4.9 [DETAILS] Details about the Accountability Maturity Model
This section reports in detail the analysis of mapping the CSA CCM version 3.01 to the accountability attributes proposed by the A4Cloud project. To start the analysis, criteria were developed to relate individual CSA CCM controls to the A4Cloud accountability attributes [1]. The criteria are shown in Table 18.
General rule: if the control does not concern data stewardship practices, it is ignored. The two rightmost columns record to whom information is provided.

| Attribute | Criterion (question asked of each control) | Internal stakeholders (I) | External stakeholders (E) |
|---|---|---|---|
| Transparency | Does the control require or enable the dissemination of information describing how the organisation conforms to governing norms, its behaviour and the compliance of that behaviour with the norms? Note: the fact that a control requires the definition of rules, policies and requirements is not enough. Some provision must be included in the control to make sure that information is made available to stakeholders. | Only to internal stakeholders | Also to external stakeholders |
| Verifiability | Does the control require an assessment or test, or enable the construction of a proof of norm compliance (i.e. checking the behaviour of a system, service or processing against norms)? Note: the adoption of standards, or the documentation of policies and requirements, may facilitate verifiability but is not enough. An actual test or proof must be enabled by the control. | A test or proof examined by internal stakeholders | A test or proof examined by external stakeholders |
| Remediability | Does the control enable corrective action and/or provide a remedy for any party harmed in case of failure to comply with its governing norms? Note: detective and preventive controls are not enough. We target corrective controls here. | Measures involve internal stakeholders | Measures explicitly involve external stakeholders, through compensation, punishment and/or information |
| Responsibility | Does the control require an analysis resulting in the assignment of a task, or the oversight of a task, to an individual, group or organisation? Or does the control participate in the enforcement of the assignment of a task to an individual, group or organisation? The tasks here contribute towards norm compliance (and together should enable norm compliance). Notes: (1) The fact that a control says "X shall do Y" is not enough. The control must describe a process that results in the determination of responsibilities. (2) One of the difficulties is that some processes implicitly involve the determination of responsibilities without making this explicit in the wording of the control. For example, if a control suggests the creation of an Information Security Management framework, this normally also means that relevant responsibilities will be assigned within the organisation. This allows some space for interpretation. | With assignments disclosed internally | With assignments disclosed to external stakeholders |
| Responsiveness | Does the control take into account input from external stakeholders and respond to queries of these stakeholders? | Not applicable | With scope including all involved external data subjects |

Table 18: Criteria for mapping the CSA CCM to A4Cloud's accountability attributes.
At a glance, the applied criteria consider that the goal of accountability is to provide information to external stakeholders. Consequently, a gap was identified whenever the analysis found that information is provided only to internal stakeholders. The results of the analysis are shown in Table 19 below.
| No. | Control name (CCM v3.01) | Control code | V | T | R | Rem |
|---|---|---|---|---|---|---|
| 1 | Business Continuity Management & Operational Resilience | BCR-02 | | | | |
| 2 | Business Continuity Management & Operational Resilience | BCR-09 | | | | |
| 3 | Business Continuity Management & Operational Resilience | BCR-10 | | | | |
| 4 | Change Control & Configuration Management | CCC-04 | | | | |
| 5 | Change Control & Configuration Management | CCC-05 | | | | |
| 6 | Data Security & Information Lifecycle Management | DSI-01 | | | | |
| 7 | Data Security & Information Lifecycle Management | DSI-02 | | | | |
| 8 | Datacentre Security | DCS-01 | | | | |
| 9 | Encryption & Key Management | EKM-01 | | | | |
| 10 | Encryption & Key Management | EKM-02 | | | | |
| 11 | Governance and Risk Management | GRM-05 | | | | |
| 12 | Identity & Access Management | IAM-02 | | | | |
| 13 | Identity & Access Management | IAM-08 | | | | |
| 14 | Identity & Access Management | IAM-09 | | | | |
| 15 | Identity & Access Management | IAM-10 | | | | |
