The Cloud Security Alliance (CSA) has established the CSA Security Trust & Assurance Registry (STAR) Attestation, a specification for rigorous third-party assessments of cloud providers.
The CSA developed it in conjunction with the American Institute of CPAs (AICPA), and it is aimed at CPAs who are conducting Service Organization Controls (SOC) 2 engagements using the CSA’s Cloud Controls Matrix (CCM).
“The AICPA is pleased to collaborate with CSA on STAR Attestation, which brings together best practices for Security Organization Control reporting,” said Amy Pawlicki, AICPA director of business reporting, assurance and advisory services, in a statement. “Security is of paramount importance in cloud computing, and the complementary frameworks put forth by AICPA and the CSA provide a comprehensive foundation for practitioners to follow in performing engagements in this space.”
STAR Attestation provides a framework for a CPA to express an opinion on several key factors related to service description, control suitability and control effectiveness within the cloud provider’s systems. It is the latest offering at Level 2 of the CSA STAR Program, a comprehensive set of offerings for cloud provider trust and assurance. STAR also includes Level 1 Self-Assessment, which focuses on transparency of security practices, and Level 3 Continuous Monitoring, which will be available in 2015.
“Consumers have long looked to the CPA community as important stewards of trust as it relates to IT service providers,” said Jim Reavis, CEO of CSA. “As a result of our collaboration with the AICPA, both consumers and providers can count upon their CPAs to conduct SOC 2 engagements with leading edge security best practices for the cloud. STAR Attestation is a critical milestone in our effort to provide comprehensive trust in cloud computing.”
The objective and mission of CSA STAR Attestation is to improve trust in the cloud and in the information and communication technology (ICT) market by offering transparency and assurance.
“SOC 2 has become a necessity for cloud providers serving enterprise customers,” said Mark Lundin, KPMG LLP’s global SOC 2/SOC 3 leader. “The combination of SOC 2 reporting with the industry-recognized CCM represents a powerful option that cloud providers can now use to demonstrate the effectiveness of their controls as well as build fundamental trust with their customers. In working with some of the world’s largest cloud providers, we recognize that thorough SOC 2 reports represent a best practice, effectively showcasing the provider’s strategy to meet its customers’ evolving security and compliance needs.”