BASED ON EUROPEAN QUALITY VALUES FOR WORLDWIDE USAGE
INTERNATIONAL PARTNER PROGRAMME BY EUROCLOUD EUROPE
EUROCLOUD STAR AUDIT
WHO WE ARE
EuroCloud Europe is an independent non-profit organisation with a network of national EuroCloud country organisations.
EuroCloud Europe facilitates the growth of cloud-based services and innovations across Europe and worldwide.
EuroCloud fields of activities are: Trust in Cloud, Research and Innovation, Start Up Encouragement, Standards and Interoperability, Legal Framework Harmonisation.
ECSA MISSION
ECE is offering the certification scheme “EuroCloud Star Audit” (ECSA) in order to establish trust in cloud services both on the customer and the user side.
The purpose of the ECSA and auditing Cloud Services is to provide an accountable quality rating of Cloud Services.
ECSA VISION
• To deliver a framework, assessments and a certificate that are meaningful selection tools for customers who want to use trustworthy cloud services.
• To reduce the necessity to perform costly individual assessments.
• To provide a valuable instrument with a high level of transparency and guidance for customers and providers alike.
ECSA VALUES
• A mature certification scheme (ECSA) especially designed to assess cloud services. Assessment levels fitting various use cases, suitable not only for large enterprises but also for an SME-type of cloud provider.
• Evaluation procedures to perform assessments against requirements that cover all participants of the supply chain of a cloud service.
• Transparency and Awareness – single place of publishing.
• A global eco-system of partners for various business models. Training for partners as well as customers of cloud services.
THE CHALLENGE
It is a challenge to select the best cloud provider for your needs from among the many offering cloud services in the market.
The way these services are provided is often highly complex and unrelated to the location of user and provider. For example, to keep data sovereignty, it may be necessary to check whether the software service of a provider in the same country as the user still has certain facilities (such as the computing and storage capacity) abroad and is thus subject to special data protection and fiscal requirements.
The ECSA evaluates Cloud Services according to a fixed and published catalogue of criteria. The result of this audit process shows the respective level of maturity and compliance of a service.
The certification procedure is based on best practices and provides answers to the main questions managers are likely to ask when looking for a suitable
cloud service provider. Unlike purely security or data protection audits, it covers the entire range of cloud service functions and validates compliance
with the requirements in clearly understandable terms.
ECSA IN DETAIL
The EuroCloud Star Audit (ECSA) is a mature certification scheme, especially designed to assess cloud services.
EuroCloud evaluates a cloud service against the requirements of the ECSA audit scheme and covers all participants of the specific supply chain of a cloud service.
The ECSA audit has a non-negotiable, mandatory scope that covers all important areas of a cloud service:
Provider's profile
Contract and compliance including data privacy protection against local law
Security
Operations
Environment and technical infrastructure
Processes
Relevant parts of the application and implementation
Interoperability and data portability
ECSA IN DETAIL
ECSA has a modular structure and offers three maturity levels. Similar to the well-known hotel classification, the cloud service is assigned “EuroCloud stars” from *** up to *****. Therefore ECSA is not only suitable for large enterprises but can also be achieved by an SME-type of cloud provider.
If a cloud service matches the ECSA audit criteria, the ECSA certificate is granted.
As long as there are no changes made within the cloud service profile and assessment areas, the certificate is valid for two years.
The ECSA certificate is a meaningful selection tool for customers who want to use trustworthy cloud services and it reduces the necessity to perform costly individual audits.
The EuroCloud Star Audit is a joint activity performed by the ECSA partners within an eco-system.
With the ECSA, EuroCloud Europe delivers a valuable instrument with a high level of transparency and guidance for customers and providers alike.
WHAT NEEDS TO BE ADDRESSED BY A CLOUD CERTIFICATION?
Cloud Specific Assessment
Security Assessment
Legal Compliance Assessment
Data Privacy Assessment
Common Scope - no negotiations
Complete Cloud Supply Chain covered
WHAT IS REALLY IMPORTANT?
All controls of the certification scheme must be publicly available.
Strict separation between the work of the Certification authority and the certification business (audit, training or consulting organisations).
Full independence of the certification authority, free of influence from industry, members, sponsors and government organisations.
ECSA HISTORY
Initial development started in 2010
First audits in 2011 at a local country level
Further streamlining as part of the ENISA and EU Cloud Select Industry Group in 2013
Officially listed in ENISA Cloud Certification Schemes Listing (CCSL)
International promotion started in 2014
Additional tools for Self Assessment, Training and Qualification
Special marketing campaign for the buyer market and scheme integration into various market places
ECSA PROCESS FOR CLOUD SERVICE PROVIDERS
STEP 1
Make yourself familiar with the ECSA control requirements
Perform a self-assessment against the scheme in one of the three quality levels as a Trusted Cloud Service Provider
STEP 2
Register as an ECSA partner with your public report and enhance your visibility in marketplaces with ECSA partnership
Use the report as a quality statement for your lead generation
STEP 3
Find an ECSA-AAO (Accredited Audit Organisation)
Start the full audit and provide evidence of the Self Assessment statements
Prepare yourself to provide submissions like company registration, contracts, data privacy statements where applicable, security and data protection measures, data centre specific information (connectivity, cooling, electricity, area security, emergency plans,…), process maturity, interfaces, data portability and service plans.
Provide transparency about all sub-services, subcontractors and data locations
Follow the recommendations of the auditors during remote and onsite inspection.
Apply for an ECSA certification for official registration
Use the certification as evidence of transparency and effectiveness, to be seen as a fully Trusted Cloud Service Provider by your customers
Register as an ECSA partner with your public certification and further enhance your visibility in marketplaces with ECSA partnership
STEP 4
Follow the guidelines and recommendations of the ECSA to keep the service with the highest reputation
ECSA PROCESS FOR CLOUD SERVICE CUSTOMERS
STEP 1
Make yourself familiar with the ECSA control requirements and match them with internal compliance criteria
Use marketplaces with ECSA support to find a trustworthy cloud service provider
STEP 2
Request appropriate evidence with the provision of at least an ECSA self-assessment or, even more preferably, a public ECSA certification report
STEP 3
Share the results of the internal vendor choice process and use the ECSA assessment tool for individual assessment and reporting