| 16 | Identity & Access Management | IAM-11 | | | | |
| 17 | Identity & Access Management | IAM-12 | | | | |
| 18 | Identity & Access Management | IAM-13 | | | | |
| 19 | Infrastructure & Virtualisation Security | IVS-01 | | | | |
| 20 | Security Incident Management, E-Discovery & Cloud Forensics | SEF-02 | | | | |
| 21 | Security Incident Management, E-Discovery & Cloud Forensics | SEF-03 | | | | |
| 22 | Security Incident Management, E-Discovery & Cloud Forensics | SEF-04 | | | | |
| 23 | Supply Chain Management, Transparency and Accountability | STA-01 | | | | |
| 24 | Supply Chain Management, Transparency and Accountability | STA-02 | | | | |
| 25 | Supply Chain Management, Transparency and Accountability | STA-04 | | | | |
| 26 | Supply Chain Management, Transparency and Accountability | STA-05 | | | | |
| 27 | Supply Chain Management, Transparency and Accountability | STA-06 | | | | |
| 28 | Supply Chain Management, Transparency and Accountability | STA-07 | | | | |
| 29 | Supply Chain Management, Transparency and Accountability | STA-08 | | | | |
| 30 | Supply Chain Management, Transparency and Accountability | STA-09 | | | | |
| 31 | Threat and Vulnerability Management | TVM-01 | | | | |

Table 19: Mapping between CSA CCM and A4Cloud accountability attributes. Legend: (V)erifiability, (T)ransparency, (R)esponsibility, (Rem)ediability.
The mapping between the accountability controls shown in Section 3.3 and the CSA CCM v3.01 controls is shown in Table 20 below:
| Control Domain | CCM V3.01 Control ID | Governance | Lifecycle |
|---|---|---|---|
| Application & Interface Security | AIS-02 | 3.01 | |
| Audit Assurance & Compliance | AAC-01 | 1.09 | 6.01 |
| Audit Assurance & Compliance | AAC-02 | 1.09 | 6.01 |
| Audit Assurance & Compliance | AAC-03 | 1.01 | 6.01 |
| Business Continuity Management & Operational Resilience | BCR-01 | 1.08 | 5.04 |
| Business Continuity Management & Operational Resilience | BCR-02 | 1.08 | |
| Business Continuity Management & Operational Resilience | BCR-07 | 1.10 | |
| Business Continuity Management & Operational Resilience | BCR-08 | 5.07 | |
| Business Continuity Management & Operational Resilience | BCR-09 | 5.07 | |
| Change Control & Configuration Management | CCC-01 | 3.05 | |
| Change Control & Configuration Management | CCC-02 | 3.04 | |
| Data Security & Information Lifecycle Management | DSI-01 | 3.01 | |
| Data Security & Information Lifecycle Management | DSI-02 | 1.10 | 3.01 |
| Data Security & Information Lifecycle Management | DSI-04 | 1.10 | |
| Data Security & Information Lifecycle Management | DSI-06 | 1.04 | 3.05 |
| Governance and Risk Management | GRM-01 | 1.01 | 3.01 |
| Governance and Risk Management | GRM-02 | 1.02 | |
| Governance and Risk Management | GRM-03 | 1.01 | 3.05 |
| Governance and Risk Management | GRM-04 | 1.04 | 4.01 |
| Governance and Risk Management | GRM-05 | 1.01 | |
| Governance and Risk Management | GRM-08 | 1.02 | 6.03 |
| Governance and Risk Management | GRM-09 | 1.04 | |
| Governance and Risk Management | GRM-10 | 1.02 | 3.02 |
| Governance and Risk Management | GRM-11 | 3.03 | |
| Human Resources | HRS-03 | 1.06 | |
| Human Resources | HRS-07 | 1.04 | |
| Human Resources | HRS-08 | 1.06 | |
| Human Resources | HRS-09 | 1.06 | |
| Human Resources | HRS-10 | 1.06 | |
| Identity & Access Management | IAM-02 | 1.14 | |
| Identity & Access Management | IAM-04 | 1.14 | |
| Identity & Access Management | IAM-05 | 1.14 | |
| Infrastructure & Virtualisation Security | IVS-01 | 1.14 | 4.03 |
| Interoperability & Portability | IPY-03 | 3.01 | |
| Interoperability & Portability | IPY-04 | 3.01 | |
| Security Incident Management, E-Discovery & Cloud Forensics | SEF-01 | 1.08 | 5.05 |
| Security Incident Management, E-Discovery & Cloud Forensics | SEF-02 | 1.08 | 4.02 |
| Security Incident Management, E-Discovery & Cloud Forensics | SEF-03 | 1.08 | 4.04 |
| Security Incident Management, E-Discovery & Cloud Forensics | SEF-04 | 1.08 | 3.04 |
| Security Incident Management, E-Discovery & Cloud Forensics | SEF-05 | 1.08 | |
| Supply Chain Management, Transparency and Accountability | STA-01 | 1.11 | 3.06 |
| Supply Chain Management, Transparency and Accountability | STA-02 | 3.04 | |
| Supply Chain Management, Transparency and Accountability | STA-04 | 6.02 | |
| Supply Chain Management, Transparency and Accountability | STA-05 | 3.05 | |
| Supply Chain Management, Transparency and Accountability | STA-06 | 3.04 | |
| Supply Chain Management, Transparency and Accountability | STA-07 | 3.04 | |
| Supply Chain Management, Transparency and Accountability | STA-08 | 1.11 | |
| Supply Chain Management, Transparency and Accountability | STA-09 | 1.11 | 3.04 |

Table 20: Mapping between the CCM and the cloud accountability control frameworks.
