CSA Official Press Release
Cloud Security Alliance Publishes Guidelines for CSA STAR Attestation
Full specification for CPAs conducting independent cloud provider assessments using the AICPA SOC 2SM engagements plus CSA Cloud Controls MatrixSeattle, WA – July 29, 2014 – The Cloud Security Alliance (CSA) and American Institute of CPAs (AICPA), today announced the release of official guidelines for CPAs in conducting Service Organization Controls (SOC) 2 engagements with the CSA’s Cloud Controls Matrix (CCM). Officially known as CSA Security Trust & Assurance Registry (STAR) Attestation, this specification for rigorous third party assessments of cloud providers, as well as additional program information, is available at www.cloudsecurityalliance.org/star/attestation/. The CSA Attestation is the latest offering of Level 2 of the CSA STAR Program, a comprehensive set of offerings for cloud provider trust and assurance. STAR includes Level 1 Self-Assessment, which focuses upon transparency of security practices and Level 3 Continuous Monitoring, which will be available in 2015. STAR Attestation provides a framework for a CPA to express an opinion of several key factors related to service description, control suitability and control effectiveness within the cloud provider’s systems. . “The AICPA is pleased to collaborate with CSA on STAR Attestation, which brings together best practices for Security Organization Control reporting via CPA-performed SOC 2 engagements, in conjunction with best practices specific to cloud security as covered by the CSA Cloud Controls Matrix. Security is of paramount importance in cloud computing, and the complementary frameworks put forth by AICPA and the CSA provide a comprehensive foundation for practitioners to follow in performing engagements in this space,” said Amy Pawlicki, AICPA Director of Business Reporting, Assurance and Advisory Services. “Consumers have long looked to the CPA community as important stewards of trust as it relates to IT service providers,” said Jim Reavis, CEO of CSA. “As a result of our collaboration with the AICPA, both consumers and providers can count upon their CPAs to conduct SOC 2 engagements with leading edge security best practices for the cloud. STAR Attestation is a critical milestone in our effort to provide comprehensive trust in cloud computing.” “SOC 2 has become a necessity for cloud providers serving enterprise customers," said Mark Lundin, KPMG LLP's Global SOC 2/SOC 3 Leader. "The combination of SOC 2 reporting with the industry recognized Cloud Controls Matrix represents a powerful option that cloud providers can now use to demonstrate the effectiveness of their controls as well as build fundamental trust with their customers. In working with some of the world’s largest cloud providers, we recognize that thorough SOC 2 reports represent a best practice, effectively showcasing the provider’s strategy to meet its customers' evolving security and compliance needs.” The objective and mission of CSA STAR Attestation is to improve trust in the cloud and in the Information and Communication Technology (ICT) market by offering transparency and assurance. It is based upon applicable criteria in Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (TSP section 100, supplemented by the criteria in the Cloud Controls Matrix (CCM), and builds on the key strengths of SOC 2SM engagements performed in accordance with AT 101, Attest Engagements (AICPA, Professional Standards). The guidelines for CPA’s participating in the CSA Star Attestation Program address the following:
- Requirements for engagement and performance
- Competency requirements
- Scope of attestation
- Criteria establishment and selection
About Cloud Security Alliance
The Cloud Security Alliance is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing. The Cloud Security Alliance is led by a broad coalition of industry practitioners, corporations, associations and other key stakeholders. For further information, follow us on Twitter @cloudsa.
For press inquiries, email Zenobia Godschalk of ZAG Communications or reach her by phone at 650.269.8315.