
Integrate with STAR continuous #26

Open
pritikin opened this issue Jan 7, 2022 · 3 comments

Comments

@pritikin
Contributor

pritikin commented Jan 7, 2022

We need to understand how our work will (soon!) be integrated into STAR continuous.

To do this we think:

  • understand current proof-of-concept work and milestones
  • understand current leadership plans / vision / strategy / milestones
  • make a proposal (how to insert our work) (this will influence our dashboard discussions)

@pritikin
Contributor Author

pritikin commented Jan 7, 2022

(Mosi will work on this; and we'll assign the issue once github accounts are added)

@pritikin
Contributor Author

pritikin commented Jan 19, 2022

Discussion 1/19/22

  • targeting an external push around RSA (~may) timeframe to drive interest

  • the machine readable format of the catalog (e.g. the yaml metric catalog)

  • initial architecture docs cleaned up

  • and articulating the (possible) integration w other work at CSA
    ** we need a high level roadmap

  • we need to collect some community feedback. show that we're responding and paying attention. (from the PoC?)
    ** perhaps has a survey? can CSA do one or another one?
    ** can team members put together their feedback (its a little selective but better than nothing?)

  • scope is of course a key problem
    ** the metrics are defined for a particular scope
    ** STAR expects the manual audit to ensure the 'scope' is correct "fit for purpose"
    ** dimaria: the audit guidelines outline 'fit for purpose'. We could look at that and figure out how to use that work to provide the denominator for many of our metrics. (this would be something of a broader 'metric implementation guidelines')
    ** what/where do we discuss this for our users? Is this part of our target for may?

conclusion:
focus on the machine readable format and the implementation guidelines behind it.

@mosi-k-platt
Contributor

mosi-k-platt commented Jan 21, 2022

@pritikin Here is scoping guidance from the CCMv4 audit guidelines:

1.2. CCM Compliance Audit Documentation

The scope of the audit should include the controls that are, in whole or in part, under the responsibility of the auditee (for reference see STA-06).

CCM compliance audits should start by assembling evidence of the process flow; Security, privacy, data integrity, contractual clarity and protections, business continuity, process and system reliability, effectiveness/efficiency of new business processes, configuration management, compliance with cross-jurisdictional for privacy and regulations, etc. as well as the SSRM control applicability and implementation summary documentation as appropriate for the specific audit subject and their role, e.g., as a CSP or CSC.

Control ID: STA-06
Control Title: SSRM Control Implementation
Control Specification: Implement, operate, and audit or assess the portions of the SSRM which the organization is responsible for.

Auditing Guidelines

  1. Examine the policy related to addressing security in third-party agreements and determine if organizations employ formal contracts.
  2. Determine if written procedures exist for addressing security in third-party agreements and whether or not the procedure(s) address(es) each element of the policy/control requirement(s) stipulated in the policy level.
  3. Examine relevant documentation, observe relevant processes, and/or interview the control owner(s), and/or relevant stakeholders, as needed, for addressing security in third-party agreements and determine if the policy/control requirements stipulated in the policy level have been implemented.
  4. Examine measure(s) that evaluate(s) the organization’s compliance with the third-party management policy and determine if the measure(s) address(es) implementation of the policy/control requirement(s) as stipulated in the policy level.
