CSA STAR Attestation
The Cloud Security Alliance (CSA) designed the Security, Trust, Assurance, and Risk (STAR) program as an assurance framework for cloud service providers (CSPs). Combining the principles of transparency, rigorous auditing, and harmonization of standards, it provides organizations with cloud-specific structure and detail for their information security programs. The voluntary self-assessments, attestations, and certifications allow CSPs to validate their security posture and demonstrate their commitment to best practices.
Our CSA STAR Services
As a Certified Auditor for CSA STAR Attestations, 360 Advanced can help you navigate the world of CSA STAR compliance. We provide:
CSA STAR Readiness Assessments
For organizations that are new to the CSA STAR framework, our auditors can perform a CSA STAR readiness/gap assessment. This helps you determine how your current efforts measure up to the program’s requirements, and which areas need additional remediation to be CSA STAR-compliant. After the readiness assessment, we provide a prioritized list of recommendations for your management team to address before a CSA STAR audit.
CSA STAR Attestations
Through the formal attestation process, 360 Advanced provides independent validation that your security controls meet the appropriate requirements. With a team of auditors that hold the CSA’s Certificate in Cloud Security Knowledge, we have a deep understanding of cloud technologies and the associated risks. Leveraging this experience, we can guide you through your Level 2 Attestation.
What are the levels of CSA STAR?
The CSA STAR program is organized into three levels. CSPs can decide which tier is most appropriate based on their risk profile, resources, and the level of responsibility they have in the shared responsibility model.
CSA STAR Level 1 (STAR Self-Assessment)
STAR Level 1 is designed for low-risk environments. The simplest option, it allows organizations to self-certify their compliance. Each CSP’s documentation is made public on the CSA Register.
Level 1 self-assessments can be completed with the Cloud Controls Matrix (CCM) or the Consensus Assessments Initiative Questionnaire (CAIQ). Companies can choose to complete a self-assessment for privacy, security, or both.
For standard Level 1 compliance, CSPs need to update their self-assessments each year. For STAR Continuous Level 1, CSPs must update their documentation every 30 days.
CSA STAR Level 2 (STAR Attestation and Certification)
STAR Level 2 is recommended for medium-risk and medium-maturity environments, as well as organizations that wish to provide a higher level of assurance for their products or services.
At Level 2, organizations can pursue either STAR Certification or STAR Attestation. Both of these efforts require an independent third-party audit. Attestations must be performed by a licensed CPA firm like 360 Advanced; Certifications must be performed by authorized certification bodies.
CSA STAR Attestation
STAR Attestation is based on an AICPA Type 1 or Type 2 SOC examination and supplemented by the Cloud Controls Matrix. As with SOC examinations, STAR attestations can use any combination of AICPA Trust Services Criteria, including Security, Availability, Confidentiality, Processing Integrity, and Privacy.
STAR attestations demonstrate the suitability of the design (for a Type 1 report) or the operating effectiveness of an organization’s controls over a period of time (for a Type 2 report). Attestation based on a SOC 2 Type 1 report lasts for six months; attestation based on a SOC 2 Type 2 report lasts for one year.
Providers can pair their CSA STAR Attestation with a self-assessment every 30 days to achieve STAR Level 2 Continuous.
CSA STAR Level 3 (STAR Continuous)
STAR Level 3 is designed for high-risk environments and full-service providers. It provides the highest level of transparency into an organization’s cloud security controls.
Level 3 is based on the concept of continuous effort. Organizations must monitor and validate their controls at all times (often through the use of automated monitoring tools). This eliminates the gap between periodic “point in time” audits, allowing CSPs to communicate the most up-to-date status regarding their compliance.
Level 3 results in a certificate.