How to Submit Level 1 Self-Assessment Submissions to the STAR Registry
These are the detailed instructions on how to submit your Level 1 Self-Assessment to the STAR Registry. This guide is intended for STAR Registry users who are submitting their Self-Assessment information on behalf of their Organization.
In this document we will give you the following information:
- Preparation for submitting the Level 1 Self-Assessment
- Instructions for submitting the Level 1 Self-Assessment
- Troubleshooting tips
A simplified version of this document can be found here.
For instructions on how to submit a STAR Level 2 Certification or Attestation, please see this page.
The Self-Assessment process must be completed by the organization being assessed and not the Auditor firm.
Preparing information to use to complete your Level 1 Self-Assessment
Step 1. Create an account on the STAR submission system. It is recommended that you use the social account options (Google, Microsoft, or LinkedIn) to complete the sign-up process, but you can use an email and password. If you sign up with an email address and password, you must confirm the email address by email before you can sign in to the registry.
Be sure to use your work email, as submissions will only be accepted from users with emails that align with the Organization's domain.
Step 2. Find the confirmation email (for the email and password sign-in option).
If you use the email and password sign-in option, a confirmation notice will come from the email support@auth0.cloudsecurityalliance.org. Check your email for the confirmation notice, and follow the link to confirm your submission. If your confirmation email doesn’t arrive within 30 minutes and you are unable to find it in your spam folder, then reach out to us at support@cloudsecurityalliance.org (or click the Support button at the bottom right of this page), and our support team will assist you with the confirmation step.
If you used the social login option, then confirmation of the account is not required.
Step 3. You will want to ensure that you have the correct information collected before you start the submission process. The following fields are required when using the STAR Submission form to submit your Level 1 Self-Assessment to the STAR Registry:
- Backup PoC (Someone inside the organization who can serve as backup PoC)
- Backup PoC Email
- Region (North America, Central/South America, EMEA, or APAC)
It is ideal, but not required, to prepare the Self-Assessment information by completing a downloadable version of the primary document, the CAIQ 4.0.2, which can be downloaded here. The Self-Assessment CAIQ Lite document version is another option. (The CAIQ Lite can be downloaded here.)
In addition to this, you will need to know the following:
- the name of your Organization and Cloud Service that is to be listed on your STAR Registry listing,
- the URL of the Organization and Cloud Service,
- and the Description of the Organization and Cloud Service.
Note: The Cloud Service is the endpoint used by your users who will access your services and is not meant to represent the service you use to host your Cloud Service. (This isn’t meant to be AWS, Google, Azure or other CSP.)
Pro Tip: To determine whether you have an existing service on the STAR Registry, look up your listing there to see the Organization and Cloud Service. This can help you determine the correct information to list in the following steps. However, if you have had an unsuccessful or expired listing, the Organization and Cloud Service may already be available to select on the confirmation step (below) but not yet visible in the registry. Please visit our STAR Registry to check your listing, and review the drop-down lists carefully when selecting your Organization and Cloud Service to avoid creating a duplicate listing.
Step 1. Fill out the CAIQ Document
Note: There are two methods to start your Self-Assessment process. You can fill in the Self-Assessment using the Manage Assessments function or you can complete the CAIQ document and use the Import function to complete the submission.
You can also import a partly completed CAIQ document to the platform and complete the process using the Manage Assessments option.
It is recommended to have a CAIQ Spreadsheet filled in no matter which method you choose to submit your Self-Assessment.
Please be aware that you cannot use this method to upload your CAIQ-Lite. The CAIQ Lite must be uploaded using the Submission form here.
While you can fill out the Assessment without completing the CAIQ first, having a completed CAIQ allows you to share the responses with the various teams involved in your security control settings. This ensures a smooth entry process and avoids extra work gathering the needed information in the middle of completing the assessment.
Download your CAIQ 4.0.2 document here.
The CAIQ Lite can be downloaded here.
Instructions for Submitting the Level 1 Self-Assessment Using the Manage Assessment Functionality
- From your Home Workspace, click on Manage Assessments.
- Click Create.
- Enter a unique name for this Self-Assessment and select the CAIQ Version.
- Click Create.
- Fill in all of the questions in the Manage Assessment section carefully and ensure that you have completed explanations of the “Not Applicable” responses before you proceed.
You can only submit your Assessment after all of the questions have been completed.
Instructions for Submitting the Level 1 Self-Assessment Using the Import Assessment Functionality
The CAIQ document can be imported into the STAR system regardless of the response state of the answers, but you cannot change the formatting or order of the assessment spreadsheet or it will be rejected by our automated system and become un-submittable. Only select from the available options on columns C and D, and if needed, fill in columns E and F.
- From your Home Workspace, click on Manage Assessments.
- Click Import.
- Fill in a unique Service Name that will identify this Assessment.
- Select the CAIQ version.
- Attach the CAIQ using the Choose File button.
- Click Import.
Submit your responses
After you have prepared your Self-Assessment responses, you will be presented with a “Submit” button at the top of your Assessment. This will allow you to submit your Assessment to our STAR system.
