By: ROB TYLKA on July 12th, 2016

Game Time: CSA STAR Certification vs. Attestation

Cloud Computing

The CSA Security, Trust and Assurance Registry (STAR) program was designed by the Cloud Security Alliance as a method for providing assurance regarding the security of a cloud service provider (CSP). The program consists of the STAR Certification and the STAR Attestation, both of which use the Cloud Controls Matrix (CCM) as the control framework; however, there are important differences to note between the two. So which is a better fit for your organization? Perhaps the following information will help you decide.

STAR Certification

The STAR Certification is an independent, third-party assessment of the security of a CSP that leverages the requirements of the ISO/IEC 27001:2013 (ISO 27001) management system standard in conjunction with the CCM. In order to achieve the STAR Certification, a CSP must already have an active ISO 27001 certification or have the STAR Certification assessment performed in tandem with an ISO 27001 certification review.

Benefits of the STAR Certification Program

  • Complements ISO 27001 certification
  • Increased market confidence
  • Provides a base maturity level and process improvement opportunities

Challenges of the STAR Certification Program

  • ISO 27001 is a prerequisite
  • Focuses on management principles
  • No external deliverable highlighting the controls in place and their operating effectiveness
  • Scoring is subjective

STAR Attestation

The STAR Attestation is an independent, third-party assessment of the security of a CSP that leverages the requirements of the SOC 2 framework (based on the AICPA Trust Services Principles (TSP)) in conjunction with the CCM. Pursuing the STAR Attestation allows organizations to demonstrate the suitability of the design and the operating effectiveness of their controls over a period of time, rather than as of a point in time. The deliverable is a detailed report that documents the controls in place to meet both the CCM and SOC 2 criteria, allowing the reader to clearly judge whether the level of security in place meets their expectations.

Benefits of the STAR Attestation Program

  • Review of both the design and operating effectiveness of controls
  • Covers a review period of at least six months
  • A stand-alone/detailed report is provided
  • No prerequisites

Challenges of the STAR Attestation Program

  • Full disclosure of testing exceptions/deviations is listed within the report
  • The report is backward-looking by design (i.e., it covers a review period in the past)

In summary, the path that a service organization takes will be highly dependent upon its circumstances (industry-specific requirements, current examinations, customer demand, etc.); however, the information provided above should provide a solid baseline for assessing the differences between the two.

About ROB TYLKA

Robert Tylka is a Manager at Schellman & Company, LLC. Rob has over 13 years of experience in compliance and technology audits and assessments, including Service Organization Controls (SOC) reporting projects, Sarbanes-Oxley 404 compliance reviews and ERP controls evaluations. Rob currently oversees the Chicago market and is dedicated to providing Service Organization Controls (SOC) reporting projects for clients. To date, Robert has provided services to clients in the financial services, governmental, human resources, information technology, insurance, and manufacturing industries, among others. Robert has also provided professional services to companies of all sizes during his career, including Fortune 1000 and publicly traded companies.