
Implementing CCM: Enterprise Risk Management Controls

April 23, 2025


The Cloud Controls Matrix (CCM) is a framework of security controls considered essential for cloud computing. It is created and maintained by the Cloud Security Alliance (CSA) and aligned to CSA best practices.

You can use CCM to systematically assess and guide the security of any cloud implementation. CCM also provides guidance on which actors within the cloud supply chain should implement which security controls. Both cloud service customers (CSCs) and cloud service providers (CSPs) use CCM, in different ways.

CSCs use CCM to:

  • Assess the cloud security posture of current or potential cloud vendors. If a vendor is not transparent about its security controls, the risk of doing business with it can be quite high.
  • Compare vendors’ level of compliance with relevant standards like ISO 27001.
  • Clarify the security roles and responsibilities between themselves and the CSP.

CSPs use CCM to:

  • Assess, establish, and maintain a robust and internationally accepted cloud security program. CCM helps solidify CSPs’ positions as trusted and transparent providers of cloud services.
  • Compare their strengths and weaknesses against those of other organizations.
  • Document controls for multiple standards in one place. CSA has mapped the controls in CCM against several industry-accepted security standards, regulations, and control frameworks.

CCM v4 contains 197 control objectives structured into 17 domains that cover all key aspects of cloud technology:

[Figure: list of the 17 CCM domains]

Today we're looking at implementing the eighth domain of CCM: Governance, Risk and Compliance (GRC). The GRC domain consists of 8 control specifications (GRC-01 through GRC-08):

  1. Governance Program Policy and Procedures: Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for an information governance program, which is sponsored by the leadership of the organization. Review and update the policies and procedures at least annually.
  2. Risk Management Program: Establish a formal, documented, and leadership-sponsored Enterprise Risk Management (ERM) program that includes policies and procedures for identification, evaluation, ownership, treatment, and acceptance of cloud security and privacy risks.
  3. Organizational Policy Reviews: Review all relevant organizational policies and associated procedures at least annually or when a substantial change occurs within the organization.
  4. Policy Exception Process: Establish and follow an approved exception process as mandated by the governance program whenever a deviation from an established policy occurs.
  5. Information Security Program: Develop and implement an Information Security Program, which includes programs for all the relevant domains of the CCM.
  6. Governance Responsibility Model: Define and document roles and responsibilities for planning, implementing, operating, assessing, and improving governance programs.
  7. Information System Regulatory Mapping: Identify and document all relevant standards, regulations, legal/contractual, and statutory requirements, which are applicable to your organization.
  8. Special Interest Groups: Establish and maintain contact with cloud-related special interest groups and other relevant entities in line with business context.

These controls are designed to help both CSPs and CSCs ensure that their governance, risk management, and compliance programs effectively address cloud-related concerns.

The GRC controls logically connect to and build on each other. In practice, organizations normally start by defining their information security documentation: security policies, standards, and procedures. They then extend their enterprise risk management program to cover cybersecurity and cyber risk. Finally, they define an official process for granting and tracking exceptions to the published standards.

A key goal of GRC is to direct decision making, culture, and accountability throughout the organization, so that outcomes are consistently aligned with the organization's goals. Organizations accomplish this through intentional direction, enablement, measurement, and reporting of activities and behavior and their effectiveness. This should also include activities for the oversight and operation of internal controls within the environment, so that serious control gaps are detected rather than discovered after an incident.

Good governance is accomplished (in part) by establishing responsibilities for the operation of internal controls within the environment, including those operated by third parties. This is a key aim of the Shared Security Responsibility Model (SSRM).


Distribution of Responsibilities in GRC

In the SSRM, the ownership of each security control is explicitly defined. A responsibility can be shared between the cloud customer and the cloud provider, or it can be exclusive to one or the other. Typically, the CSP is responsible for security *of* the cloud (the underlying platform and infrastructure), and the CSC is responsible for its own security *in* the cloud (the data, identities, configurations, and workloads it deploys).

For GRC specifically, the CCM classifies all eight controls as "shared independent": the provider and the customer are each responsible for implementing their own cloud GRC controls, separately from one another. The development of a GRC program is unique to each organization, tailored to its specific operations and needs.

However, keep in mind that the SSRM is a rule of thumb. It indicates how the CSP and CSC typically divide their responsibilities. The guidance is descriptive, not prescriptive, and helps in planning and establishing a baseline of expectations.

The goal of working through the SSRM with your provider or customer is to validate these expectations: define and mutually agree upon all relevant responsibilities, in writing, so that there are no unintended omissions or surprises down the road.


GRC Risks & Best Practices

Non-Compliance with Regulations

Non-compliance with regulatory requirements can lead to serious financial impacts, legal actions, business disruptions, and reputational damage. Almost all of the GRC controls help mitigate this risk. A good place to start is Information System Regulatory Mapping.

Identify all regulations and applicable laws for the organization and link them to the assets and systems they apply to. Then create specific information security policies, standards, and procedures that cover all the necessary controls (IAM, cryptography, key management, secure backups, etc.).

The next step is to update your risk management program so that it includes cybersecurity compliance.

The final step is to keep this documentation reviewed and updated, at least annually or whenever a substantial change occurs.


Operational Inefficiencies

Operational inefficiencies result in increased costs and decreased productivity. To mitigate them, you need clear documentation. The documentation should explain why a security control is needed, what needs to be implemented, and each step of that implementation.

After defining the security controls, you also need to manage their implementation and measure their effectiveness. To do that, follow a risk-based approach that goes hand in hand with the business needs.


Ineffective Risk Management

Ineffective risk management leads to poor decision making. The key mitigating control is including cybersecurity in your enterprise risk management process.

To be a risk-driven organization, you must use a risk-based approach: put each risk into its business context and understand the impact on the organization if it materializes. Without doing this, it is almost impossible to make the right decisions about where to invest.

Remember that each organization has its own unique risk profile and risk tolerance, so you need to clearly define your own.


Lack of Accountability and Transparency 

Lack of accountability can lead to reduced productivity and potential service disruptions. You must have a clear definition of what is the full responsibility of the CSP, what is the full responsibility of the CSC, and which areas are shared. Additionally, you must know who specifically is responsible for performing each required action.

Keep in mind that, for the CSP, onboarding a new client will not normally change its security posture; serving clients is what the platform is built for. For a CSC, however, adopting a new cloud service can indeed change its security level, because it introduces new responsibilities and a new attack surface. That is the moment to work through the SSRM with the provider and update your risk assessment.


The Cloud Controls Matrix: A Free Resource for All Professionals

The CCM framework helps organizations:

  • Cover all key aspects of cloud technology
  • Simplify compliance with mappings to various industry standards
  • Identify and manage cloud computing risks
  • Implement and manage security measures consistently
  • Ensure that both the CSP and the CSC understand their roles
  • Show customers their commitment to robust cloud security practices
  • Demonstrate compliance and security to both their own stakeholders and to regulators

You can download and review the Cloud Controls Matrix and CCM Implementation Guidelines for free. These resources will be a great help in securing the implementation, operation, and assessment of your cloud services. Whether you’re a cloud consumer, a cloud provider, or both, having proactive conversations with your counterparts about the responsibilities of your cloud governance programs will help you achieve transparency and manage risk.

Learn more about implementing CCM by checking out the other blogs in this ongoing series. Be on the lookout for the next installment: Human Resources.
