CSA Security, Trust & Assurance Registry (STAR)

Validating Authenticity of STAR Registry Files

File attachments in the CSA STAR Registry are compressed and digitally signed with gpg (GnuPG) 2.2.3. The below key can be used to verify each file’s authenticity.

Signature Details

Username: "CloudSecurityAlliance STARWatch"
Fingerprint: 0795 5495 94D1 0ACF 2F9B 3EC1 D9C7 ECF0 7A82 41C6

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBFod07wBEAChQ3eB9svmqUhjJQ1wSwvS0sXETxrXev3leQmbEUYZrnxNnjKK
uEtry31C23JGLqUuSWV+bTrJL8xaas/xz7vaQPS+tW7jpaEsZCOiHZAml+cSwhIn
+/rDgf8zmFqblTfzaP9Ewl1+vVq1sPCNrOXoq4pyr6potDm186dqv/yZCJCjfm+r
5GoEmnrE1iKvGhDXVQsf16EdpvE/XQrpha6vHwNPwOFeiSJE/bLwut49cmx62YLI
Ny8m/zkgeM0Ayrr7H6WDXvb9DGasdIM1RhG7Y4+LAY59Av22ahBdPfaQ++7divR9
2D5SN0um9CCVSyxA8N3TG6SxaxRmwn30N2jY5ilv/sUqeXVqnwcHOHWgPfvHJNQU
PQE8fRxdJQP5tg3A2SsMySHXsoZkRJo6P+LFz0Xv+l+frKS5e81iGjaW1LxgCIaS
N1sFznkqU65u79Vc+5W7DjVb9vmd6ZvxvmOiY7rDp0+IEEoUEaLxOnRFV5JYfNgz
ik5TL8yw5IjSnkJzxWMmCuMQlyQJJk5SBI90qxSXHERcVYDIRLPJEagG9plWi9Ko
YdhPlKJVnES6pMXWKOBszpuzPx7RgpctoZ2Nf49oSba25Z1am326RX+ihXhnXVTn
GU5+/ByTk2sK8tyiqgfzRILiAZSY7X9NJpY8QcHh4OkW+4Rp7C+9zchUQwARAQAB
tDZDbG91ZFNlY3VyaXR5QWxsaWFuY2UgU1RBUldhdGNoIDxzdGFyd2F0Y2hAc3Rh
ci53YXRjaD6JAk0EEwEKADcCGwMCHgECF4AWIQQHlVSVlNEKzy+bPsHZx+zweoJB
xgUCWi7y4QULCQgHAgYVCAkKCwIDFgIBAAoJENnH7PB6gkHGax0P/RYubxCxZYVn
QOYERVoJQaMpPjs3Tk9saFki8TArTSTmi/SK9xVa0qxLjWkHNmBoaaKBsY+ItkZX
6OEjel6otpcrGTOyKdkNPcEKwYU+ZIhSsVt7gKcyL93seTPdL2xO4wQn6MHEAiGc
WqYGdY7LN/hYzS3irdXnoW6gM8E4qZvMfNekRng+ogsseELMqndJ9+p2mjkKzf7F
c7e0FicQ5eo2RbhRxz2EHDM5j5vjVSDBj7UFs9JakQ3icIuAEk81eAAwOQjqqzzC
NzYpn22p4pre42YIUQRSKNF+qRP8IKPN44mbNIgPzMnqviNHnL5DYPWqzNeoo6WY
