Your company is a cloud service provider. Which of the following provides the highest security assurance to customers? (Wentz QOTD)
A. SOC 2 attestation
B. ISO 27001 certification
C. Security Self-Assessment
D. STAR attestation or certification

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. STAR attestation or certification.

Level 1 of STAR

CSA STAR Self-Assessment, Level 1 of STAR, is a complimentary offering that documents the security controls provided by various cloud computing offerings.

Level 2 of STAR

STAR attestation or certification is the Level 2 of STAR, which requires a CSP to be compliant with SOC2 or ISO 27001, and the CSA Cloud Controls Matrix.

Level 2 of STAR allows organizations to build off of other industry certifications and standards to make them specific for the cloud.

STAR Attestation: For SOC 2

The CSA STAR Attestation is a collaboration between CSA and the AICPA to provide guidelines for CPAs to conduct SOC 2 engagements using criteria from the AICPA (Trust Service Principles, AT 101) and the CSA Cloud Controls Matrix. The STAR Attestation provides for rigorous third party independent assessments of cloud providers. Attestation listings will expire after one year unless updated.

STAR Certification: For ISO/IEC 27001:2013

The CSA STAR Certification is a rigorous third-party independent assessment of the security of a cloud service provider. This technology-neutral certification leverages the requirements of the ISO/IEC 27001:2013 management system standard together with the CSA Cloud Controls Matrix. Certification certificates follow normal ISO/IEC 27001 protocol and expire after three years unless updated.

Source: CSA

Reference

• Security, Trust, Assurance and Risk (STAR)
• Using CSA STAR to Improve Cloud Governance and Compliance

A BLUEPRINT FOR YOUR SUCCESS IN CISSP

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

• It is available on Amazon.
• Readers from countries or regions not supported by Amazon can get your copy from the author’s web site.

您的公司是服務雲提供商(CSP)。 以下哪項能為客戶提供了最高的安全保證(assurance)？ (Wentz QOTD)
A. SOC 2 attestation
B. ISO 27001 certification
C. Security Self-Assessment
D. STAR attestation or certification