CSA STAR Attestation

The Cloud Security Alliance (CSA) designed the Security, Trust, Assurance, and Risk (STAR) program as an assurance framework for cloud service providers (CSPs.) Combining the principles of transparency, rigorous auditing, and harmonization of standards, it provides organizations with cloud-specific structure and detail for their information security programs. The voluntary self-assessments, attestations, and certifications allow CSPs to validate their security posture and demonstrate their commitment to best practices.

Our CSA STAR Services

As a Certified Auditor for CSA Star Attestations, 360 Advanced can help you navigate the world of CSA STAR compliance. We provide:

 

CSA STAR Readiness Assessments

For organizations that are new to the CSA STAR framework, our auditors can perform a CSA STAR readiness/gap assessment. This helps you determine how your current efforts measure up to the program’s requirements, and which areas need additional remediation to be CSA STAR-compliant. After the readiness assessment, we provide a prioritized list of recommendations for your management team to address before a CSA STAR audit.

 

CSA STAR Attestations

Through the formal attestation process, 360 Advanced provides independent validation that your security controls meet the appropriate requirements. With a team of auditors that hold the CSA’s Certificate in Cloud Security Knowledge, we have a deep understanding of cloud technologies and the associated risks. Leveraging this experience, we can guide you through your Level 2 Attestation.

What are the Levels of the CSA STAR Program?

The CSA STAR program is organized into three levels. CSPs can decide which tier is most appropriate based on their risk profile, resources, and the level of responsibility they have in the shared responsibility model.

Cloud Security Alliance CSA STAR Attestation

STAR Level 1 is designed for low-risk environments. The simplest option, it allows organizations to self-certify their compliance. Each CSP’s documentation is made public on the CSA Register.

Level 1 self-assessments can be completed with the Cloud Controls Matrix (CCM) or the Consensus Assessments Initiative Questionnaire (CAIQ.) Companies can choose to complete a self-assessment for privacy, security, or both.

For standard Level 1 compliance, CSPs need to update their self-assessments each year. For STAR Continuous Level 1, CSPs must update their documentation every 30 days.

STAR Level 2 is recommended for medium-risk and medium-maturity environments, as well as organizations that wish to provide a higher level of assurance for their products or services.

At Level 2, organizations can pursue either STAR Certification or STAR Attestation. Both of these efforts require an independent third-party audit.  Attestations must be performed by a licensed CPA firm like 360 Advanced; Certifications must be performed by authorized certification bodies.

CSA STAR Attestation

STAR Attestation is based on an AICPA Type 1 or Type 2 SOC examination and supplemented by the Cloud Controls Matrix. As with SOC examinations, STAR attestations can use any combination of AICPA Trust Services Criteria, including Security, Availability, Confidentiality, Processing Integrity, and Privacy.

STAR attestations demonstrate the suitability of the design (for a Type 1 report) or the operating effectiveness of an organization’s controls over a period of time (for a Type 2 report). Attestation based on a SOC 2 Type 1 report lasts for six months; attestation based on a SOC 2 Type 2 report lasts for one year.

Providers can pair their CSA STAR Attestation with a self-assessment every 30 days to achieve STAR Level 2 Continuous.

STAR Level 3 is designed for high-risk environments and full-service providers. It provides the highest level of transparency into an organization’s cloud security controls.

Level 3 is based on the concept of continuous effort. Organizations must monitor and validate their controls at all times (often through the use of automated monitoring tools). This eliminates the gap between periodic “point in time” audits, allowing CSPs to communicate the most up-to-date status regarding their compliance.

Level 3 results in a certificate.

What Are the Benefits of CSA STAR Attestation?

CSA STAR Attestation allows organizations to assure clients that they have taken appropriate steps to secure their cloud offerings. This increases trust and transparency, while allowing CSPs to position themselves as leaders in the industry.

Organizations that actively maintain CSA STAR compliance (at any level) are included in the CSA STAR registry. This searchable database allows prospective clients to find vendors that meet the most stringent privacy and security requirements. For providers, this opens the doors to new business and reduces the number of security concerns that prospects may introduce during the sales cycle.

Additionally, third-party CSA STAR audits help organizations evaluate and improve their own processes. Attestations result in robust third-party reports that provide a narrative on a provider’s system and controls. This allows management to evaluate their security efforts and identify areas in need of maturation.

Connect With a CSA STAR Auditor

Request More Information About Our CSA STAR Services: