
CCSK Exam - Question 91


CCM: A company wants to use the IaaS offering of some CSP. Which of the following options for using CCM is NOT suitable for the company as a cloud customer?

Correct Answer: AD

Submitting the CCM on behalf of the CSP to the CSA Security, Trust & Assurance Registry (STAR) is not suitable for the company as a cloud customer. The CSA STAR registry is intended for cloud service providers (CSPs) to document and demonstrate their security controls and practices to customers and the public. It is not the responsibility or role of the cloud customer to submit this information on behalf of the CSP. Instead, the CSP is responsible for accurately and appropriately submitting their own security controls and documentation to the registry.

Discussion

4 comments
MassoudAbedian (Option: A)
Nov 2, 2022

I don't believe a customer can submit the CCM on behalf of the CSP to CSA Security. As a result, I marked A for answer.

moota (Option: A)
Mar 19, 2023

In https://cloudsecurityalliance.org/star/, you can ask your CSP to submit to the registry.

Brainiac (Option: A)
May 28, 2023

The option that is NOT suitable for the company as a cloud customer when using the Cloud Controls Matrix (CCM) is: A. Submit the CCM on behalf of the CSP to CSA Security, Trust & Assurance Registry (STAR), a free, publicly accessible registry that documents the security controls provided by CSPs. Submitting the CCM on behalf of the cloud service provider (CSP) to CSA STAR is not a suitable option for the company as a cloud customer. The CSA STAR registry is intended for CSPs to document and demonstrate their security controls and practices to customers and the public. It is not meant for cloud customers to submit the CCM on behalf of their CSP.

byfener (Option: A)
Aug 9, 2023

This option is NOT suitable for the company as a cloud customer. The Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) is a framework that provides a structured set of controls that can be used by customers to assess the security posture of their cloud providers. It's designed for customers to use when evaluating potential cloud service providers (CSPs) and their offerings. Submitting the CCM on behalf of the CSP to the CSA STAR registry would involve the cloud customer submitting information about the CSP's security controls and practices. However, the CCM is typically intended for customers to evaluate the CSP's security, rather than for the CSP to submit their own information. The responsibility for submitting accurate and up-to-date security information to the STAR registry lies with the CSP themselves. Therefore, option A is not suitable as a use of CCM by the company as a cloud customer.