Cloud Security Alliance (CSA) is a neutral, non-profit, global industry and standards organization dedicated to the full development of international cloud computing security.
CSA Security, Trust, Assurance, and Risk (STAR) is a certification program launched by CSA based on the Open Certification Framework (OCF) and Cloud Controls Matrix (CCM) for global, trusted, and independent assessment of cloud service providers.
CSA STAR certification is a new and targeted international professional certification program, jointly launched by the British Standards Institution (BSI) and CSA to help cloud computing vendors demonstrate the implementation status of their information security and management capabilities, which more effectively increases cloud computing users' confidence in cloud computing services.
CSA STAR certification is an enhanced version of the ISO/IEC 27001 information security management system that incorporates the requirements of the CCM and uses a maturity model and assessment methodology to comprehensively assess an organization's cloud security management and technical capabilities.
National FinTech Evaluation Center (NFEC, also well known as Bank Card Test Center or BCTC) carries out comprehensive evaluations across a total of five dimensions: infrastructure security, operational security, data security, management security and risk, and cloud applications and users. These cover the basic security principles of 17 domains, comprising 197 control objectives, to comprehensively assess the overall security risk of cloud computing services.
The infrastructure security dimension is mainly evaluated through the requirements of 2 control domains: business continuity management and operational resilience, and infrastructure & virtualization security, covering 20 control objectives.
The operational security dimension is assessed through the requirements of the following 3 control domains: 1) supply chain management, transparency, and accountability; 2) governance, risk and compliance; and 3) cryptography, encryption & key management. These requirements cover 43 control objectives.
Cloud Applications and Users
The cloud applications and users dimension is evaluated primarily through the requirements of 4 control domains: identity & access management, interoperability & portability, application & interface security, and universal endpoint management, covering 41 control objectives.
The data security dimension is mainly evaluated through the requirements of 2 control domains: data center security, and data security and privacy lifecycle management, covering 34 control objectives.
Management Security and Risk
The management security and risk dimension is mainly assessed through the requirements of the following 6 control domains: 1. audit & assurance; 2. change control and configuration management; 3. human resources; 4. logging and monitoring; 5. security incident management, e-discovery and cloud forensics; and 6. threat & vulnerability management. These requirements cover 59 control objectives.
1. Promote high-quality development of the cloud computing industry
2. Strengthen the technical foundation of cloud computing development
3. Safeguard the safety and reliability of cloud services procured by customers
4. Help cloud computing service vendors improve their information security protection capabilities
1. Self-assessment: Fill out the Consensus Assessment Initiative Questionnaire (CAIQ)
2. Submit CAIQ: Submit your completed CAIQ to the STAR Registry
3. Implement control measures: Prepare for the ISO/IEC 27001 audit against the Cloud Controls Matrix (CCM), and comply with the CCM controls to earn your CSA STAR certification.
4. Third-party audit: A third party conducts the STAR certification audit
5. Submission of information: Submit the assessment information to CSA
6. Obtain certificate: Obtain the certificate and promote it on the official website