C-STAR
About
The CSA C-STAR Assessment is part of the OCF Level 2 scheme and is mainly used in the Greater China region. C-STAR is a rigorous, independent third-party assessment of the security management of a cloud service provider. The technology-neutral assessment leverages the requirements of the GB/T 22080-2008 management system standard together with the CSA Cloud Controls Matrix, a specified set of criteria that measures the capability levels of the cloud service, plus 29 related controls selected from China’s national standards GB/T 22239-2008 (Information security technology — Baseline for classified protection of information system) and GB/Z 28828-2012 (Information security technology – Guideline for personal information protection within information system for public and commercial services).
Organizations that outsource services to cloud service providers have a number of concerns about the security of their data and information. By passing the C-STAR Assessment, cloud providers, regardless of the size of their operation, will be able to give prospective customers a greater understanding of their security management status.
The C-STAR Assessment is based on GB/T 22080-2008 and the specified set of criteria outlined in the Cloud Controls Matrix, plus related requirements of GB/T 22239-2008 and GB/Z 28828-2012. The independent assessment by an accredited CSA certification body, such as CEPREI Certification Body (http://www.ceprei.org/), will assign a ‘Management Capability’ score to each of the CCM security domains (including requirements selected from GB/T 22239-2008 and GB/Z 28828-2012). Each domain will be scored on a specific maturity and will be measured against the assessors’ grid.
The assessment report will show organizations how mature their processes are and what areas they need to consider improving on to reach an optimum level of maturity. Certified organizations will be listed on the CSA STAR Registry as “C-STAR Assessed”.
C-STAR Assessment enables effective comparison across other organizations in an applicable sector, and it is focused on strategic and operational business benefits as well as effective partner relationships. It enables the assessor to assess a company’s performance in long-term sustainability and risk management, in addition to ensuring that the company is SLA-driven, allowing senior management to quantify and measure improvement year on year. To be consistent with China’s national requirements, the C-STAR Assessment scheme is designed to comply with:
Strategic Benefits
A 360º enhanced assessment giving senior management full visibility to evaluate the effectiveness of both their management system and the roles and responsibilities of personnel within the organization.
Operational Benefits
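Introduction to the C-STAR Assessment
The CSA C-STAR Assessment is part of the Level 2 scheme under the OCF framework and is mainly used in the Greater China region. C-STAR is a rigorous, independent third-party assessment of a cloud service provider's security management. The assessment mainly draws on the requirements of the GB/T 22080-2008 management system standard and the CSA Cloud Controls Matrix, together with 29 related controls selected from China's national standards GB/T 22239-2008 (Information security technology — Baseline for classified protection of information system) and GB/Z 28828-2012 (Information security technology — Guideline for personal information protection within information system for public and commercial services).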
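Organizations that outsource business to cloud services often have many concerns about the security of their data and information. By passing the C-STAR Assessment, cloud service providers of any size will be better able to show prospective customers their security management status.
The C-STAR Assessment is based on GB/T 22080-2008 and the controls in the Cloud Controls Matrix, plus some related requirements from GB/T 22239-2008 and GB/Z 28828-2012. The assessment is carried out by a CSA-recognized assessment body (such as CEPREI Certification Body), which evaluates each CCM security domain (including the 29 requirements selected from GB/T 22239-2008 and GB/Z 28828-2012) against the assessment findings and assigns it a "Management Capability" maturity score. The assessment report shows the maturity of the organization's cloud security management and the control domains it needs to consider improving in order to reach optimum maturity. Certified organizations are listed on the CSA STAR Registry as "C-STAR Assessed". C-STAR Assessment results can be used for comparison with other organizations in the relevant sector, and they support the evaluation of strategy, business operations and partner relationships. The C-STAR assessor's evaluation considers the long-term sustainability of the organization's cloud security management and its risk management performance, and ensures that the organization uses SLAs as the driver for improvement, so that senior management can quantify and measure improvement year on year. To be consistent with China's national requirements, the C-STAR Assessment scheme meets the following requirements: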
Strategic Benefits
Operational Benefits
CSA Corporate Members Providing
C-STAR Assessment Service
The following CSA corporate members have qualified employees to carry out C-STAR assessments.
Certified Auditors |
Contact Information |
CEPREI HQ
No.110 Dongguan Zhuang RD. Guangzhou, P.R.China
Telephone: +86-20-87236606
[email protected]
As a leading management system certification body in China and the first Executive Member of CSA in Asia, CEPREI Certification Body provides information security related professional services such as ISO20000 & ISO27001 certification, risk assessment, IT governance, Business Continuity Management etc. Also, the newly launched C-STAR assessment scheme is provided to help our clients fully understand the cloud security issues they’re facing and how to put the appropriate controls in place.
CEPREI Certification Body, with its unique legal status, is a registrar authorized and accredited by national departments and/or accreditation bodies at home and abroad to conduct third-party certification. It grew out of the Inspection Division of China Electronic Product Reliability and Environmental Research Institute (the Fifth Electronic Institute), established in 1956, which is the first scientific research organization at national level engaged in product quality and reliability research in China.
As early as 1979, CEPREI Certification Body introduced the concept of certification into China. Ever since then CEPREI has issued more than ten thousand certificates of various types to its clients. It has set foot in all administrative regions in mainland China and in other countries and regions including Hong Kong Special Administrative Region, Taiwan, USA, Germany, Holland, Denmark, Australia, Japan, Korea, Malaysia, Thailand and Singapore.
As one of the most authoritative accreditation bodies in the world, the American National Standards Institute-Registrar Accreditation Board (ANAB) has authorized CEPREI Certification Body to issue ISO9000, ISO14000 and ISO27001 certificates with the ANAB logo since 2001. The certificate will be helpful for your products and services in improving reputation and enhancing competitiveness at home and abroad. |
Assessment
Registration Pricing
CSA will apply a 20% price reduction for CSA Corporate Members.
Explanation
The revenues from the assessments go to the Cloud Security Alliance, which is the governing body of the Open Certification Framework and the Level 2 STAR Program.
The Cloud Security Alliance is a not-for-profit organization that covers its costs through memberships, sponsorships and royalties generated by third-party commercial exploitation of CSA’s intellectual property and brand. Through the C-STAR Assessment fee, the Cloud Security Alliance will:
Have questions?
Please direct them to [email protected]