nNpFUmXAPZZrnV0TdSlOuD+f+m/2YL/dME5q1XWqJH7oNtGRD27gjoeiq62rgrYI
ogZqR6sbbi4VH7GRRkrv5gxuM7PjGv/nZbSWQp1tPgrZT5zIQZlrqdgiqwgjz4C8
BzUj9oZvb079sl1E0WxN+xD+aut+kvhTmUbrkRoByJBwyIDf8s+r0JF+qnwOgbQL
mpBmEDvdLlGlklkmUofeXCHj/26XQd7xoDqv3j7BWjXkn9UlWGqyTLr48VCV3/kW
qi89EcIIibBG4vB8qstEU6gVz7qadz/4ZwwoCMtC/P1ibTldp5qMDnTOfSh40n1D
Crn1cXb9GK5648z97+jSZpHT4JYs60VUiQIzBBMBCgAdFiEE85F0PGUsUNrwia/Z
HhZeN36KVM8FAlod1DkACgkQHhZeN36KVM+EoA/9FgDnsnDa4YEBN5mgWkNa/iZ5
02niXPvqLIuDCkABQoZ/0W8o2Vwg5Wu1292bTz/B3Kjf0SVi1PSLJ9KKWlOvIGBA
GdaxsRwGwUdjFCDBks/SpSWBQNhEUz1n/D7TFF9FVpNLToyH1mgyIIf/V2kM4W7y
fM7MOFAQoDrdFOaxK0XxUnvoD3zzt2WAc87w+gvWJjGcWnjkiNpdFhESHM4V+Jih
DbU5aAfEO1CA7mN2QBjwlIRE5cYCcSNjfg5B3zmxmZ/uAtrpj1CIj/4XGsAFVZDP
f4WwN08ixwFWSqMnm8AhrFvu2elEXKT9Ser1z9Ernnr9WVrfREcwIrgt6PLwuO/6
0WQu9PalKM88LnHCtYN+A9N0EXWg+8fMHBz1OJPdnvjLfbL5ZczdK3rX7SZd16LS
xoaKQf7a/zrXEDjiXNFtJV1WK2AGaVo/65aWGEZ+u5ozpbxo5bbafW/m8GfPYh1G
jf6Q0zWDEx6PbaJVjT6VHHbdr98r3aDJPWbxt3UqmB2PGHgoEwwhW8oUXv07ehGe
xchc8Dppmdh59q3HE8Qt5Ejte/SwwqWIXaLo7Xe0ft9lSRkb358MVD9slwly5QeN
KWS1baT4NvI8RqWm/AWjWzws58CFXYLwPGy6xORIWuQYc+c9RWX2EjuIfX22TBIt
IPvClGR44UjBPIe9t0eJAjMEEwEKAB0WIQSpC/mVc1AUj2a/dVQWDUVTXiZ5kwUC
Wh3URgAKCRAWDUVTXiZ5k/8tD/9a/pt0T4M/WWjuf504g8vsfQY3ZoR3og4PaXMh
kZsPdl6x7Ys+yHLh7InwlWIWY00edgYaO8YiyhtKY5OAzFoAJl3FkKBYtl9QqZNs
n1T2lGgZHNpdzUdZG7snIqrOiC7V93hC645x2UfYhaUqvcxv/vrPGcTVHS2FxqNL
js74rzc4MmhzDxzthyvLwFKpWDfntLH35VPLipr4ljFZIxPoux+dK7IRsyaYt1iJ
Zk7LRfjfoLnR4ApacAlo3WoTvQ7pXwGALeumNZkKdFXoER4gf/b+HMaFDen3rYSJ
8iL7EJIG4qyudvJUbMi/lT4M6Owdvec4jIDFa0LTgpLXLZ7eZ7Ap9UPUDUJl+UWn
FlrXqauf5RwWpCNj2gyVaOwnFVNOzZAjUE7HWJ9QUg0eWhKjByHiNcIQ0uXzLjCU
