STAR Submission Guide Level 2

Level 2 Submissions: Attestation

Note: You must have completed a Level 1 Self-Assessment submission prior to submitting a STAR Attestation.

Name and Email: We require that you use your name and your company email for these fields in order to keep the submissions for your organization secure. The email needs to be legitimate. Please note that the domain of your personal account and the company you are submitting for have to match.

Note: Your STAR account will be created within Cloud Security Alliance’s STARWatch tool. If you already have an account under the provided name and email, your preexisting account will be associated with your submission.

Type of Registry Entry: Select the type of submission you are making (Attestation).

Specification: Select the specification for your type of registry entry (CCM).

Number of Employees in the Scope of the Audit: The number of employees in the scope of the audit is required for invoicing purposes. Select the appropriate range for the auditee organization.

Document Upload: The primary document must be the CSA STAR Attestation Intake Form, available for download at https://cloudsecurityalliance.org/artifacts/csa-star-attestation. You must fill out this form to completion. Please note the CPA must be CCSK certified. We require the email address that was used to attain their CCSK as well as their certificate number in order to verify their certificate. If the CPA provides a certificate for the attestation, this may be posted as a supporting document.

Level 2 Submissions: Certification Bodies

Please fill out each section to completion.

Note: You must have completed a Level 1 Self-Assessment submission prior to submitting a STAR Certification.

Certification Body: This information pertains to you, the submitter and employee of the certification body.

Name, Phone, and Email: We require that you use your name and your company email for these f ields in order to keep the submissions for organizations secure. The email needs to be legitimate in order to receive a confirmation email from CSA. You will need to respond to the confirmation email in order for the entry to be posted to the registry.

Title: This is your official title within your organization (e.g. Information Security Officer).

Organization: This information pertains to the organization whom you are submitting on behalf of. 

Please request an adequate organization name, website, and description from the company before submitting.

Organization Name: This is the name of the organization you are making the submission for.

Organization Contact Name and Email: You must provide a point of contact for the organization for whom you are making the submission. The contact is the person who will “own” the registry entry and be contacted for any future questions concerning the entry. Their email needs to be a valid company email in order to receive a confirmation email from CSA.

Organization Website: This should be the URL of the main website of the organization you are making the submission for.

Organization Description: Please request an adequate organization description from the company before submitting. The description should be a brief summary of the organization itself. For example: “The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, certification, events and products.”

Cloud Service: Please request an adequate cloud service name, website, and description from the company before submitting.

Cloud Service Name: This is the name of the cloud service provided by the organization you are submitting for. The name can be the same as the company, but if the organization has a specific name for the service, we recommend using this instead.

Cloud Service Website (optional): This should be the URL for a page specific to the cloud service of the organization you are making the submission for. If there is not a specific site or page for the cloud service, this field can be left empty.

Cloud Service Description: The description should be a brief summary of the cloud service itself. For example, for CSA’s STARWatch: “Cloud Security Alliance STARWatch is a Software as a Service (SaaS) application to help organizations manage compliance with CSA STAR (Security, Trust and Assurance Registry) requirements. STARWatch delivers the content of the Cloud Controls Matrix (CCM) and Consensus Assessments Initiative Questionnaire (CAIQ) in a database format, enabling users to manage compliance of cloud services with CSA practices.”

Specification: The specification for the type of registry entry you are submitting (i.e. STAR Certification or CSTAR Certification).

Number of Employees in the Scope of the Audit: The number of employees in the scope of the audit is required for invoicing purposes. Select the appropriate range for the auditee organization.

Primary Document: The primary document for Level 2 submissions must be the CSA STAR (https:// cloudsecurityalliance.org/artifacts/csa-star-certification/) or CSTAR Intake Form. It must be filled out to completion. Be sure to use MM/DD/YYYY date formatting.

Supporting Document(s): We recommend that you attach your company STAR or CSTAR Certificate as a supplement to the CSA Intake Form. However, the certificate is not required in order for the entry to be posted to the registry.

Certification Body and Organization Confirmation: Once you have made your submission, both yourself and the point of contact from the organization will receive a confirmation email. You must respond to this email to confirm that this entry may be posted to the registry.

CSA Confirmation: Once all of these steps have been completed, your submission will be sent to the CSA STAR team for review. The STAR team will ensure that you have submitted using valid company emails, your submission has adequate descriptions of the organization and cloud service, and that your primary CSA STAR Certification Intake Form document complies with the outlined standards. If there are any issues with your submission, you will receive an email from a member of the STAR team with requested changes. Once the team has received your submission, your entry will typically be reviewed and posted within five business days, barring any errors with the submission.