CSA Star CCM
The Cloud Security Alliance Cloud Controls Matrix (CCM) is specifically designed to provide fundamental security principles to guide cloud service providers and to assist prospective cloud customers in performing a security risk assessment of a cloud provider.
LoginRadius complies with CSA CCM Level 1 and Level 2.
The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment.
The CSA CCM provides a controls framework that gives a detailed understanding of security concepts and principles aligned to the Cloud Security Alliance guidance in 13 domains. The foundations of the Cloud Security Alliance Controls Matrix rest on its customized relationship to other industry-accepted security standards, regulations, and controls frameworks such as ISO 27001/27002, ISACA COBIT, PCI, NIST, Jericho Forum, and NERC CIP. It will augment, or provide internal control direction for, the service organization control report attestations provided by cloud providers.
As a framework, the CSA CCM provides organizations with the needed structure, detail, and clarity relating to information security tailored to the cloud industry. The CSA CCM strengthens existing information security control environments by emphasizing business information security control requirements; identifies and reduces consistent security threats and vulnerabilities in the cloud; provides standardized security and operational risk management; and seeks to normalize security expectations, cloud taxonomy and terminology, and the security measures implemented in the cloud.
See more about the CCM at https://cloudsecurityalliance.org/research/ccm/.
The CCM is mapped to these regulations:
- AICPA SOC 2 2014 Trust Services Criteria
- Canada PIPEDA (Personal Information Protection Electronic Documents Act)
- COBIT 5.0
- COPPA (Children’s Online Privacy Protection Act)
- CSA Enterprise Architecture
- ENISA (European Network and Information Security Agency) Information Assurance Framework
- European Union Data Protection Directive 95/36/EC
- FERPA (Family Educational Rights and Privacy Act)
- HIPAA/HITECH Act and the Omnibus Rule
- ISO/IEC 27001:2013
- ITAR (International Traffic in Arms Regulation)
- Mexico—Federal Law on the Protection of Personal Data Held by Private Parties
- NIST SP 800-53 Rev 3 Appendix J
- NZISM (New Zealand Information Security Manual)
- ODCA (Open Data Center Alliance) Usage Model PaaS Interoperability Rev. 2.0
- PCI DSS v3
LoginRadius uses the CCM as the central control set for our information security program. These controls are called a “Matrix” because they are mapped to many other compliance program control frameworks.
As indicated, the compliance frameworks discussed in detail in this document, which are of primary focus to LoginRadius, can easily be rationalized as needed in the future because of our use of the CSA CCM. LoginRadius has published our complete responses, based on the CCM controls, in the form of the CSA CAIQ, by officially registering them with the CSA STAR program.