STA: Supply Chain Management, Transparency, and Accountability

Controls

STA-01: SSRM Policy and Procedures

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the application of the Shared Security Responsibility Model (SSRM) within the organization. Review and update the policies and procedures at least annually.

STA-02: SSRM Supply Chain

Apply, document, implement and manage the SSRM throughout the supply chain for the cloud service offering.

STA-03: SSRM Guidance

Provide SSRM Guidance to the CSC detailing information about the SSRM applicability throughout the supply chain.

STA-04: SSRM Control Ownership

Delineate the shared ownership and applicability of all CSA CCM controls according to the SSRM for the cloud service offering.

STA-09: Primary Service and Contractual Agreement

Service agreements between CSPs and CSCs (tenants) must incorporate at least the following mutually agreed-upon provisions and/or terms:

Scope, characteristics and location of the business relationship and services offered
Information security requirements (including SSRM)
Change management process
Logging and monitoring capability
Incident management and communication procedures
Right to audit and third-party assessment
Service termination
Interoperability…

STA-11: Internal Compliance Testing

Define and implement a process for conducting internal assessments to confirm conformance and effectiveness of standards, policies, procedures, and service level agreement activities at least annually.

STA-12: Supply Chain Service Agreement Compliance

Implement policies requiring all CSPs throughout the supply chain to comply with information security, confidentiality, access control, privacy, audit, personnel policy and service level requirements and standards.