To elicit the accountability metrics corresponding to the AMM controls, A4Cloud contributed the following methodological approach:
- Conceptual analysis. The first step is the modelling and decomposition of accountability attributes into simpler properties. For this we use the A4Cloud Metamodel for Accountability Metrics, which enables a top-down decomposition of attributes and the identification of practices and mechanisms that support accountability.
- Analysis of control frameworks. The goal of this step is to select, from relevant control frameworks, the controls that can influence accountability. This analysis allows us to identify assessable factors.
- Definition of metrics. The assessable factors identified by the analysis of the controls lead us to define metrics for them.
Applying the previously described approach, the A4Cloud project elicited a total of 39 accountability metrics (cf. Table 21).
| Metric | Name | T | V | Rem | R |
|---|---|---|---|---|---|
| | Verifiability and Compliance | | | | |
| 1 | Authorised collection of personal data | X | | | |
| 2 | Privacy Program Budget | X | | | |
| 3 | Privacy Program Updates | X | X | | |
| 4 | Periodicity of Privacy Impact Assessments for Information Systems | X | | | |
| 5 | Number of privacy audits received | X | X | | |
| 6 | Successful audits received | X | X | | |
| 7 | Record of Data Collection, Creation, and Update | X | | | |
| 8 | Data classification | X | | | |
| 9 | Coverage of Privacy and Security Training | X | | | |
| 10 | Account of Privacy and Security Training | X | | | |
| 11 | Level of confidentiality | X | | | |
| 12 | Key Exposure Level | X | | | |
| 13 | Data Isolation Testing Level | X | | | |
| | Transparency, Responsibility and Attributability | | | | |
| 14 | Type of Consent | X | | | |
| 15 | Type of notice | X | | | |
| 16 | Procedures for Data Subject Access Requests | X | | | |
| 17 | Number of Data Subject Access Requests | X | | | |
| 18 | Responded data subject access requests | X | | | |
| 19 | Mean time for responding Data Subject Access Requests | X | | | |
| 20 | Readability (Flesch Reading Ease Test) | X | | | |
| 21 | Rank of Responsibility for Privacy | X | | | |
| 22 | Certification of acceptance of responsibility | X | | | |
| 23 | Frequency of certifications | X | X | | |
| 24 | Log Unalterability | X | | | |
| 25 | Identity Assurance | X | | | |
| 26 | Mean time to revoke users | X | | | |
| | Remediability and Incident Response | | | | |
| 27 | Mean time to respond to complaints | X | X | | |
| 28 | Number of complaints | X | X | | |
| 29 | Reviewed complaints | X | X | | |
| 30 | Number of privacy incidents | X | | | |
| 31 | Coverage of incident notifications | X | X | | |
| 32 | Type of incident notification | X | X | | |
| 33 | Privacy incidents caused by third parties | X | X | | |
| 34 | Number of Business Continuity Resilience (BCR) plans tested | X | X | | |
| 35 | Maximum tolerable period for disruption (MTPD) | X | | | |
| 36 | Sanctions | X | X | | |
| 37 | Incidents with damages | X | X | | |
| 38 | Total expenses due to compensatory damages | X | X | | |
| 39 | Average expenses due to compensatory damages | X | X | | |

Table 21: Catalogue of accountability metrics. Legend: (V)erifiability, (T)ransparency, (R)esponsibility, (Rem)ediability.