O2asaMKhAZ4MlKu0uT0Go7HFwxcryjaiTEQYyKJwZKzZnsGoEVGL+iCzoNdj+icS
9y+RIvMheqmmmdmU9d409ad0IM7173kUAe6kgLrAmsRf/FZ6DwsdLiGBQD0D3yOH
OArwK2bLI9/1lKFG/7p1erXC7h5uU/A7K7luQFY3W2eFBvSO2sJuClkEIjD6G5B6
914utWa3GeVaByOqNOYJCWwfLW0ZG2YxD3fNWZG/vfAvRFBVkVDGanLjIuidtajP
5r3quYkCMwQTAQoAHRYhBK3D1clviy7Qvs4crvFcrcSgD4F0BQJaHdRPAAoJEPFc
rcSgD4F0xDUQAL33nHwPk7b31hxCJcyuMY0RH6n76G/ikykoKjFzaW58xLp2yLy3
UNQHcojHIJHDFflSSZtp4xRin9Q0Ujd+8PD0D7AC0PjGjdBDa2LgO6zqEB/sZvNh
J8F45ZqO5oyOjc148/mVaTfw//zoPGf745dXn3pFqDI9OINjxherSae3rU77kr1g
c2Bx4139XX6bQ7DkCuCZUtVNrGVJudaFNBmV4km95SmdtgjJtAH7RVr6hr6qtqGx
pOpTe6zN7SwYNiKyIGoGflCjZWRU/6NKairs7jXI/S0wfsov1/GT6qRxN9vgn3fT
xA18bRfY3KAX/qTScV8s9FPLhO+lt1AjPt4Rg2Mvc0In+jwSroQX5IIM5d/VDsFc
KHH9P3rVCdexnJz9T8eyQXFrA5E6AvwkDP+ubFqi9EpmyZIGom0pOsbSY+WJ/edx
80jhd8zcjnk1rwDd+YPUiF5U+hXYdbbg/9DLtk1Rv33tfKNWpQTaLw63By0a+pOU
qnOQM03GxE/NUrP4CPBydNhKdYmUczIyphNbcNrKSll2ZIrVJUdnuJDXbldvTn5o
tBkoKfDU/J/16uDYQnDpADpG5kYqgxxAsItUBgJHrwHMGqIpRlkyV6EQ5eMK7pYr
pLEBAmxbiqlMm8ktySyUu6am7K309vi8paz5Ghgbvry+CfhGJ2dZAHw0iQIzBBMB
CgAdFiEEfc/tO+1eXKE5urAeHxemWAzi2roFAlod1FcACgkQHxemWAzi2rre6A/9
HWWc6NIgXTt2cRiVXuZEwb/kiF+OpadwAtcs3MXQcrgYZgzPFPu140WZOI3hA4I5
DADyANzl8Lw2a9RxZJlI5eLum+EhOnnHou3mIvz+JLLfHf8xs1XoHkNuANEwfJeM
8GbLrEfzcZ4ajQQfXE0VdaGJ7bD7xX8IX8yawhWTWpQUgKuX81xCLxC/e+yoz79+
owFViQozZMFHthzlCf8HZtYTe/d78cKoe2LS5OMLPS9KOOmUym/Wv1AFeP8+zgZV
0sxHxV7pEgWHB4KAg9B50/u+wdiHYTzn+WmEMeXJ+xYXggviro1hv5Plcjr4HznN
IdGgELDijt8jgpdaH8EN4hDsi8wfitFBwXPghO5uz6xdj6D9iVZkqp6IQVOuIYK7
QeBLgLosCCALtb0QQFLnAygNW5esRLjMtXIbsz9I2XhO4/qMeo8Z/PqUrfmkfR2A
2Fk72coprocO1+LGNQD7ObnlW1bQ9JMj/2IBGOv6kQAW2pL4/46wx+gAifZ0fK1W
