What You Need to Know About Changes to the STAR Program


The CSA recently announced that the STAR Program will now allow a one-time, first-year-only, Type 1 STAR Attestation report. What is a Type 1 versus a Type 2 examination, and what are the benefits of starting with a Type 1 examination?

Type 1 versus Type 2
There are two types of System and Organization Control (SOC) 2 reports, Type 1 and Type 2. Both types of reports examine a service organization’s internal controls relating to one or more of the American Institute of CPAs’ (AICPA) Trust Services Principles and Criteria, as well as the Cloud Security Alliance’s (CSA) Cloud Controls Matrix (CCM). Both reports include an examination on the service organization’s description of its system.

A Type 1 report examines the suitability of the design of the service organization’s controls at a point in time, also referred to as the Review Date. A Type 2 report examines not only the suitability of the design of controls that meet the criteria but also the operating effectiveness of controls over a specific period of time, also referred to as the Review Period.

In a Type 2 examination, the auditor is required to perform more detailed testing, request more documentation from the organization, and spend more time than in a Type 1 examination. The additional documentation and testing requirements can put a greater strain on an organization and require more resources to complete the audit.

A service organization that has not been audited against the criteria in the past may find it easier to complete a Type 1 examination during the first audit, as it requires less documentation and less preparation, and the organization can respond more quickly to gaps noted during the examination.

The cost of a Type 1 examination is lower than that of a Type 2 examination because the testing effort is smaller. Additionally, fewer organization resources will be used for a Type 1, resulting in further cost savings.

If the service organization, or a specific service line or business unit of the organization, was recently implemented, the organization would have to not only ensure that controls were put in place to meet the criteria, but also ensure the controls had been operating for a certain period of time before completing a Type 2 examination. In this situation, there would not be enough history or length of time for a service auditor to perform a Type 2 examination. A Type 1 examination would allow for a quicker report rather than waiting out the review period required for a Type 2 examination.

Benefits of a Type 1
There are several benefits to starting with a Type 1 report, including:

  • Quicker report turn-around time and listing in the STAR Registry
  • Shorter testing period
  • Cost efficiencies
  • Easier to apply to a new environment or a new service line

An organization might be trying to win a certain contract or respond to a client's request for a STAR Attestation within a short period of time. A Type 1 examination does not require controls to have been operating for a period of time prior to the examination; therefore, the examination and the resulting report can be delivered to the service organization sooner.

Starting with a Type 1 report has many benefits for a first-year STAR Attestation, and the organization will find the experience useful when moving to a Type 2 examination in the following year.

It is important to note, though, that a Type 1 should be considered only an intermediate and preparatory step toward achieving a Type 2 STAR Attestation.

Debbie Zaller, CPA, CISSP, PCI QSA, Principal, Schellman & Co., LLC

[Cloud Security Alliance Blog]

About @PhilipHungCao

@PhilipHungCao, CISM, CCSP, CCSK, CASP, CIW-WSP, GICSP, PCNSE, ACSP, CCDA, DCSE, JNCIA, MCTS, MCSA, VCP5-DCV, VCP6-NV, ZCNT is a #TekF@rmer. He has 16 years' experience in ICT/Cybersecurity industry in various sectors & positions.