Based on the developed accountability metrics, Table 22 shows the specific set of metrics associated with the elicited CSA CCM controls that map to the accountability attributes.
| Control group | Control name (CCM v3.01) | Control code | Accountability Metric |
|---|---|---|---|
| Business Continuity Management & Operational Resilience | Business Continuity Testing | BCR-02 | Metric 34. Number of Business Continuity Resilience (BCR) plans tested |
| Business Continuity Management & Operational Resilience | Impact Analysis | BCR-09 | Metric 35. Maximum tolerable period for disruption (MTPD) |
| Business Continuity Management & Operational Resilience | Management Program | BCR-10 | n/a |
| Change Control & Configuration Management | Unauthorised Software Installations | CCC-04 | n/a |
| Change Control & Configuration Management | Production Changes | CCC-05 | n/a |
| Data Security & Information Lifecycle Management | Classification | DSI-01 | Metric 8. Data classification |
| Data Security & Information Lifecycle Management | Data Inventory / Flows | DSI-02 | n/a. Metric 7. Record of Data Collection, Creation, and Update |
| Datacentre Security | Asset Management | DCS-01 | n/a |
| Encryption & Key Management | Entitlement | EKM-01 | Metric 11. Level of confidentiality; Metric 12. Key Exposure Level |
| Encryption & Key Management | Key Generation | EKM-02 | n/a |
| Governance and Risk Management | Management Support/Involvement | GRM-05 | n/a |
| Identity & Access Management | Credential Lifecycle / Provision Management | IAM-02 | Metric 25. Identity Assurance; Metric 26. Mean time to revoke users |
| Identity & Access Management | Trusted Sources | IAM-08 | n/a |
| Identity & Access Management | User Access Authorisation | IAM-09 | n/a. Metric 16. Procedures for Data Subject Access Requests; Metric 17. Number of Data Subject Access Requests; Metric 18. Responded data subject access requests; Metric 19. Mean time for responding Data Subject Access Requests |
| Identity & Access Management | User Access Reviews | IAM-10 | n/a |
| Identity & Access Management | User Access Revocation | IAM-11 | Metric 26. Mean time to revoke users |
| Identity & Access Management | User ID Credentials | IAM-12 | n/a |
| Identity & Access Management | Utility Programs Access | IAM-13 | n/a |
| Infrastructure & Virtualisation Security | Audit Logging / Intrusion Detection | IVS-01 | n/a |
| Security Incident Management, E-Discovery & Cloud Forensics | Incident Management | SEF-02 | n/a |
| Security Incident Management, E-Discovery & Cloud Forensics | Incident Reporting | SEF-03 | Metric 22. Certification of acceptance of responsibility; Metric 23. Frequency of certifications; Metric 27. Mean time to respond to complaints; Metric 28. Number of complaints; Metric 29. Reviewed complaints |
| Security Incident Management, E-Discovery & Cloud Forensics | Incident Response Legal Preparation | SEF-04 | Metric 31. Coverage of incident notifications; Metric 32. Type of incident notification; Metric 33. Privacy incidents caused by third parties; Metric 39. Average expenses due to compensatory damages |
| Supply Chain Management, Transparency and Accountability | Data Quality and Integrity | STA-01 | n/a |
| Supply Chain Management, Transparency and Accountability | Incident Reporting | STA-02 | Metric 36. Sanctions; Metric 37. Incidents with damages; Metric 38. Total expenses due to compensatory damages |
| Supply Chain Management, Transparency and Accountability | Provider Internal Assessments | STA-04 | n/a |
| Supply Chain Management, Transparency and Accountability | Supply Chain Agreements | STA-05 | Metric 31. Coverage of incident notifications; Metric 32. Type of incident notification; Metric 33. Privacy incidents caused by third parties |
| Supply Chain Management, Transparency and Accountability | Supply Chain Governance Reviews | STA-06 | n/a |
| Supply Chain Management, Transparency and Accountability | Supply Chain Metrics | STA-07 | n/a |
| Supply Chain Management, Transparency and Accountability | Third Party Assessment | STA-08 | n/a |
| Supply Chain Management, Transparency and Accountability | Third Party Audits | STA-09 | n/a |
| Threat and Vulnerability Management | Anti-Virus / Malicious Software | TVM-01 | n/a |

Table 22: Metrics associated with the CSA CCM controls related to accountability.
