Introducing CAIQ-Lite (Beta Version)
We are excited to announce the creation and launch of the Consensus Assessments Initiative Questionnaire (CAIQ) Lite. CAIQ-Lite can be accessed by CSA members for free on CSA as well as from our industry partner Whistic.
After months of analyzing feedback, conducting research and testing, and applying proper weighting and selection, CSA and Whistic are collaboratively releasing CAIQ-Lite.
In order to accommodate the shift to cloud procurement models, CSA and Whistic identified the need for a streamlined assessment questionnaire to better arm cybersecurity professionals to efficiently engage their cloud vendors. CAIQ-Lite was developed to match the rapid pace inherent within the cybersecurity environment, placing increased importance on vendor security questionnaire adoption.
The whitepaper providing further detail on CAIQ-Lite is available for download here.
Below is a brief CAIQ-Lite overview:
- 73 Questions
- 16 Control Domains remain (CCM 3.0.1)
- Leveraged panel of hundreds of IT security professionals
- CSA Member testing & feedback
- Whistic Customer testing & feedback
- Utilization of proprietary scoring algorithm
- Free CSA Member Access
Additionally, if you already have a CAIQ on STAR, a CAIQ-Lite will automatically be created on the Whistic Platform.
STAR for Cloud Service Providers
The Security, Trust, Assurance and Risk (STAR) registry is a cost effective solution that decreases complexity while increasing trust and transparency. Demonstrate your adherence to security and privacy best practices to future and current customers by submitting to the registry.
Benefits for Cloud Service Providers
- Accelerate sales cycle
- Solidify position as a trusted provider of cloud services
- Better build, establish and maintain a robust security program
- Expand business by helping customers navigate secure cloud adoption
- Be part of a global database that is becoming the marketplace for providers used by cloud users
Enhance Industry Standards
Demonstrate increased cloud computing maturity via additional certification. If your organization is already compliant with one of the following you can use STAR to add on to previous compliance initiatives to make them specific to the cloud:
- SOC 2
- GB/T 22080-2008
Which Level of STAR is Right for Your Organization?
The level you should pursue depends on the level of responsibility you have in the shared responsibility model and the levels of assurance and transparency you need to provide.
- Operating in a low-risk environment
- Want to offer increased transparency into the security controls in place
- Looking for a cost-effective way to improve trust and transparency
- Operating in a medium-high risk environment
- Already hold the following: ISO27001, SOC 2, or GB/T 22080-2008
- Looking for a cost-effective way to increase assurance for cloud security and privacy
- Operating in a high risk environment
- Want to offer a high-level of transparency
- Your organization is a full-service CSP
Your requirements may change depending on your risk level, along with associated regulations, contracts and mandates.
If you need additional help, please feel free to contact us.
How to Get Started
- Download the Cloud Control Matrix (CCM) and read it; understand the content and requirements.
- Discover information on our website, including the CSA Cloud Controls Matrix (CCM), Consensus Assessments Initiative Questionnaire (CAIQ) and Open Certification Framework.
- Utilize the self-assessment (CAIQ) tool to analyze where you are relative to the STAR requirements.
- Contact us to discuss next steps and how to best improve your business and obtain the benefits for CSA and the STAR Registry.
- Submit to the STAR Registry.
STAR for Cloud Customers
Improve the security and privacy program within your organization. STAR lets you gain insight into the controls in place to protect your data. Assess both your internal level of assurance, and the level of assurance offered by your cloud providers. Whether you moved to the cloud or are considering migrating in the near future, STAR can help you manage your security and privacy programs more effectively.
With STAR you can leverage:
- The STAR registry as a trusted source of information on the security and privacy posture of CSPs. It enforces accountability and lets you build a coherent GRC program.
- The STAR compliance program which lets you select the level of transparency and assurance you require from CSPs.
- The STAR Foundation tools (CCM, CAIQ, GDPR CoC) to support your own GRC approach and ensure language alignment between you and your CSP.
STAR offers different levels of transparency & assurance. After you've selected the appropriate level for your organization you can check your cloud service provider's status in the STAR registry.
How to Get Started with STAR
Determine Level of Trust & Transparency Required
- Low-Risk Organizations: Level 1 is a good place to start. If it is decided later that you require greater assurance from your provider you can request them to complete level 2.
- Medium-Risk Organizations: Level 2 is good for organizations with a moderate amount of risk. You can request a self-assessment along with a 3rd-party certification to provide your management with both transparency and assurance.
- High-Risk Organizations: Level 3 is designed for organizations operating in high-risk environments (examples: finance, healthcare, government, etc.). Continuous auditing offers organizations the highest level of both transparency and assurance to keep your organization safe on the cloud.
Browse Registered Cloud Providers in the CSA STAR Registry
The CSA STAR registry documents the security and privacy controls provided by popular cloud computing offerings. This publicly accessible registry allows cloud customers to assess their security providers in order to make the best procurement decisions.
Resources & STAR Foundation Tools
STAR Foundation Tools
STAR is based upon the following CSA frameworks and tools. Click the links below to download these tools and start using them to improve your security and privacy program:
Free Vendor Risk Management Tool
The CSA-OneTrust VRM tool lets you automate the entire vendor management lifecycle, including onboarding and offboarding vendors, triaging vendors, populating vendor information and monitoring the vendor risk lifecycle, all while maintaining records for accountability and compliance purposes. It comes pre-populated with the STAR foundation tools.
Click the link below to submit a complaint for cloud service providers with inaccurate information listed on the STAR Registry.
STAR for Auditors & Consultants
With STAR you can grow your business as a leader in cloud-specific security and privacy assurance services. As a CSA STAR Auditor, you can build on existing auditing standards (SOC2, ISO/IEC 27001, GDPR) with a cloud specific overlay. As a CSA Global Consultant, you can help users and providers implement effective governance and compliance programs for the cloud.
Learn more about partnering with CSA
STAR Benefits for Auditors
- Build on existing certification and attestation standards (SOC2, ISO/IEC 27001) with a cloud specific overlay based on CSA best practices.
- Remain current on cloud best practices, regulations and standards.
- Build the future of compliance based on the continuous auditing approach.
STAR Benefits for Consultants
- Expand business by helping customers successfully navigate secure and privacy compliant cloud adoption.
- Extend offerings to include best practices that support trusted cloud environments.
- Collaborate with clients as they explore new business models to grow their business.
- Become a global consultant
Offer cloud providers a higher level of assurance through an independent third-party assessment.
A technology-neutral certification leveraging the requirements of the ISO/IEC 27001 management system standard together with the CSA Cloud Controls Matrix.
Based on type 1 or type 2 SOC attestations supplemented by the criteria in the Cloud Controls Matrix (CCM).
A third party independent assessment of the security of a cloud service provider for the Greater China market that harmonizes CSA best practices with Chinese national standards.
GDPR Code of Conduct Certification
The GDPR CoC Certification is a third-party certification assuring compliance of a CSP’s services to GDPR.
Leveraging STAR for Privacy & Security
Guide your customers in adopting the STAR Program for both privacy and security. STAR offers a complete program that covers both operational security (CCM/CAIQ) and privacy legal compliance (GDPR CoC).
- Help your customer implement a governance, risk & compliance program based on CSA security and privacy best practices based on the CCM, CAIQ, and GDPR CoC.
- Use the STAR registry to help your customers improve their vendor management/procurement process.
- Offer your customers access to the free CSA-OneTrust Vendor Risk Management tool.
Learn more about partnering with CSA
Become a Security Assessment Firm
Are you interested in partnering with CSA to offer third-party certifications or attestations? Read the following documents to get started:
- Guidelines for CPAs Providing CSA STAR Attestation v2
- Requirements for Bodies Providing Star Certification
Then contact us to learn more about becoming a STAR approved auditor or certification body.
Become a GDPR Assessment Firm
Ensure your organization understands the principles of CSA GDPR CoC and the roles individuals in your organization will need to play. Then contact us to discuss the next steps in becoming a CSA GDPR assessment firm.
Validating Authenticity of STAR Registry Files
File attachments in the CSA STAR Registry are compressed and digitally signed with gpg (GnuPG) 2.2.3. The key below can be used to verify each file’s authenticity.
Fingerprint: 0795 5495 94D1 0ACF 2F9B 3EC1 D9C7 ECF0 7A82 41C6
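One way to check a downloaded registry file against the fingerprint above, as an added example rather than CSA's own tooling. It assumes the file is an OpenPGP signed message (as produced by gpg --sign, not a detached signature) and that the key has already been imported into the local keyring; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not CSA tooling): accept a STAR Registry file only when
# GnuPG reports a valid signature made by the key pinned on this page.
PINNED_FPR="0795 5495 94D1 0ACF 2F9B 3EC1 D9C7 ECF0 7A82 41C6"  # from this page

# Strip whitespace and upper-case hex so printed and machine forms compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\r\n' | tr 'abcdef' 'ABCDEF'
}

# Read GnuPG --status-fd output on stdin. Succeed only if a VALIDSIG line
# names the pinned key and no failure status appears. Rejecting expired or
# revoked keys is a policy choice made in this example.
status_matches_pin() {
    want=$(normalize_fpr "$1")
    awk -v want="$want" '
        BEGIN { ok = 0; bad = 0 }
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" {
            # $3 is the fingerprint of the key that made the signature; the
            # last field is the primary key, which differs for a signing subkey.
            if (toupper($3) == want || toupper($NF) == want) ok = 1
        }
        END { exit (ok && !bad) ? 0 : 1 }
    '
}

# Hypothetical wrapper: verify $1 and write the signed content to $2.
# Assumes $1 is a signed (non-detached) OpenPGP message and that the
# registry key is already in the keyring. Output is staged under a
# temporary name and only moved into place after the pin check passes.
verify_star_file() {
    signed=$1
    out=$2
    tmp="$out.unverified"
    if status=$(gpg --batch --yes --status-fd 1 --output "$tmp" \
                    --decrypt "$signed" 2>/dev/null) &&
       printf '%s\n' "$status" | status_matches_pin "$PINNED_FPR"; then
        mv "$tmp" "$out"
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Usage: sh verify_star.sh downloaded-file output-file
if [ "$#" -eq 2 ]; then
    verify_star_file "$1" "$2"
fi
```

A signature that is cryptographically valid but made by any other key in the keyring fails the pin check, which is the case a bare exit-code test on gpg would miss.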
The industry's most powerful program for security assurance in the cloud.
The Security Trust Assurance and Risk (STAR) Program encompasses key principles of transparency, rigorous auditing, and harmonization of standards. Companies who use STAR indicate best practices and validate the security posture of their cloud offerings.
The STAR registry documents the security and privacy controls provided by popular cloud computing offerings. This publicly accessible registry allows cloud customers to assess their security providers in order to make the best procurement decisions.
STAR Continuous is the continuous compliance assessment program for cloud services. It promotes trust by ensuring that a cloud service’s necessary security and privacy requirements are continuously met.
Improving on the traditional point-in-time certification, STAR Continuous increases both trust and transparency. A cloud security certification is granted to a cloud service relying on trust that the security posture between audits is maintained. However, point-in-time audits often leave a considerable time gap between audits; adopting continuous auditing with an increased audit frequency reduces the chance that the security posture deviates in between. This empowers cloud service providers to make precise statements on the compliance status of their cloud services covered by the continuous audit process, achieving an “always up-to-date” compliance status.
A STAR Level 1 Self-Assessment has a validity of 12 months, after which the self-assessment documentation shall be re-submitted. All submissions of self-assessment documentation will be visible in the STAR Registry, and non-current documentation will be marked as “deprecated”.
Open Certification Framework
The STAR Program is founded on the Open Certification Framework displayed below. The framework provides a flexible, incremental and multi-layered cloud provider certification according to CSA’s industry leading security guidance and control objectives.
Self-assessment - CSA STAR Level 1
CSA STAR Self-Assessment
CSA STAR Self-Assessment is a complimentary offering that documents the security controls provided by various cloud computing offerings, thereby helping users assess the security of cloud providers they currently use or are considering using. Cloud providers either submit a completed Consensus Assessments Initiative Questionnaire (CAIQ), or submit a report documenting compliance with the Cloud Controls Matrix (CCM). This information then becomes publicly available, promoting industry transparency and providing customer visibility into specific provider security practices.
GDPR Code of Conduct Self-Assessment
The Code Self-Assessment consists of the voluntary publication on the STAR Registry of two documents:
- Code of Conduct Statement of Adherence
- PLA Code of Practice (CoP) Template - Annex 1 self-assessment results
The Code Self-Assessment covers the compliance to GDPR of the service(s) offered by a CSP. A company after the publication of the relevant document on the Registry will receive a Compliance Mark valid for 1 year. The Self-Assessment shall be revised every time there’s a change to the company policies or practices related to the service under assessment.
Third Party Certification - CSA STAR Level 2
Level 2 of STAR allows organizations to build off of other industry certifications and standards to make them specific for the cloud.
CSA STAR Attestation
CSA STAR Attestation is a collaboration between CSA and the AICPA to provide guidelines for CPAs to conduct SOC 2 engagements using criteria from the AICPA (Trust Service Principles, AT 101) and the CSA Cloud Controls Matrix. STAR Attestation provides for rigorous third party independent assessments of cloud providers. Attestation listings will expire after one year unless updated.
CSA STAR Certification
The CSA STAR Certification is a rigorous third-party independent assessment of the security of a cloud service provider. The technology-neutral certification leverages the requirements of the ISO/IEC 27001:2013 management system standard together with the CSA Cloud Controls Matrix. Certification certificates follow normal ISO/IEC 27001 protocol and expire after three years unless updated.
CSA C-STAR Assessment
The CSA C-STAR Assessment is a robust third party independent assessment of the security of a cloud service provider for the Greater China market that harmonizes CSA best practices with Chinese national standards. C-STAR leverages the requirements of the GB/T 22080-2008 management system standard together with the CSA Cloud Controls Matrix, plus 29 related controls selected from GB/T 22239-2008 and GB/Z 28828-2012. Certification certificates expire after three years unless updated.
GDPR Code of Conduct Certification
The GDPR CoC Certification is a third-party certification assuring compliance of a CSP’s services to GDPR based off of the CSA Code of Conduct for GDPR.
After the publication of the relevant document on the Registry a company will receive a Compliance Mark valid for 1 year. The Self-Assessment shall be revised every time there’s a change to the company policies or practices related to the service under assessment.
Full Cloud Assurance and Transparency - CSA STAR Level 3
If your organization operates in a high-risk environment, then we recommend pursuing STAR Level 3.
CSA STAR Continuous Monitoring
CSA STAR Continuous Monitoring enables automation of the current security practices of cloud providers. Each level of STAR has a continuous monitoring option to offer increased transparency on a regular basis. It provides the opportunity to frequently (monthly) update a self-assessment and supports a third party based certification (e.g. STAR Certification) with additional, regularly updated information on the CSP security posture. Providers publish their security practices according to CSA specifications, which customers and tool vendors can then retrieve and present in a variety of contexts.
Increasing reliability of results, transparency and ease of use of the CSP’s assurance reports is a competitive advantage in today’s environment. However, in the near future this will be a barrier to entry for those who have not made the investment. If you’re a cloud service provider that will hold sensitive corporate data, must be compliant with GDPR, or provide business critical applications, having a comprehensive story around how the data and systems are protected and having that story validated by an independent audit, will reduce the apprehension customers have to move their business to you.
Add your Service to the CSA STAR Registry
CSA STAR is open to all Cloud Providers
Eligibility for listing on the STAR Registry requires an official and authorized submission of one or more documents asserting compliance to CSA-published best practices. The registry is intended to allow potential cloud customers to review the security and privacy practices of providers, accelerating their due diligence and leading to higher quality procurement experiences.
Companies can be listed on the STAR Registry by submitting their STAR Self-Assessment or Code of Conduct for GDPR Compliance Self Assessment (Level 1) and/or their Third Party based certification (Level 2).
For more information about the CSA STAR Program please see: https://cloudsecurityalliance.org/star/#_overview.
For more information about the Code of Conduct for GDPR Compliance please see: https://gdpr.cloudsecurityalliance.org.
Ready to Submit?
For Cloud Service Providers
- Proceed below to submit your
CSA STAR Level 1
CSA STAR Level 2 Attestation
requires completion of the
STAR Attestation Template