An online bank relying solely on internet banking intends to increase customers’ confidence and plans to engage in security assurance. Which of the following is the least practical approach to assuring customers?
A. Provide the SOC 3 report attested by a certified public accountant (CPA)
B. Present a certificate of information security management system of ISO 27001
C. Conduct and demonstrate self-assessment against the NIST cybersecurity framework
D. Complete the CSA STAR assessment conducted by an independent certification body
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is D. Complete the CSA STAR assessment conducted by an independent certification body.
The bank is not a cloud service provider and primarily provides banking services instead of cloud services, so there is no need to pursue CSA STAR Certification (Level 2), a rigorous third-party independent assessment of the security of a cloud service provider.
However, one could justify the bank’s seeking CSA STAR Certification if it builds a private cloud to serve internal customers. In that case, the answer would be C. Conduct and demonstrate self-assessment against the NIST cybersecurity framework.
- CSA STAR Level 1: Self-assessment
- CSA STAR Level 2: Third-Party Certification
  - CSA STAR Attestation is a collaboration between CSA and the AICPA to provide guidelines for CPAs to conduct SOC 2 engagements using criteria from the AICPA (Trust Service Principles, AT 101) and the CSA Cloud Controls Matrix.
  - The CSA STAR Certification is a rigorous third-party independent assessment of the security of a cloud service provider.
- CSA STAR Level 3: Full Cloud Assurance and Transparency
The Cloud Security Alliance is a non-profit organization whose mission is to “promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”
The CSA’s Security, Trust & Assurance Registry Program (CSA STAR) is designed to help customers assess and select a Cloud Service Provider through a three-step program of self-assessment, third-party audit, and continuous monitoring.
System and Organization Controls (SOC)
According to the AICPA, “System and Organization Controls (SOC) is a suite of service offerings CPAs may provide in connection with system-level controls of a service organization or entity-level controls of other organizations.” (AICPA)
SOC 3 refers to “system and organization controls (SOC) for service organizations: trust services criteria for general use report.” SOC 3 reports are designed to meet the needs of users who need assurance about the controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy, but do not have the need for or the knowledge necessary to make effective use of a SOC 2® Report. Because they are general use reports, SOC 3® reports can be freely distributed. (AICPA: SOC3)
“ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.” (ISO)
Self-assessment and NIST CSF
Self-declaration based on self-assessment may seem silly. However, it is a legitimate means and does provide some, if low, degree of assurance. Moreover, it is a common practice. The NIST Cybersecurity Framework (CSF) is a voluntary framework, initiated by Presidential Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, in February 2013. So far there is no certification program to assess compliance with the NIST CSF, so it is reasonable to use self-assessment and self-declaration.
What is Assurance?
For security engineering, “assurance” is defined as the degree of confidence that the security needs of a system are satisfied. … Confidence is realized by reviewing the assurance evidence gained through assessment processes and activities during development, deployment and operation and through experience gained in using the IT system. Any activities that can reduce uncertainty by producing evidence attesting to the correctness, effectiveness and quality of the IT system’s attributes are useful in determining security assurance.
Source: Haris Hamidovic
The International Federation of Accountants (IFAC) definition of an assurance engagement:
An engagement in which a practitioner aims to obtain sufficient, appropriate evidence in order to express a conclusion designed to enhance the degree of confidence of the intended users other than the responsible party about the subject matter information.
Assurance methods produce specific types of assurance depending on their technical and life-cycle focus. Some of the more widely known assurance methods for a given focus include:
- ISO/IEC 21827—Assurance focus on quality and development process
- Developer’s pedigree—Assurance focus on branding; recognition that a company produces quality deliverables (based on historical relationship or data)
- Warranty—Assurance focus on insurance, supported by a manufacturer’s promise to correct a flaw in a deliverable
- Supplier’s declaration—Assurance focus on self-declaration
- Professional certification and licensing—Assurance focus on personnel expertise and knowledge
- ISO/IEC 14598-1 Information technology—Software product evaluation—Part 1: General overview—Assurance focus on direct assessment of deliverable
- ISO/IEC 27001—Assurance focus on security management
Source: Haris Hamidovic
- CSA STAR Levels
- Security, Trust and Assurance Registry (STAR)
- CSA STAR Certification
- Cloud Security Alliance (CSA) STAR certification
- CSA STAR
- Who Can Perform a SOC 2 Audit?
- Fundamental Concepts of IT Security Assurance
- Learn What Attestation, Assurance and Auditing Means in the CPA Industry
- What Is Assurance & Attestation Part I
- Audit and Assurance
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.
- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get their copy from the author’s web site.