STA-06: SSRM Control Implementation

CSF v1.1 References:

PF v1.0 References:

Control is new to this version of the control set.

Control Statement

Implement, operate, and audit or assess the portions of the SSRM which the organization is responsible for.

Implementation Guidance

Both the CSP and CSC should implement the finalized SSRM and then thoroughly document and test it to validate proper operation of security control implementations—including integration testing where there are interdependencies. Once implemented, both the CSP and CSC should operate, monitor and audit, and/or assess their service performance according to the finalized SSRM and remain engaged with their supply chain and customers to understand, implement and manage SSRM changes over time. Particular areas that require proactive supply chain SSRM engagement with corresponding levels of (secure) transparency include:

  1. Incident and vulnerability management
  2. Change and configuration management
  3. Periodic SSRM-aligned audit reviews and security assessments with appropriate risk management

Auditing Guidance

  1. Examine the policy related to addressing security in third-party agreements and determine if organizations employ formal contracts.
  2. Determine if written procedures exist for addressing security in third-party agreements and whether or not the procedure(s) address(es) each element of the policy/control requirement(s) stipulated in the policy level.
  3. Examine relevant documentation, observe relevant processes, and/or interview the control owner(s), and/or relevant stakeholders, as needed, for addressing security in third-party agreements and determine if the policy/control requirements stipulated in the policy level have been implemented.
  4. Examine measure(s) that evaluate(s) the organization's compliance with the third-party management policy and determine if the measure(s) address(es) implementation of the policy/control requirement(s) as stipulated in the policy level.

[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.