The high adoption rate of cloud computing services has created a dire need for industry-wide standardization and consistency in providing ongoing transparency and assurance that cloud service providers are effectively managing the Security and Governance, Risk management and Compliance (GRC) expectations of their customers, in particular effective measurement and independent, objective validation of the cloud service provider’s Security and GRC posture.
The Cloud Assurance Assessor Program (CAAP) provides assurance of the qualifications of those purporting to have the necessary knowledge, skills and competencies as Cloud Security Assurance Assessors, who are engaged to independently validate Cloud Service Providers’ scores derived from their self-assessments against the requirements of the CloudeAssurance rating system platform or another platform that has been accepted by the HISPI.
The Holistic Information Security Practitioner Institute (HISPI) is the oversight body of the Cloud Assurance Assessor Program (CAAP). The CAAP has been under development since November 2011, with the HISPI CAAP Oversight Board (CAAPOB) made up of leading holistic information security practitioners from across the globe and different industry verticals working tirelessly on the development of this program.
With the global cloud services revenue projected to reach $241 billion by 2020, Information Security can either become a nightmare or an enabler for cloud adoption, particularly with recent increases in highly publicized cloud security breaches.
With the increased rate of adoption of public, private, community and hybrid cloud deployment models, the need for holistic information security practitioners with the necessary experience, skills and competencies to perform independent cloud security assurance assessments has never been greater. The launch of CAAP fills a critical market gap by bringing this offering to market in a timely fashion.
The HISPI-managed CAAP addresses the need for industry-wide standardization and consistency in providing this ongoing transparency and assurance that cloud service providers are effectively managing the Security and Governance, Risk management and Compliance (GRC) expectations of their customers.
Customers of Cloud Service Providers (Consumers)
Consumers may use a Cloud Service Provider’s “Provisional” or “Validated” CloudeAssurance Score to evaluate, select and negotiate new and existing contracts, Requests for Information (RFI), Requests for Quote (RFQ) and Requests for Proposal (RFP) with their Cloud Service Providers.
Cloud Service Providers (CSPs)
Cloud Service Providers that are willing to demonstrate evidence that they are effectively managing customer Security and Governance, Risk management and Compliance (GRC) expectations do so by performing self-assessments against the CloudeAssurance Scoring system. The output of this self-assessment is a “Provisional” CloudeAssurance Score valid for a period of time stipulated in the CAAP Manual.
Their CloudeAssurance Score will move from “Provisional” to “Validated” once the cloud service provider’s CloudeAssurance Score has been independently and objectively validated by a company qualified by the HISPI-managed Cloud Assurance Assessor Program (CAAP).
Cloud Services Brokers (CSBs)
External or internal entities that play an intermediary role in cloud computing. CSBs make it easier for organizations to consume and maintain cloud services, particularly when they span multiple providers. CSBs include system integrators, big data platforms, cloud integrators, insurance brokers and insurance underwriters.
Cloud Auditors
External or internal entities that perform standards-based independent assessments and/or audits of cloud services, such as HISPI Qualified Independent CAAP Assessors and FedRAMP Accredited 3PAOs.
Step 1 – Self-Assessment
- CSP performs CloudeAssurance Self-Assessment
- CSP obtains CloudeAssurance Provisional Score
Step 2 – CAAP Validation Assessment
- CSP hires HISPI Qualified Independent CAAP Assessor
- Independent CAAP Assessor Validates CSP’s CloudeAssurance Score
Step 3 – Validation Seal
- CAAP Oversight Board (CAAPOB) accepts Validated CloudeAssurance Score
- CSP publishes validated score in a Validation Seal
- CAAP Oversight Board (CAAPOB) rejects Validated CloudeAssurance Score
CSP repeats Steps 1 – 3 every period of time stipulated in the CAAP Manual.
For more information regarding the CAAP Process, please e-mail questions@hispi.org