rCPvdYw8mITZKzOk2FMF+n2Glm9PpeW8AojsRXpl2fn/m19V2u4ndkFea1nTTBeM
iWYJGYs5M9VgnKwB4NWNLy5XE8qEYnb9kTfZ6hD/eGKWZYxy56+i/8JRMfRZTk0P
2t5djaukj/DXk2xhigy9I4iuARPakQv4gw1XY7GtZyG5Ag0EWh3TvAEQAKw9Q7MT
1vn53QbpTod2xVyAYcWfrh9z64KYidm5PcMQO/vtBZ2aBLzVfuFxTUUjAf7WiRwa
UEbEc/n8fERamLWWJl7/t0BSIAhJTfAIjux0V09A/eHVJCZFGqxILjghcZfR6YyB
xKc0eztB4/Ayx+GZ3otCcOtEpCTv3mcQPLFOqKOmvvvEpSGHc0E5wdMVigJXKtY6
6qa1DaZJ6BkRVLs5fMsL5WawRQM+QYxdqK5BYOkcEs40e7bKHZo4B6Bp6O51XYhj
NirYAUAvvY8xnIEsIw5oBPUUbBGKvywMY1MmldXnbdBtOMXW0c+9aPQnjDrVnYrM
dhKsjaVZBy+aS3fD5YtkX6QXPQFSbm1UQ6LkiGpaxHgZR2qKsrn8O4g2aVL6Nm8F
fhCJDpAIpo/8v0EERK/TW34HKi+xYIdw6A0IlWeEYKKYXLELmdf8r+Zd0yQ9D49L
82omSlZDUvpNQG4cLqhP0KaF8AeceDw5BWqT8rUPGgJ3rNZUoFC0T1bbUbcsoIf+
MOhsH/lBDd5cLChw13O/bgarCP4rzz6HlunzdvN3BU+kEzPtGX+7RacuCK1ofWAl
OVoXP4vhiM2ZT7RmTMA6djohbDHE5LGguf5HY6jfl1p4GpfqbLvlq6dLzw9jCfw/
QhMCzGCeILtrArzQc4VIv+nBp/mt33r3MBQ/ABEBAAGJAjYEGAEKACAWIQQHlVSV
lNEKzy+bPsHZx+zweoJBxgUCWh3TvAIbDAAKCRDZx+zweoJBxiPwD/kB9yy1YNGI
GCziC552Gc08+sRzDzuRMwFn5d6YjsMMXF9qexrck4lbxI3rQewI1AHBoYfTErS3
x7Lji+ErcPJwul2rKn4hwtippA5M2XRdnZt1r0hO2yM7pPMLEl/UyJBaPBsdi5D5
pXn3DU76TV3CW2Ld35+r+AePzD/kPxqbwHxLRLrrMK4ZSnBB4SdXxQJgeURpGp2r
jm/t2zw/s2eoMyeRcvjU+yYoKkokz+2Dde7qZ+1TjxLDq38hzkM39RrNbNXxZC9E
41zVEFzYsWx/XU2E3UTDF56vS+eDXekBJG90NWA0Tbhrw4neqUPXJWKbkeNCzbiK
6O65VM5bGnQSaWKhZn5TDFJoqMaI40uFoP6nVetPW039S2cphf3754k7G/RjvLye
W6bhX9Z6IC8EE2KJs/kOk3iVA6yxNlxMy2A+GdbTkuz3DizWyFWiYeEv8ILb7tm3
2aO8mcLc/RLm1U7lKD2kdK46crpe4tKtHXAjy9Uk9DfygFjxlwKxDxAOinZupuI7
oXtfHJZN5ElEe4Aw4JvFXsLPxv/NfCZ4fVtbkhR7Ec7TDrj+L27iyz2lzxElu0Et
L6A0CD3F621OHbmp7NEjlIylO3u0KPJPjwdA9UclWOTvQOZmhPXtUmFovHGUEqgN
fBpsXGgaSsWysMoVhFaj2J5oE7MA5THqTA==
=CyV6

