C-STAR

Introduction to the CSA C-STAR Assessment

The CSA C-STAR Assessment is part of the Level 2 scheme under the OCF framework and is mainly used in the Greater China region. C-STAR is a rigorous, independent third-party assessment of a cloud service provider's security management. The assessment draws mainly on the GB/T 22080-2008 management system standard and the requirements of the CSA Cloud Controls Matrix, together with 29 related controls selected from the Chinese national standards GB/T 22239-2008 (Information security technology – Baseline for classified protection of information system) and GB/Z 28828-2012 (Information security technology – Guideline for personal information protection within information system for public and commercial services).

C-STAR Assessment Framework

Figure 1 C-STAR Assessment Framework

Organizations that outsource business to cloud services often have many concerns about the security of their data and information. By passing the C-STAR Assessment, cloud service providers of all sizes can better demonstrate their security management status to prospective customers.

The C-STAR Assessment is based on the controls in GB/T 22080-2008 and the Cloud Controls Matrix, plus selected related requirements from GB/T 22239-2008 and GB/Z 28828-2012.

C-STAR assessments are carried out by CSA-accredited assessment bodies (such as CEPREI Certification Body). Based on the assessment findings, the assessment body evaluates each CCM security domain (including the 29 requirements selected from GB/T 22239-2008 and GB/Z 28828-2012) and assigns a "Management Capability" maturity score.

The assessment report shows the maturity of the organization's cloud security management and the control domains it needs to consider improving in order to reach an optimum level of maturity. Certified organizations are listed in the CSA STAR Registry as "C-STAR Assessed".

C-STAR Assessment results can be used for comparison with other organizations in the relevant sector, and are useful for evaluating strategy, business operations and partner relationships.

C-STAR assessors consider the long-term sustainability of the organization's cloud security management and its risk management performance, and ensure that SLAs act as the driver for improvement, so that senior management can quantify and measure improvement year on year.

To be consistent with China's national requirements, the C-STAR Assessment scheme meets the following:

  • CNAS CC01:2011 IDT ISO/IEC 17021:2011, Requirements for bodies providing audit and certification of management systems
  • CNAS CC17:2012 IDT ISO/IEC 27006:2011, Requirements for information security management system certification bodies
  • CNAS SC18:2012, Accreditation scheme for ISMS certification bodies
  • GB/T 19011:2013 IDT ISO 19011:2011, Guidelines for auditing management systems

Strategic Benefits

  • Provides senior management with enhanced 360º assessment conclusions for evaluating the effectiveness of the organization's management system and the suitability of the roles and responsibilities of personnel within the organization.
  • The scope of the assessment can be tailored through the Statement of Applicability to fit the enterprise's situation. This ensures that the assessment results and measurements are relevant to the organization and help it manage cloud security.
  • After the assessment, a fairly comprehensive business report is issued that aims to give an accurate strategic evaluation of the organization's cloud security management performance, so that senior management can understand the areas needing improvement.
  • Provides the assessed organization with a full set of recommended improvement targets, encouraging it to raise its cloud security management goals from compliance toward continual improvement.

Operational Benefits

  • The C-STAR Assessment is suitable for organizations of all sizes. It provides information that lets an enterprise understand the current state of its cloud security management and quantify its improvements; internally it establishes a cloud security management baseline, and externally it makes it possible to set a security management baseline for the supply chain, stimulating healthy competition.
  • Presents the enterprise's cloud security management status in visual form, directly showing its strengths and weaknesses in cloud security management and helping clients maximize the use of resources, improve operational efficiency and reduce costs.
  • Explains to senior management, from an independent third-party perspective, where the organization's risks, threats and opportunities lie.

About CSA C-STAR Assessment

The CSA C-STAR Assessment is part of the OCF Level 2 scheme, and is mainly used in the Greater China region. C-STAR is a rigorous third-party independent assessment of the security management of a cloud service provider. The technology-neutral assessment leverages the requirements of the GB/T 22080-2008 management system standard together with the CSA Cloud Controls Matrix, a specified set of criteria that measures the capability levels of the cloud service, plus 29 related controls selected from China's national standards GB/T 22239-2008 (Information security technology – Baseline for classified protection of information system) and GB/Z 28828-2012 (Information security technology – Guideline for personal information protection within information system for public and commercial services).

C-STAR Assessment Framework

Figure 1 C-STAR Assessment Framework

Organizations that outsource services to cloud service providers have a number of concerns about the security of their data and information. By passing the C-STAR Assessment, cloud providers, regardless of the size of their operation, will be able to give prospective customers a greater understanding of their security management status.

The C-STAR Assessment is based on GB/T 22080-2008 and the specified set of criteria outlined in the Cloud Controls Matrix, plus related requirements of GB/T 22239-2008 and GB/Z 28828-2012.

The independent assessment by an accredited CSA certification body, such as CEPREI Certification Body (http://www.ceprei.org/), will assign a 'Management Capability' score to each of the CCM security domains (including the requirements selected from GB/T 22239-2008 and GB/Z 28828-2012). Each domain will be scored at a specific maturity level and measured against the assessors' grid.

The assessment report will show organizations how mature their processes are and what areas they need to consider improving on to reach an optimum level of maturity. Certified organizations will be listed on the CSA STAR Registry as “C-STAR Assessed”.

The C-STAR Assessment enables effective comparison with other organizations in the applicable sector, and it focuses on strategic and operational business benefits as well as effective partner relationships.

