Question
The elastic and dynamic nature of cloud computing often creates challenges to perform risk and compliance management adequately. One of the reasons for this is that the methods that allowed risk and compliance management for the traditional, on-premise infrastructure do not always translate to the cloud.
The CSA's CCM is a framework for governance, risk management, and security compliance. It helps both cloud vendors and business organizations grow and use their cloud ecosystem securely by having the required controls to meet security and risk management objectives.
In addition to CCM, another powerful tool that CSA provides is the Security, Trust, Assurance, and Risk (STAR) Registry, which comprises a self-assessment, audit, and certification to identify cloud providers who adhere to the CCM framework. The results of the STAR assessment are public and available on CSA's website under two levels:
STAR Level : Organizations submit a self-assessment.
STAR Level : Organizations earn a certification or third-party attestation.
For this assignment, assume you are looking for a cloud provider with the proper security and data privacy level for your organization. Then, use the CSA's STAR Registry to filter the various CSPs and select one to answer the following questions:
Provide an overview of the CSA and its STAR Registry, including its benefits.
Explain what CSA's CCM is, including a brief description of each of its categories.
Introduce the CSP you have selected from the STAR registry. This includes a background on the organization and a summary of the particular product on which STAR is performed.
How well is your CSP prepared to communicate with stakeholders should any problems arise?
What kind of documentation does the CSP have in place around policies and procedures for certain security situations?
How knowledgeable and skilled are the CSP's security staff?
What kind of monitoring and measurement tools are in place?
Does your CSP leverage another cloud provider (i.e., AWS)? If so, for which control domains?
How satisfied are you with the level of notes the CSP provided for the various control domains?
How likely are you to recommend this CSP? Please explain.
Note: The level of detail in the self-assessment may vary between different CSPs. In the case where your selected CSP does not have enough information to answer the questions above, you have the option to choose a different CSP or perform additional research outside of the CSA registry. However, please cite any resources besides the CSA registry.
Resources
CSA's STAR Registry