-----END PGP PUBLIC KEY BLOCK-----
        

CSA STAR: The Future of Cloud Trust and Assurance

CSA STAR is the industry’s most powerful program for security assurance in the cloud. STAR encompasses key principles of transparency, rigorous auditing, and harmonization of standards. The STAR program provides multiple benefits, including indications of best practices and validation of security posture of cloud offerings.

STAR consists of three levels of assurance (Self Assessment, 3rd party certification and continuous auditing), based upon:

• The CSA Cloud Controls Matrix (CCM)
• The Consensus Assessments Initiative Questionnaire (CAIQ)
• The CSA Code of Conduct for GDPR Compliance

The CCM, the only meta-framework of cloud-specific security controls, mapped to leading standards, best practices and regulations. CCM provides organizations with the needed structure, detail and clarity relating to information security tailored to cloud computing. CCM is currently considered a de-facto standard for cloud security assurance and compliance.

The CAIQ is based upon the CCM and provides a set of Yes/No questions a cloud consumer and cloud auditor may wish to ask of a cloud provider to ascertain their compliance to the Cloud Controls Matrix.

The CSA Code of Conduct for GDPR Compliance is a tool created in collaboration with industry experts and representatives from EU national data protection authorities to assist organizations in adhering to the European General Data Protection Regulation. The CSA’s Code include all the necessary requirements a Cloud Service Provider has to satisfy in order to comply with the EU GDPR.

One of most essential features of the STAR program is its registry that documents the security and privacy controls provided by popular cloud computing offerings. This publicly accessible registry is designed for users of cloud services to assess their cloud providers, security providers and advisory and assessment services firms in order to make the best procurement decisions.

CSA STAR is based upon two key research components of the CSA GRC Stack:

Cloud Controls Matrix (CCM) - As a controls framework, the CSA CCM provides organizations with the needed structure, detail and clarity relating to information security tailored to cloud computing.

https://cloudsecurityalliance.org/research/ccm/

The Consensus Assessments Initiative Questionnaire (CAIQ) - Based upon the CCM , the CAIQ provides a set of Yes/No questions a cloud consumer and cloud auditor may wish to ask of a cloud provider to ascertain their compliance to the Cloud Controls Matrix and CSA best practices.

https://cloudsecurityalliance.org/group/consensus-assessments/

CSA STAR PROGRAM ASSESSMENT AND CERTIFICATIONS

LEVEL ONE: CSA STAR Self-Assessment

CSA STAR Self-Assessment is a complimentary offering that documents the security controls provided by various cloud computing offerings, thereby helping users assess the security of cloud providers they currently use or are considering using. Cloud providers either submit a completed The Consensus Assessments Initiative Questionnaire (CAIQ), or to submit a report documenting compliance with Cloud Controls Matrix (CCM). This information then becomes publicly available, promoting industry transparency and providing customer visibility into specific provider security practices.

https://cloudsecurityalliance.org/star/self-assessment/

LEVEL ONE: CSA GDPR Code of Conduct Self-Assessment

The Code Self-Assessment consist in the voluntary publication on the STAR Registry of two documents:

• Code of Conduct Statement of Adherence, and
• Self-assessment results based on the PLA Code of Practice (CoP) Template - Annex 1

The Code Self-Assessment covers the compliance to GDPR of the service(s) offered by a CSP. A submission fee of €1495 euros is required to facilitate the publication. A company after the publication of the relevant document on the Registry will receive a Compliance Mark valid for 1 year. The Self-Assessment shall be revised every time there’s a change to the company policies or practices related to the service under assessment.

https://cloudsecurityalliance.org/star/self-assessment/

LEVEL TWO: CSA STAR Attestation

CSA STAR Attestation is a collaboration between CSA and the AICPA to provide guidelines for CPAs to conduct SOC 2 engagements using criteria from the AICPA (Trust Service Principles, AT 101) and the CSA Cloud Controls Matrix. STAR Attestation provides for rigorous third party independent assessments of cloud providers.