The C-STAR Assessment enables the assessor to evaluate a company's performance in long-term sustainability and risk management, in addition to ensuring that the company is SLA-driven, allowing senior management to quantify and measure improvement year on year.

To be consistent with China national requirements, the C-STAR Assessment scheme is designed to comply with:

  • CNAS CC01:2011 IDT ISO/IEC 17021:2011, Requirements for bodies providing audit and certification of management systems
  • CNAS CC17:2012 IDT ISO/IEC 27006:2011, Requirements for Information Security Management System Certification Body
  • CNAS SC18:2012, Accreditation Scheme for ISMS Certification Bodies
  • GB/T 19011:2013 IDT ISO 19011:2011, Management System Audit Guidance

Strategic Benefits

  • A 360º enhanced assessment giving senior management full visibility to evaluate the effectiveness of both their management system and the roles and responsibilities of personnel within the organization.
  • A flexible assessment that can be tailored through the Statement of Applicability. This guarantees the results and measurements of assessments are both relevant and necessary in helping organizations manage their business.
  • A comprehensive business report that goes beyond a usual assessment report and gives a strategic and accurate overview of an organization's performance, enabling senior management to identify the action areas needed.
  • A set of improvement targets to encourage an organization to move beyond compliance toward continued improvement.

Operational Benefits

  • Scalable to organizations of all sizes. Provides information that allows organizations to know where they are now and measure any improvements, internally benchmark their sites and potentially externally benchmark their supply chain to stimulate healthy competition.
  • A visual representation of the status of a business that instantly highlights its strengths and weaknesses, allowing clients to maximize resources, improve operational efficiencies and reduce costs.
  • Independent reassurance to prove to senior management where the risks, threats and opportunities lie within a business.

Example Certificate

C-STAR Example Certificate

CSA Corporate Members Providing C-STAR Assessment Service

The following CSA corporate members have qualified employees to carry out C-STAR assessments.

Certified Auditors: CEPREI Certification Body

Contact Info:
CEPREI HQ, No.110 Dongguan Zhuang RD., Guangzhou, P.R. China
Telephone: +86-20-87236606
C-STAR@ceprei.org

As a leading management system certification body in China and the first Executive Member of CSA in Asia, CEPREI Certification Body provides information-security-related professional services such as ISO 20000 and ISO 27001 certification, risk assessment, IT governance, business continuity management, etc. The newly launched C-STAR assessment scheme is also provided to help clients fully understand the cloud security issues they are facing and how to put the appropriate controls in place. CEPREI Certification Body, with its unique legal status, is a registrar authorized and accredited by national departments and/or accreditation bodies at home and abroad to conduct third-party certification. It grew out of the Inspection Division of the China Electronic Product Reliability and Environmental Research Institute (the Fifth Electronic Institute), established in 1956, which is the first national-level scientific research organization engaged in product quality and reliability research in China. As early as 1979, CEPREI Certification Body introduced the concept of certification into China. Since then CEPREI has issued more than ten thousand certificates of various types to its clients. It operates in all administrative regions of mainland China and in other countries and regions including the Hong Kong Special Administrative Region, Taiwan, the USA, Germany, Holland, Denmark, Australia, Japan, Korea, Malaysia, Thailand and Singapore. The American National Standards Institute - Registrar Accreditation Board (ANAB), one of the most authoritative accreditation bodies in the world, has authorized CEPREI Certification Body to issue ISO 9000, ISO 14000 and ISO 27001 certificates bearing the ANAB logo since 2001. The certificate helps improve the reputation and competitiveness of your products and services at home and abroad.

Assessment pricing: rules and explanations

  1. The C-STAR Assessment price is based on the ‘effective number of employees’ in the scope of registration.
  2. The assessment fee covers the issuing of a certificate for a 3-year period. If a certificate is being issued for less than a 3-year period, the certification fee will be prorated to the nearest whole month. This means that a client can join half way through a GB/T 22080 certification cycle without any penalty, and allows us to align the client's GB/T 22080 and C-STAR Assessment cycles more easily.
  3. If a client wishes to increase the number of people in the scope of registration the difference between the fee that would be levied for the existing number of employees and the fee due for the new number of employees will be levied, prorated on the remaining duration of the certificate.
  4. No refund will be given if the number of people in the scope of registration is reduced.

Registration Pricing

EFFECTIVE EMPLOYEES    FEE
1 to 10                 4275
11 to 25                8550
26 to 75               14963
76 to 250              25650
251 to 700             42750
701 to 1500            59850
1500 +                 85500

CSA will apply a 20% price reduction for CSA Corporate Members.

Explanation on the C-STAR Assessment fee

The revenues from the assessments go to the Cloud Security Alliance, which is the governing body of the Open Certification Framework and the Level 2 STAR Program.

The Cloud Security Alliance is a not-for-profit organization that covers its costs through memberships, sponsorships and royalties generated by the third-party commercial exploitation of CSA's intellectual property and brand.

Through the C-STAR Assessment fee, the Cloud Security Alliance will:

  1. cover the cost already sustained in the development of the OCF – C-STAR Assessment,
  2. manage the STAR web site, which will be the portal where information related to the C-STAR Assessment will be displayed. The STAR web site will also be the public window for organizations that obtain the C-STAR Assessment Certificate,
  3. organize educational campaigns (conferences, educational material, etc.) to support the penetration of C-STAR Assessment in the market,
  4. support the improvement and update of Cloud Controls Matrix,
  5. support the development of OCF Level 3 - STAR Continuous.

Have questions?

Please direct them to c-star-questions@cloudsecurityalliance.org.