Develop and implement an Information Security Program, which includes programs for all the relevant domains of the CCM.
The program should identify and assign roles, responsibilities, and management commitment. The CCM domains to address within the information security governance program include, but are not limited to:
- Audit and assurance
- Application and interface security
- Business continuity management and operational resilience
- Change control and configuration management
- Cryptography, encryption, and key management
- Datacenter security
- Data security and privacy lifecycle management
- Governance, risk management, and compliance
- Human resources
- Identity and access management
- Interoperability and portability
- Infrastructure and virtualization security
- Logging and monitoring
- Security incident management, e-discovery, and cloud forensics
- Supply chain management, transparency, and accountability
- Threat and vulnerability management
- Universal endpoint management
Management should promote coordination among organizational entities responsible for the different aspects of cloud security and privacy risks. Review the program as required to address threat landscape changes and substantial organization changes.
- Examine the policy and/or procedures related to the Information Security Program to determine whether the organization has developed and implemented a comprehensive strategy to manage Information Security across the organization.
- Review the details of the information security program and establish whether it covers the relevant CCMv4 domains.
- Confirm that identified gaps/issues are being tracked, monitored, and remediated with appropriate escalation where required.
Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.