https://cloudsecurityalliance.org/star/attestation/

LEVEL TWO: CSA STAR Certification

The CSA STAR Certification is a rigorous third-party independent assessment of the security of a cloud service provider. The technology-neutral certification leverages the requirements of the ISO/IEC 27001:2005 management system standard together with the CSA Cloud Controls Matrix.

https://cloudsecurityalliance.org/star/certification/

LEVEL TWO: CSA C-STAR Assessment

The CSA C-STAR Assessment is a robust third party independent assessment of the security of a cloud service provider for the Greater China market that harmonizes CSA best practices with Chinese national standards. C-STAR leverages the requirements of the GB/T 22080-2008 management system standard together with the CSA Cloud Controls Matrix, plus 29 related controls selected from GB/T 22239-2008 and GB/Z 28828-2012.

https://cloudsecurityalliance.org/star/c-star/

LEVEL THREE: CSA STAR Continuous Monitoring

Currently under development, CSA STAR Continuous Monitoring enables automation of the current security practices of cloud providers. Providers publish their security practices according to CSA formatting and specifications, and customers and tool vendors can retrieve and present this information in a variety of contexts.

https://cloudsecurityalliance.org/star/continuous/

Key Links & Resources

CSA STAR Certification Intake Form

Download

Release Date: June 07, 2018

CSA STAR Attestation Intake Form

Download

Release Date: June 07, 2018

CSA STAR Attestation Type 1 Marketing Guidelines 2017

Download

Release Date: May 09, 2017

Guidelines for CPAs Providing CSA STAR Attestation v2

Download

Release Date: March 20, 2017

STAR Overview PDF

The CSA STAR Program is a publicly accessible registry designed to recognize the varying assurance requirements and maturity levels of providers and consumers, and is used by customers, providers, industries and governments around the world.

Download

Release Date: April 20, 2015

For More Information

General Inquiries: [email protected]

CSA STAR Certification Auditors: https://cloudsecurityalliance.org/star/certification/#_auditors

CSA STAR Attestation Auditors: https://cloudsecurityalliance.org/star/attestation/#_auditors

Redirecting...

If you have not been redirected after 3 seconds, please click here.

Add your Service to the CSA STAR Registry

CSA STAR is open to all Cloud Providers

Eligibility for listing on the STAR Registry requires an official and authorized submission of one or more documents asserting compliance to CSA-published best practices. The registry is intended to allow potential cloud customers to review the security and privacy practices of providers, accelerating their due diligence and leading to higher quality procurement experiences.

Companies can be listed on the STAR Registry by submitting their STAR Self-Assessment or Code of Conduct for GDPR Compliance Self Assessment (Level 1) and/or their Third Party based certification (Level 2).

For more information about the CSA STAR Program please see: https://cloudsecurityalliance.org/star/#_overview.

For more information about the Code of Conduct for GDPR Compliance please see: https://gdpr.cloudsecurityalliance.org.

The STAR Level 1 (Self-Assessment) is based on a report showing the adherence of a service and/or provider to one of the following CSA best practices:

• Consensus Assessments Initiative Questionnaire (CAIQ)
  Download here
• Cloud Controls Matrix (CCM)
  Download here
• CSA Code of Conduct for GDPR Compliance (new service as of June 2018)
  Download here

In order to streamline the process of performing and maintaining their CSA STAR Self-Assessment, companies are recommended to use CSA STARWatch. CSA STARWatch.

The STAR Level 2 (third-party-based certification) instead offers companies with the possibility to comply with CSA best practices according to three different auditing procedures:

• STAR Certification
• STAR Attestation
• STAR C-STAR

Submitting Reports to CSA is Simple

For STAR Certification the following intake form shall be completed and submitted by a STAR Certification Auditor: https://cloudsecurityalliance.org/download/csa-star-certification/

For STAR Attestation the following intake form shall be completed and submitted by a STAR Attestation Auditee: https://cloudsecurityalliance.org/download/csa-star-attestation/

For assistance with Level 2 requests, please contact us at [email protected].