STA-04: SSRM Control Ownership

CSF v1.1 References:

Control is new to this version of the control set.

Control Statement

Delineate the shared ownership and applicability of all CSA CCM controls according to the SSRM for the cloud service offering.

Implementation Guidance

Cloud service implementations involve an SSRM between the CSP and the CSC, which varies from service to service depending on the cloud service model and the specific implementation. Accordingly, CSPs should provide comprehensive SSRM guidance to facilitate secure CSC service implementations. Any CSP control responses should identify control applicability and ownership for their specific service.

  1. Cloud service provider-owned: CSP is fully responsible.
  2. Cloud service customer-owned: CSC is fully responsible.
  3. Third-party outsourced: The CSP has fully outsourced this control to a third party (e.g., a supporting CSP), but the CSP is fully accountable to the CSC for the third party's performance from a supply chain perspective.
  4. Shared CSP and CSC: Both the CSP and CSC have responsibilities (independent or dependent). If the CSP has partially outsourced control to a third party, that should be noted in the CSP implementation description.
  5. Shared CSP and third party: The CSP has partially outsourced control to a third party (e.g., a supporting CSP). Hence, the CSP and the third party have responsibilities—but the CSC has no responsibilities. The CSP is fully accountable to the CSC for the third party's performance from a supply-chain perspective.
  6. N/A: Not applicable to this specific cloud service offering (no SSRM responsibilities).

Cloud service providers should also describe the following for each control (as appropriate) for their service and the specific ownership classification:

  1. Cloud service provider implementation description: How the CSP meets (or doesn't meet) the controls they are responsible for, wholly or partially. This should explain why N/A controls are not applicable for the specific service and describe the extent to which responsibility for particular controls is outsourced to third parties.
  2. Cloud service customer responsibilities: A detailed description of CSC security responsibilities for the controls the customer is responsible for, wholly or partially, with references and external links (as appropriate).

The CSA's Consensus Assessments Initiative Questionnaire (CAIQ) should be used by CSPs to provide SSRM ownership and guidance to current and prospective CSCs. In cases where the CAIQ has multiple questions associated with a single control, CSPs should delineate SSRM ownership and describe how they meet their control requirements at the question level, aligned with the scope of the CSP CAIQ answer.
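As an added example (not part of the CCM or of any CSA tooling), the following Python check encodes the six ownership classes and the description requirements above so that a CSP can validate its control responses for internal consistency before publishing them in a CAIQ. The class names are shortened forms of the labels above, the sample responses are constructed, and the control ids other than STA-04 are placeholders rather than real CCM controls.

```python
from dataclasses import dataclass

# The six SSRM ownership classes listed in the implementation guidance.
OWNERSHIP = {"CSP-owned", "CSC-owned", "Third-party outsourced",
             "Shared CSP and CSC", "Shared CSP and third party", "N/A"}
CSC_HAS_ROLE = {"CSC-owned", "Shared CSP and CSC"}
THIRD_PARTY_INVOLVED = {"Third-party outsourced", "Shared CSP and third party"}

@dataclass
class ControlResponse:
    control_id: str                 # CCM control id, e.g. "STA-04"
    ownership: str                  # one of OWNERSHIP
    csp_implementation: str = ""    # CSP implementation description (or N/A rationale)
    csc_responsibilities: str = ""  # CSC responsibilities, with references
    third_party: str = ""           # supporting CSP the control is (partly) outsourced to

def check_response(r: ControlResponse) -> list[str]:
    """Return findings for one control response; an empty list means it is consistent."""
    if r.ownership not in OWNERSHIP:
        return [f"{r.control_id}: unknown ownership class '{r.ownership}'"]
    findings = []
    impl, csc = r.csp_implementation.strip(), r.csc_responsibilities.strip()
    # CSC responsibilities must be described exactly when the CSC has a role.
    if r.ownership in CSC_HAS_ROLE and not csc:
        findings.append(f"{r.control_id}: CSC shares responsibility but none is described")
    if r.ownership not in CSC_HAS_ROLE and csc:
        findings.append(f"{r.control_id}: CSC responsibilities given but CSC has no role")
    # Every response needs an implementation description; for N/A it is the rationale.
    if not impl:
        what = "rationale for N/A" if r.ownership == "N/A" else "CSP implementation description"
        findings.append(f"{r.control_id}: missing {what}")
    # Outsourced and shared-with-third-party classes must name the accountable third party.
    if r.ownership in THIRD_PARTY_INVOLVED and not r.third_party:
        findings.append(f"{r.control_id}: ownership involves a third party but none is named")
    # Partial outsourcing under 'Shared CSP and CSC' must be noted in the description.
    if r.ownership == "Shared CSP and CSC" and r.third_party and r.third_party not in impl:
        findings.append(f"{r.control_id}: partial outsourcing to {r.third_party} not noted")
    return findings

def check_all(responses: list[ControlResponse]) -> dict[str, list[str]]:
    """Map control id -> findings, listing only responses that have findings."""
    return {r.control_id: f for r in responses if (f := check_response(r))}

# Constructed sample responses; ids other than STA-04 are placeholders, not real CCM controls.
SAMPLE = [
    ControlResponse("STA-04", "CSP-owned", "Ownership per control is published in our CAIQ."),
    ControlResponse("EXM-01", "Shared CSP and CSC", "KMS run by CSP.", "CSC sets key rotation."),
    ControlResponse("EXM-02", "Third-party outsourced", "Physical security via colocation provider."),
    ControlResponse("EXM-03", "N/A", "", "CSC must still review this."),
]
```

Running `check_all(SAMPLE)` flags EXM-02 (no third party named) and EXM-03 (no N/A rationale, and CSC responsibilities listed for a class in which the CSC has no role), while STA-04 and EXM-01 pass.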

Auditing Guidance

  1. Examine the policy for assessing, demarcating, and documenting the interfaces at the edges of the organization’s responsibility.
  2. Determine whether the delineation has been done and is current.
  3. Examine the process for communicating the security responsibility boundaries to third parties.

[Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.