As a final step, the CSA EA (the Cloud Reference Architecture developed by CSA) can also be mapped to the resulting set of CSA CCM v3.01 controls related to accountability attributes. The results are presented in Table 23.
The first two columns belong to the A4Cloud AMM, the remaining three to the CSA EA.

| Control name (v3.01) | Control code | Domain | Container | Capability |
|---|---|---|---|---|
| Business Continuity Testing | BCR-02 | BOSS | Operational Risk Management | Business Continuity |
| Impact Analysis | BCR-09 | ITOS | Service Delivery | Information Technology Resiliency - Resiliency Analysis |
| Management Program | BCR-10 | SRM | Policies and Standards | Operational Security Baselines |
| Unauthorised Software Installations | CCC-04 | ITOS | Service Support | Configuration Management - Software Management |
| Production Changes | CCC-05 | ITOS | Service Support | Release Management |
| Classification | DSI-01 | BOSS | Data Governance | Data Classification |
| Data Inventory / Flows | DSI-02 | BOSS | Data Governance | Handling / Labelling / Security Policy |
| Asset Management | DCS-01 | ITOS | Service Support | Configuration Management - Physical Inventory |
| Entitlement | EKM-01 | SRM | Cryptographic Services | Key Management |
| Key Generation | EKM-02 | SRM | Cryptographic Services | Key Management |
| Management Support/Involvement | GRM-05 | SRM | Governance Risk & Compliance | Compliance Management |
| Credential Lifecycle / Provision Management | IAM-02 | SRM | Policies and Standards | n/a |
| Trusted Sources | IAM-08 | Information Services | User Directory Services | Active Directory Services, LDAP Repositories, X.500 Repositories, DBMS Repositories, Meta Directory Services, Virtual Directory Services |
| User Access Authorisation | IAM-09 | SRM | Privilege Management Infrastructure | Identity Management - Identity Provisioning |
| User Access Reviews | IAM-10 | SRM | Privilege Management Infrastructure | Authorisation Services - Entitlement Review |
| User Access Revocation | IAM-11 | SRM | Privilege Management Infrastructure | Identity Management - Identity Provisioning |
| User ID Credentials | IAM-12 | SRM | Policies and Standards | Technical Security Standards |
| Utility Programs Access | IAM-13 | SRM | Privilege Management Infrastructure | Privilege Usage Management - Resource Protection |
| Audit Logging / Intrusion Detection | IVS-01 | BOSS | Security Monitoring Services | SIEM |
| Incident Management | SEF-02 | ITOS | Service Support | Security Incident Management |
| Incident Reporting | SEF-03 | BOSS | Human Resources Security | Employee Awareness |
| Incident Response Legal Preparation | SEF-04 | BOSS | Legal Services | Incident Response Legal Preparation |
| Data Quality and Integrity | STA-01 | SRM | Governance Risk & Compliance | Vendor Management |
| Incident Reporting | STA-02 | ITOS | Service Support - Incident Management | Cross Cloud Incident Response |
| Provider Internal Assessments | STA-04 | SRM | Governance Risk & Compliance | Vendor Management |
| Supply Chain Agreements | STA-05 | BOSS | Legal Services | Contracts |
| Supply Chain Governance Reviews | STA-06 | SRM | Governance Risk & Compliance | Vendor Management |
| Supply Chain Metrics | STA-07 | ITOS | Service Delivery | Service Level Management - Vendor Management |
| Third Party Assessment | STA-08 | SRM | Governance Risk & Compliance | Vendor Management |
| Third Party Audits | STA-09 | BOSS | Compliance | Third-Party Audits |
| Anti-Virus / Malicious Software | TVM-01 | SRM | Infrastructure Protection Services | Anti-Virus |

Table 23: Mapping the AMM to CSA's Cloud Reference Architecture (CSA EA).