The AICPA recently announced SOC 2+ for CSA STAR Attestation.
The CSA STAR program provides security assurance for cloud services. A STAR certification validates the security posture of a cloud offering.
STAR encompasses the key principles of transparency, rigorous auditing, and harmonization of standards. STAR certification provides multiple benefits, including evidence of best practices and validation of the security posture of cloud offerings.
Under the new AICPA reporting framework, a cloud provider can obtain a Type II SOC 2 attestation report, produced by an examination conducted in accordance with AT section 101 of the AICPA attestation standards. This type of report is intended to meet the needs of users of cloud services. The criteria used for this type of engagement are supplemented by the criteria in the CSA Cloud Controls Matrix (CCM).
Many cloud providers are currently undergoing a SOC 1 examination, which is specifically focused on controls over financial reporting. The services a cloud provider delivers do not have a direct impact on financials or financial reporting. A SOC 2 report, which covers controls specific to the security, availability, processing integrity, confidentiality, and privacy of information processed by the in-scope system, is therefore more suitable for cloud providers.
There may be instances where a cloud provider does affect a customer's financial reporting, especially if the provider has responsibilities for processing customer transactions. In that case, a cloud provider could obtain both a SOC 1 (SSAE-18) and a SOC 2 (AT 101) report to address the needs of its customers.
Additional Criteria based on CSA STAR include:
- Application and Interface Security
- Audit Assurance and Compliance
- Business Continuity Management and Operational Resilience
- Change Control and Configuration Management
- Data Security and Information Life Cycle Management
- Datacenter Security
- Encryption and Key Management
- Governance and Risk Management
- Human Resources
- Identity and Access Management
- Infrastructure and Virtualization Security
- Interoperability and Portability
- Mobile Security
- Security Incident Management, E-Discovery and Cloud Forensics
- Supply Chain Management, Transparency and Accountability
- Threat and Vulnerability Management