SAN FRANCISCO, CA — (Marketwire) — 02/25/13 — The today released a position paper on the reporting framework, as a means of educating its members and providing guidance on selecting the most appropriate reporting option. The position paper is the latest step in CSA's previously announced and STAR Attestation initiatives.
The AICPA's reporting framework, known as , consists of three major document types. The first — the SOC 1(SM) report — deals with controls over financial reporting. The SOC 2(SM) report focuses on controls that bear on a service provider's security, processing integrity and operating availability, as well as the confidentiality and privacy of data moving through its systems. A third report, SOC 3(SM), is a compressed version of the SOC 2(SM) and is designed for public distribution.
In the position paper, the CSA highlights that for most cloud providers, the combination of leveraging the criteria in the with a SOC 2(SM) report is likely to meet the assurance and reporting needs of the majority of users of cloud services. The paper offers guidance to members on when a SOC 1(SM) report is necessary, when a SOC 2(SM) report is called for, and when both engagement types may be required.
“Technology-related compliance and operating integrity audits are becoming increasingly important as businesses now routinely adopt cloud-based services,” said Jim Reavis, executive director of the CSA. “The Cloud Controls Matrix is designed to be used in conjunction with existing standards, and this is one such example where the combination provides a comprehensive view that should suit most users' reporting needs.”
“We're delighted that the CSA recognizes our reporting framework as a mechanism to meet this critical reporting challenge, and complement the security principles in its Cloud Controls Matrix,” said , CPA, CGMA, senior vice president for public practice and global alliances at the AICPA.
Reavis continued, “The CSA Security Trust & Assurance Registry (STAR) serves as the standard for demonstrating transparent alignment with CSA security best practices, and this paper is a major step forward in leveraging AICPA's popular reporting framework to consolidate attestation requirements and layer third party trust on top of CSA STAR.”
The full position paper can be found at
The Cloud Security Alliance (CSA) is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing. The Cloud Security Alliance is led by a broad coalition of industry practitioners, corporations, associations and other key stakeholders.
Kari Walker
ZAG Communications for the CSA