You will be prompted to enter a Backup PoC, Backup PoC Email, and Region.
This step will be followed with the selection or creation of your Organization and Cloud Service to be attached to your submission. This is required before your submission will be reviewed and published by our STAR Team.
Keep in mind that while the submission will be linked to the Registry Entry that is created for the Organization and Cloud Service, the Self-Assessment in your Workspace is not. This allows you to submit the same Self-Assessment for multiple Cloud Services within your Organization and to edit and resubmit the Self-Assessment when any updates are needed.
Each time you submit your Self-Assessment, you will need to complete the following steps of selecting the Organization and Cloud Service.
Step 2. Select your Organization
On the first confirmation page you should find your existing Organization listed on the Dropdown menu of available organizations. If this is the first time submitting this Organization, then it won’t be listed in the dropdown menu. In that case, you can create it with the “Create New Organization” button.
If your organization already exists in the registry, you will select it from the dropdown menu. Otherwise, you will click the orange “Create New Organization” button.
Pro Tip: You will want to make sure to check for your Organization carefully from the dropdown list so that you don’t duplicate your listing. New organizations will be listed exactly as they are submitted by you here, so be careful to select your existing Organization from the menu so as not to duplicate your listing by adding a new one with a different spelling or format. If you need to make changes to your organization information, contact support@cloudsecurityalliance.org.
Step 3. Select your Cloud Service
After you have created or selected your Organization, you will be presented with another page to select or create your Cloud Service. Your Cloud Service listing should appear exactly as your user-accessible Cloud Service is presented to the consumers of your service. The listing here should be selected from the dropdown menu. If your cloud service doesn’t exist in the STAR Registry yet, click the Create New Cloud Service button to add your Cloud Service information. This should be your cloud service and not the service provider that you use to host your service.
Pro Tip: You will want to make sure to check for your Cloud Service carefully from the dropdown list so that you don’t duplicate your listing. New Cloud Services will be listed exactly as they are submitted by you here, so be careful to select your existing Cloud Service from the menu so as not to duplicate your listing by adding a new one with a different spelling or formatting. If you need to make changes to your Cloud Service information, contact support@cloudsecurityalliance.org.
Step 4. Wait for your Listing to be posted to the STAR Registry
Your STAR Registry entry will often be posted within one business day; however, in some cases, it can take up to 5 business days for our team to manually review a listing and get it posted for you. If you have any questions about this process, please feel free to contact us through the support link or send an email to support@cloudsecurityalliance.org for more information.
About your CAIQ Self-Assessment Document:
A CAIQ is the questionnaire associated with the Cloud Controls Matrix (CCM). The CAIQ provides a set of questions to determine if the CCM controls have been implemented. You can find out more about the CCM here.
Troubleshooting tips for submitting your Level 1 Self-Assessment when using the Import method and manually filling out the CAIQ:
If your Level 1 Self-Assessment is rejected for any reason related to the formatting of the CAIQ, you can use this list to troubleshoot the problem.
- All CAIQ documents must be submitted in the original format that Cloud Security Alliance provides.
- CCM self-assessments will not be accepted.
- Do not add or remove any columns or rows. Do not rename tabs or change the arrangement of any elements.
- The primary document must be submitted with the .xlsx extension.
- The only changes allowed are to select from the existing drop-down items on columns C & D and fill in columns E & F.
- Fill in the items in columns E and F if the entry in column C was marked “No” or “Not Applicable”.
- If you would like to submit an assessment in a modified PDF format, you may do so as a supporting document in addition to the required XLSX primary document.
- Only the CAIQ is accepted as a primary document for the Level 1 Self-Assessment submissions.
- Note: The information reported in your CAIQ must be truthful and not misleading.
Information About STAR Registry Submissions:
Create/Select Organization: You will notice a drop-down menu from which you can select your organization. If you have never submitted to our registry before, it is likely that your organization will not be listed on the drop-down. Select the option to create a new organization.
Please completely fill out the organization form. The description should be a brief summary of your organization itself. For example:
“The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, certification, events, and products.”
Service Selection: Once you have created and/or selected your organization, you will be redirected to a cloud service selection form. Please completely fill out the cloud service form. The name can be the same as your company, but if you have a specific name for the Cloud Service, we recommend using this instead. The description should be a brief summary of the cloud service itself. For example, for CSA’s STARWatch:
“Cloud Security Alliance STARWatch is a Software as a Service (SaaS) application to help organizations manage compliance with CSA STAR (Security, Trust and Assurance Registry) requirements. STARWatch delivers the content of the Cloud Controls Matrix (CCM) and Consensus Assessments Initiative Questionnaire (CAIQ) in a database format, enabling users to manage compliance of cloud services with CSA practices.”
Organization Confirmation: You must complete all of these steps in order to submit your entry. Since this is your first submission to our registry, you will be automatically added to your Organization’s employment record, allowing you to submit for your Organization.
Continuous Self-Assessment
Please see the instructions for a Level 1 Submission: CAIQ Self-Assessment. The process is identical but should be repeated monthly rather than annually.