following guidelines will help you to apply good practice in publicizing, communicating and promoting your certification to stakeholders, including staff, customers and business partners, and to the general public.

Release Date: September 03, 2013

Requirements for Bodies Providing STAR Certification

This document outlines how to conduct a STAR certification assessment to the Cloud Controls Matrix (CCM) as part of an ISO 27001 assessment.

Release Date: September 03, 2013

Research Lifecycle

A step-by-step guide to producing and distributing research artifacts. From inspiration and conception to publication and distribution, it covers the process for research projects and their typical timeframes. The Research Lifecycle is a tool to provide a framework for the life of a research artifact.

Release Date: March 19, 2014

SAFEcode/CSA: Practices for Secure Development of Cloud Applications

SAFECode and CSA partnered to determine whether additional software security guidance was needed to address unique threats to cloud computing, and if so, to identify specific security practices in the context of identified threats.

Release Date: December 04, 2013

Security Guidance for Critical Areas of Focus in Cloud Computing V3.0

The CSA guidance as it enters its third edition seeks to establish a stable, secure baseline for cloud operations. This effort provides a practical, actionable road map to managers wanting to adopt the cloud paradigm safely and securely. Domains have been rewritten to emphasize security, stability and privacy, ensuring corporate privacy in a multi-tenant environment.

Release Date: November 14, 2011

Small Business Working Group Charter

Release Date: April 04, 2013

Software Defined Perimeter

This document explains the software defined perimeter (SDP) security framework and how it can be deployed to protect application infrastructure from network-based attacks. The SDP incorporates security standards from organizations such as the National Institute of Standards and Technology (NIST) as well as security concepts from organizations such as the U.S. Department of Defense (DoD) into an integrated framework.

Release Date: December 01, 2013

STAR Certification Guidance Document: Auditing the Cloud Controls Matrix (CCM)

There are a number of control areas on the CCM that will each be awarded a management capability score on a scale of 1-15. To decide what the score is, each control area will be considered against 5 capability factors.

Release Date: September 03, 2013

The Future of Security

Disruption defines the business of information security. New technologies change how businesses work, as well as what risks people take. Attackers shift their strategies. But the better security professionals predict and prepare for these disruptions, the more effective we can be.

Release Date: February 25, 2014

The Future of Security: Executive Summary

Disruption defines the business of information security. New technologies change how businesses work, as well as what risks people take. Attackers shift their strategies. But the better security professionals predict and prepare for these disruptions, the more effective we can be.

Release Date: February 25, 2014

The Notorious Nine: Cloud Computing Top Threats in 2013

Providing organizations with up-to-date, expert-informed understanding of cloud security threats in order to make educated risk-management decisions regarding cloud adoption strategies.

Release Date: February 24, 2013

What Rules Apply to Government Access to Data Held by US Cloud Service Providers

What rules regulate government access to data held by US cloud service providers.

Release Date: February 22, 2013
