Cloud Security Alliance GRC Stack
Cloud Security Alliance Unveils Governance, Risk Management and Compliance (GRC) Stack.
The CSA Governance, Risk Management and Compliance (GRC) Stack offers a suite of enabling tools for GRC in the cloud.
Achieving GRC goals requires appropriate assessment criteria, relevant
control objectives and timely access to necessary supporting data.
Whether implementing private, public or hybrid clouds, the shift to
compute-as-a-service presents new challenges across the spectrum of GRC
requirements.
The CSA GRC Stack provides a toolkit for enterprises, cloud providers,
security solution providers, IT auditors and other key stakeholders to
instrument and assess both private and public clouds against industry
established best practices, standards and critical compliance
requirements.
The Cloud Security Alliance GRC Stack is an integrated suite of three
CSA initiatives: CloudAudit, Cloud Controls Matrix and Consensus
Assessments Initiative Questionnaire:
CloudAudit
CloudAudit is a volunteer, cross-industry effort drawing on practitioners
from cloud, networking, security, audit, assurance and architecture
backgrounds.
The goal of CloudAudit is to provide a common interface and namespace
that allows cloud computing providers to automate the Audit, Assertion,
Assessment, and Assurance (A6) of their infrastructure (IaaS), platform
(PaaS), and application (SaaS) environments and allow authorized
consumers of their services to do likewise via an open, extensible and
secure interface and methodology.
CloudAudit provides the technical foundation to enable transparency and trust in private and public cloud systems.
Cloud Controls Matrix (CCM)
The Cloud Security Alliance Cloud Controls Matrix (CCM) is specifically
designed to provide fundamental security principles to guide cloud
vendors and to assist prospective cloud customers in assessing the
overall security risk of a cloud provider.
The Cloud Controls Matrix provides a controls framework that gives a
detailed understanding of the security concepts and principles that are
aligned to the Cloud Security Alliance guidance in its 13 domains.
The foundations of the Cloud Security Alliance Cloud Controls Matrix
rest on its mapping to other industry-accepted security standards,
regulations and controls frameworks such as the HITRUST CSF,
ISO 27001/27002, ISACA COBIT, PCI DSS, HIPAA and NIST, and it will
augment or provide internal control direction for SAS 70 attestations
provided by cloud providers. As a framework, the CSA CCM gives
organizations the structure, detail and clarity they need on information
security tailored to the cloud industry.
The CSA CCM strengthens existing information security control
environments by emphasizing business information security control
requirements, identifies and reduces recurring security threats and
vulnerabilities in the cloud, provides standardized security and
operational risk management, and seeks to normalize security
expectations, cloud taxonomy and terminology, and the security measures
implemented in the cloud.
Consensus Assessments Initiative Questionnaire (CAIQ)
The Cloud Security Alliance Consensus Assessments Initiative (CAI) was
launched to perform research, build tools and form industry
partnerships that enable cloud computing assessments. The initiative
focuses on providing industry-accepted ways to document which security
controls exist in IaaS, PaaS and SaaS offerings, giving customers
security control transparency.
The initial deliverable of this project is the Consensus Assessments
Initiative Questionnaire (CAIQ). The questionnaire is distributed in
spreadsheet format and provides a set of questions a cloud consumer or
cloud auditor may wish to ask of a cloud provider. It consists of a
series of "yes or no" control assertion questions that can then be
tailored to each cloud customer's own evidentiary requirements. A "yes"
is a provider assertion, not evidence; the customer still decides which
controls require supporting documentation.
CSA GRC Stack Integration & Implementation
The three initiatives have been developed through a collaborative effort
and integrate with one another out of the box. CloudAudit carries the
Cloud Controls Matrix as one of its namespaces, while the Consensus
Assessments Initiative Questionnaire was specifically designed to
identify the presence or absence of CCM controls and of other key
practices identified in the CSA guidance.
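The practical consequence of that integration is that CAIQ answers can be consumed mechanically: each "yes or no" question maps to a CCM control, so a provider's completed questionnaire can be turned into a per-control and per-domain gap report, filtered by the controls a particular customer actually requires. The script below is an added example, not CSA code or any CSA tool. The control identifiers (`X-DG-01` and so on), domain names, question identifiers and the sample responses are constructed for illustration and do not correspond to the real CCM or CAIQ numbering; the mapping from question to control is likewise an assumption about how a customer would annotate the spreadsheet.

```python
"""
Gap analysis of CAIQ-style "yes/no" control assertions against a CCM-style
control catalogue, grouped by control domain.

Added example, not CSA code. Control IDs, domain names, question IDs and the
sample questionnaire are constructed for illustration only.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed control catalogue: control id -> (domain, short title).
# Hypothetical identifiers; the real CCM uses different numbering.
CONTROLS: Dict[str, Tuple[str, str]] = {
    "X-DG-01": ("Data Governance", "Data classification"),
    "X-DG-02": ("Data Governance", "Production data handling"),
    "X-IS-01": ("Information Security", "Encryption key management"),
    "X-IS-02": ("Information Security", "Vulnerability management"),
    "X-RS-01": ("Resiliency", "Business continuity testing"),
}

# Constructed CAIQ-style rows: (question id, mapped control id, raw answer).
# A blank, "N/A" or otherwise malformed cell is treated as unanswered, never
# as "yes": an absent assertion must not read as a present control.
SAMPLE_CAIQ: List[Tuple[str, str, str]] = [
    ("X-DG-01.1", "X-DG-01", "Yes"),
    ("X-DG-02.1", "X-DG-02", "No"),
    ("X-IS-01.1", "X-IS-01", "yes "),
    ("X-IS-01.2", "X-IS-01", "No"),
    ("X-IS-02.1", "X-IS-02", ""),
    ("X-RS-01.1", "X-RS-01", "N/A"),
]


def normalize_answer(raw: str) -> str:
    """Map a spreadsheet cell to 'yes', 'no' or 'unanswered'."""
    answer = raw.strip().lower()
    if answer in ("yes", "y"):
        return "yes"
    if answer in ("no", "n"):
        return "no"
    return "unanswered"


def assess(caiq, controls) -> Tuple[Dict[str, str], List[str]]:
    """Return (status per control, question ids mapped to unknown controls).

    A control is 'met' only when every question mapped to it is 'yes'.
    Any 'no' makes it a 'gap' (a documented absence outranks a blank cell);
    otherwise a blank or N/A leaves it 'unanswered'. Controls with no
    questions at all are 'unanswered' so they cannot be silently skipped.
    """
    answers: Dict[str, List[str]] = defaultdict(list)
    unknown: List[str] = []
    for qid, cid, raw in caiq:
        if cid not in controls:
            unknown.append(qid)  # mapping error in the spreadsheet, report it
            continue
        answers[cid].append(normalize_answer(raw))

    status: Dict[str, str] = {}
    for cid in controls:
        got = answers.get(cid, [])
        if "no" in got:
            status[cid] = "gap"
        elif not got or "unanswered" in got:
            status[cid] = "unanswered"
        else:
            status[cid] = "met"
    return status, unknown


def missing_controls(status: Dict[str, str], required: List[str]) -> List[str]:
    """Controls from the customer's required list that are not 'met'."""
    return [cid for cid in required if status.get(cid) != "met"]


def summarize_by_domain(status, controls) -> Dict[str, Dict[str, int]]:
    """Count met / gap / unanswered controls per domain."""
    summary = defaultdict(lambda: {"met": 0, "gap": 0, "unanswered": 0})
    for cid, state in status.items():
        summary[controls[cid][0]][state] += 1
    return dict(summary)


if __name__ == "__main__":
    status, unknown = assess(SAMPLE_CAIQ, CONTROLS)
    for cid, state in status.items():
        domain, title = CONTROLS[cid]
        print(f"{cid:8} {domain:22} {title:28} {state}")
    print("unmapped questions:", unknown)
    # A customer who requires only these three controls still fails the
    # provider, because one is a gap and one is unanswered.
    print("not met:", missing_controls(status, ["X-DG-01", "X-IS-01", "X-IS-02"]))
    print(summarize_by_domain(status, CONTROLS))
```

Two design choices matter here. First, a "no" outranks a blank: if one of several questions under a control is answered "no", the control is a gap even if the others are "yes", because a partial control is not a control. Second, "N/A" and empty cells land in a separate "unanswered" bucket rather than being dropped, so that the follow-up list presented to the provider is explicit and the customer's required-controls check cannot pass on silence.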
Some of the uses of the GRC stack include the following:
Cloud Providers
• Assess your own systems with CAIQ to measure alignment with CCM.
• Implement CloudAudit to automate CCM assertions, enabling third
parties to independently analyze your GRC capabilities against their
needs. This generates significant cost savings in audit response,
shortens customer sales cycles and leads to increased trust in the
provider's solutions.
Enterprise Organizations
• Use CCM to align your information security program with emerging cloud security requirements.
• Use CAIQ and CCM together to assess your cloud providers against industry-supported criteria.
• Use CloudAudit to instrument your own private cloud to simplify IT audits.
Solution Providers
• Integrate the CSA GRC Stack into your own products and services,
including management consoles, reporting systems and system agents, to
provide out-of-the-box compatibility with the leading cloud security
guidance.
Consultants and Independent Auditors
• Integrate the CSA GRC Stack into your own processes and tool sets
to provide cloud assurance services aligned with customer and provider
requirements.
Source:
Cloud Security Alliance GRC Stack
http://www.cloudsecurityalliance.org/grcstack.html
CloudAudit
http://cloudaudit.org/
Cloud Controls Matrix
http://www.cloudsecurityalliance.org/cm.html
Consensus Assessments Initiative
http://www.cloudsecurityalliance.org/cai.html