CSA Continues Campaign To Improve Transparency And Assurance In The Cloud Market With Position Paper On AICPA Reporting Framework
SAN FRANCISCO, CA – Feb 25, 2013 – The Cloud Security Alliance today released a position paper on the American Institute of CPAs’ reporting framework, as a means of educating its members and providing guidance on selecting the most appropriate reporting option. The position paper is the latest step in CSA’s previously announced Open Certification Framework and STAR Attestation initiatives.
The AICPA’s reporting framework, known as Service Organization Control Reports, consists of three major document types. The first – the SOC 1SM report – deals with controls over financial reporting. The SOC 2SM report focuses on controls that bear on a service provider’s security, processing integrity and operating availability, as well as the confidentiality and privacy of data moving through its systems. A third report, SOC 3SM, is a compressed version of the SOC 2SM and is designed for public distribution.
In the position paper, the CSA highlights that for most cloud providers, the combination of leveraging the criteria in the CSA Cloud Controls Matrix with a SOC 2SM report is likely to meet the assurance and reporting needs of the majority of users of cloud services. The paper offers guidance to members on when a SOC 1SM report is necessary, when a SOC 2SM report is called for, and when both engagement types may be required.
“Technology-related compliance and operating integrity audits are becoming increasingly important as businesses now routinely adopt cloud-based services,” said Jim Reavis, executive director of the CSA. “The Cloud Controls Matrix is designed to be used in conjunction with existing standards, and this is one such example where the combination provides a comprehensive view that should suit most users reporting needs.”
“We’re delighted that the CSA recognizes our reporting framework as a mechanism to meet this critical reporting challenge, and complement the security principles in its Cloud Controls Matrix,” said Susan Coffey, CPA, CGMA, senior vice president for public practice and global alliances at the AICPA.
Reavis continued, “The CSA Security Trust & Assurance Registry (STAR) serves as the standard for demonstrating transparent alignment with CSA security best practices, and this paper is a major step forward in leveraging AICPA’s popular reporting framework to consolidate attestation requirements and layer third party trust on top of CSA STAR.”
The full position paper can be found at https://cloudsecurityalliance.org/research/collaborate/#_aicpa
About the CSA
The Cloud Security Alliance (CSA) is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing. The Cloud Security Alliance is led by a broad coalition of industry practitioners, corporations, associations and other key stakeholders.
ZAG Communications for the CSA