STAR Submission Guide Level 1 – CloudSecurityAlliance

Level 1 Submissions: Self-Assessments

Submission Form

All STAR submissions, including CAIQ forms, Certifications, Attestations and others are submitted through our STAR Intake form here.

Please fill out each section to completion

Name and Email: We require that you use your name and your company email for these fields in order to keep the submissions for your organization secure. The email needs to be legitimate. Please note that the domain of your personal account and the company you are submitting for have to match. For further information please see section: First STAR Registry Submission.

Type of Registry Entry: Select the type of submission you are making (i.e. Level 1: STAR Self-Assessment, STAR Continuous Self-Assessment, GDPR CoC Self-Assessment).

Specification: Select the specification for your type of registry entry. For example, is your self-assessment a CAIQ self-assessment? Or is it a CoC for GDPR self-assessment?

DOCUMENT UPLOAD SPECIFICATIONS:

CAIQ Questionnaire Self-Assessment:

CAIQ is the questionnaire associated with the Cloud Control Matrix. The CAIQ provides a set of questions to determine if the CCM controls have been implemented.

All self-assessments must be submitted in the original format that Cloud Security Alliance provides. CCM self-assessments will not be accepted. Do not add or remove any columns or rows. The primary document must be submitted with the .xlsx extension. If you would like to submit an assessment in a modified PDF format, you may do so as a supporting document in addition to the required XLSX primary document.

Note: The information reported self-assessment must be truthful and not misleading.

CoC for GDPR Self-Assessments:

The primary document must be the CSA PLA Code of Practice Template Annex 1. The supporting document must be the CSA PLA Code of Conduct (CoC): Statement of Adherence Self-Assessment. More information about CoC for GDPR can be found here: https://gdpr.cloudsecurityalliance.org/.

To ensure completeness of critical sections of the CoC and to facilitate the approval process, please make sure you have read through Part 2 of the CoC and the Q&A document, and ensure that your answers meet the recommendations made within. It is important that you not only call out that you comply with that section of the CoC and reference a standard, certification, or procedure, but that you also provide objective evidence. In particular when addressing the security requirements (Data Security Measures) it is important that sophistication levels are declared, and that the submitter explains – if only at a high level – the measures the organization has put in place to meet the sophistication level they have identified, covering the points listed in the corresponding tables within the ENISA Technical Guidelines.

First STAR Registry Submission:

Email Validation: Once you have submitted the primary submission form, you will receive an email to confirm your email address. By confirming your email, you agree to the creation of a STAR user account with the name and email provided. Once confirmed, you will be redirected to an organization selection form. If you choose to reject this email, your entry will not be submitted, and the account will not be created.

Create/Select Organization: You will notice a drop-down menu from which you can select your organization. Since you have never submitted to our registry before, it is likely that your organization will not be listed on the drop-down. Select the option to create a new organization.

Please completely fill the organization form. The description should be a brief summary of your organization itself (max 300 characters). For example:

“The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, certification, events and products.”

Service Selection: Once you have created and/or selected your organization, you will be redirected to a cloud service selection form. Please completely fill the cloud service form. The name can be the same as your company, but if you have a specific name for the service, we recommend using this instead. The description should be a brief summary of the cloud service itself. For example, for CSA’s STARWatch:

“Cloud Security Alliance STARWatch is a Software as a Service (SaaS) application to help organizations manage compliance with CSA STAR (Security, Trust and Assurance Registry) requirements. STARWatch delivers the content of the Cloud Controls Matrix (CCM) and Consensus Assessments Initiative Questionnaire (CAIQ) in a database format, enabling users to manage compliance of cloud services with CSA practices.”

Organization Confirmation: You must complete all of these steps in order to submit your entry. Since this is your first submission to our registry, you will be automatically added to your organization’s employment record, and your entry will continue through to CSA confirmation.

CSA Confirmation: Once all of these steps have been completed, your submission will be sent to the CSA STAR team for review. The STAR team will ensure that you have submitted using a valid name and company email, your submission has adequate descriptions of your organization and cloud service, and that your self-assessment document complies with the outlined standards. If there are any issues with your submission, you will receive an email from a member of the STAR team with requested changes. Once the team has received your submission, your entry will typically be reviewed and posted within five business days, barring any errors with the submission.

CoC for GDPR Review: If your submission is a CoC for GDPR self-assessment, the posting of these documents will take longer than five business days. You must complete payment upon submission. Once payment has been received, these assessments will be passed on to our review team. You will be contacted with requested changes once the review has been completed.

Update Existing Entry:

Email Validation: Once you have submitted the primary submission form, you will receive an email to confirm your email address. By confirming your email, you agree to the creation of a STAR user account with the name and email provided. If you already have an account under the provided name and email, your preexisting account will be associated with your submission. Once confirmed, you will be redirected to an organization selection form. If you choose to reject this email, your entry will not be submitted, and the account will not be created.

Create/Select Organization: If you are updating a preexisting entry, you will be able to select your organization from the drop-down menu. You will not have the option to update your organization description through the submission process at this time. If you would like to update your organization information, please send an email to star-support@cloudsecurityalliance.org with your requested changes.

Service Selection: Once you have selected your organization, you will be redirected to a cloud service selection form. If you are updating a cloud service that is already listed on the registry, you can select it from the drop-down menu. Please note this means you are submitting a self-assessment that, once approved by CSA, will replace and delete the self-assessment currently displayed. You will not have the option to update your cloud service description through the submission process at this time. If you would like to update your cloud service information, please send an email to support@cloudsecurityalliance.org with your requested changes.

If you are updating your entry with a self-assessment for a cloud service other than the service already listed on the registry, create a new cloud service. Please completely fill the cloud service form. The name can be the same as your company, but if you have a specific name for the service, we recommend using this instead. The description should be a brief summary of the cloud service itself. For example, for CSA’s STARWatch:

Organization Confirmation: You must complete all of these steps in order to submit your entry. Since you have selected an organization already included within the registry, your submission will go through an organization confirmation process. If you have already successfully posted an entry for your organization in the past, you will not need to undergo this process. If this is your first submission for a preexisting entry, an email will go to those who have submitted for the organization in the past, and they will need to approve you as a valid submitter for the organization before your request is submitted for approval. If those on the employment record are no longer with the company, please email support@cloudsecurityalliance.org with the details of your situation for assistance.

CSA Confirmation: Once all of these steps have been completed, your submission will be sent to the CSA STAR team for review. The STAR team will ensure that your submission has adequate descriptions of your organization and cloud service, and that your self-assessment document complies with the outlined standards. Once the team has received your submission, your entry will typically be reviewed and posted within five business days, barring any errors with the submission.

Continuous Self-Assessment

Please see the instructions for a Level 1 Submission: CAIQ Self-Assessment. The process is identical but should be repeated monthly rather than annually

Related articles