What is the Cloud Security Alliance (CSA) and how is it related to the American Institute of Certified Public Accountants (AICPA)? Long story short, these two organizations have no direct connection to one another. Indirectly, both organizations have a responsibility to the public, and that is where their objectives converge. Both organizations run programs that evaluate the internal controls in place at a service organization, and specifically the security of data in the cloud. In this post, we will dive deeper into what the CSA is and how its objectives overlap with those of the AICPA.
What is the Cloud Security Alliance?
The Cloud Security Alliance (CSA) is, “the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment” (source). It is an excellent and well-respected organization that helps cloud providers and users of cloud services have more secure experiences. The CSA was founded in December 2008, and in 2009 it issued its first best practices for cloud computing. Since then, the CSA has continued to grow all over the world and build on its best practices for cloud computing with the help of its members, subject matter experts, and other associations. The CSA offers training, research, events, programs, and program tools to its members and to other external users in search of information regarding cloud security.
What is the CCSK?
The Certificate of Cloud Security Knowledge (CCSK) is a certification offered by the CSA. The CCSK is a computer-based exam that evaluates the candidate’s understanding of security issues and best practices as they relate to cloud computing. According to the CSA, the CCSK is useful to practitioners in the cloud computing and security fields, including IT auditors. The CCSK is also required for portions of the Security Trust Assurance and Risk (STAR) Program. The CCSK covers how users should assess the security of cloud providers using the CSA’s Cloud Controls Matrix (CCM), a cloud-specific governance and compliance tool created by the CSA. According to the CSA, the CCSK can assist users in various areas, whether they are evaluating their own organization, assessing another organization, or deciding which cloud service provider to use.
What is the CSA STAR Program?
STAR stands for Security Trust Assurance and Risk. STAR is a control framework issued by the CSA that covers the security of data in the cloud. It is applicable to cloud service providers, and the CSA maintains a registry that lists the providers that are STAR certified. The STAR registry documents the companies, the levels of the STAR Program they have completed, and the security and privacy controls provided by their cloud computing offerings. The CSA website offers various resources or “tools” for the STAR program, including the Cloud Controls Matrix (CCM), which is the framework used to evaluate security controls specific to the cloud.
The STAR program has different levels that can be achieved by companies, which include the following:
- Level One: Self-Assessment – Consists of an assessment completed and submitted by the organization, covering the security and/or privacy assessments provided by the CSA.
- Level Two: Third-Party Audit – Consists of various security and privacy third-party audits that an organization can choose to undergo based on the regulations and standards it is subject to.
- Level Three: Continuous Auditing – Consists of automating security practices, which increases transparency.
- All Levels: STAR Continuous – Can be obtained by building upon the three levels listed above, in which all levels are performed continuously.
Companies can determine which STAR level is right for them based on the risks present in their environment.
What does the CSA have to do with the AICPA?
The answer is, nothing directly. Indirectly, both organizations have a responsibility to the public, and this is where their objectives converge. As cloud services have grown over the years, user organizations have come to demand that service organizations provide independent representations on the internal controls related to the services they provide to others. This is where the AICPA and SOC reports come into play. These reports are designed to report on the controls within the service organization: ICFR for SOC 1 (formerly SSAE 16) and non-ICFR for SOC 2. They provide a level of assurance that is beneficial both for users of the services and for user auditors.
The CSA STAR Level 2, Third-Party Audit, and specifically STAR Attestation, aligns with a SOC 2 report. CSA STAR Attestation “is a collaboration between CSA and the AICPA to provide guidelines for CPAs to conduct SOC 2 engagements using criteria from the AICPA and the CSA Cloud Controls Matrix” (source).
In practice, this means that if an organization is undergoing a SOC 2, it can typically leverage the controls tested to also obtain STAR Attestation under the STAR Program. For this kind of assessment, the CSA recommends using a CSA STAR Auditor who has experience building on a SOC 2 or other existing auditing standards.
While the CSA and the AICPA are not directly related, they both have programs, SOC 2 and STAR Attestation, that overlap. The CSA helps cloud providers and users of cloud services have more secure experiences. The CSA facilitates training, certificates, and security programs such as the CCSK and the STAR Program. Additionally, the CSA and the AICPA have collaborated on the CSA STAR Attestation, which overlaps with the SOC 2.
With all of the commerce and other types of transactions and information that traverse the Internet, it is useful that there are organizations such as the CSA, the AICPA, and many others that are focused on serving the public’s interests. While nothing will ever give complete assurance as to the internal controls in place at a service organization, SOC audit reports go a long way toward providing a level of assurance that is acceptable to most people and organizations.
Megan Kovash works primarily on SOC audits, with experience in financial audit and internal audit as well. Megan started her career in January 2012 after completing her Master of Accountancy at the University of Denver. She worked in the Risk Assurance group at Ernst & Young, then moved to the Internal Audit Data Analytics group at Charles Schwab. She is now a Partner at Linford & Co., LLP. Megan enjoys working with clients and coworkers to find and implement solutions that better her clients’ businesses.