According to the CSA, the new matrix - v1.2 - adds a number of features, including corporate governance, architectural relevance and scope applicability to the range of controls.
Becky Swain, co-chair of the matrix working group, said that the v1.2 update addresses the inter- and intra-organisational challenges of persistent information security by clearly defining control ownership not only by the cloud provider type (SaaS, PaaS and IaaS) and whether the user is operating as a tenant or customer, but also by architectural relevance.
Using these definitions, she says, helps to ensure that shared accountability is accurately identified at all layers of the stack and, for those controls that are architecturally irrelevant or agnostic, at the corporate governance level.
“Further[more], this update enhances the existing mapping of regulations, standards and control frameworks with the addition of Jericho Forum and NERC CIP”, she explained.
Delving into the new matrix makes interesting reading, Infosecurity notes, and helps to position cloud security alongside other frameworks such as ISACA's COBIT – v5 of which is currently in the final stages of discussion amongst members – and the ISO 27001/27002 standards.
The CSA says that the new matrix will also augment or provide guidance for SAS-70 attestations provided to businesses from their cloud providers.
SAS-70 is increasingly important to companies, and not just in the sphere of IT security. Short for 'Statement on Auditing Standards No. 70', it is an auditing statement issued by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) and generally accepted in the UK and Europe as a verifiable standard for companies providing IT services.
The statement also aims to provide guidance to auditors of financial statements for organisations that use one or more service organisations.
There are two types of service auditor reports. A Type I service auditor’s report includes the service auditor's opinion on the fairness of the presentation of the service organisation's description of controls that had been placed in operation and the suitability of the design of the controls to achieve the specified control objectives.
A Type II service auditor’s report, meanwhile, includes the information contained in a Type I service auditor's report and also includes the service auditor's opinion on whether the specific controls were operating effectively during the period under review.
Back with the CSA, the new version of the cloud controls matrix is billed as strengthening existing IT security control environments by emphasising business information security control requirements, identifying and reducing consistent security threats and vulnerabilities in the cloud, and providing standardised security and operational risk management guidance.