SOURCE: Cloud Security Alliance

Cloud Security Alliance

February 25, 2013 09:00 ET

CSA Continues Campaign to Improve Transparency and Assurance in the Cloud Market With Position Paper on AICPA Reporting Framework

SAN FRANCISCO, CA--(Marketwire - Feb 25, 2013) -  The Cloud Security Alliance today released a position paper on the American Institute of CPA's reporting framework, as a means of educating its members and providing guidance on selecting the most appropriate reporting option. The position paper is the latest step in CSA's previously announced Open Certification Framework and STAR Attestation initiatives.

The AICPA's reporting framework, known as Service Organization Control Reports, consists of three major document types. The first -- the SOC 1(SM) report -- deals with controls over financial reporting. The SOC 2(SM) report focuses on controls that bear on a service provider's security, processing integrity and operating availability, as well as the confidentiality and privacy of data moving through its systems. A third report, SOC 3(SM), is a compressed version of the SOC 2(SM) and is designed for public distribution.

In the position paper, the CSA highlights that for most cloud providers, the combination of leveraging the criteria in the CSA Cloud Controls Matrix with a SOC 2(SM) report is likely to meet the assurance and reporting needs of the majority of users of cloud services. The paper offers guidance to members on when a SOC 1(SM) report is necessary, when a SOC 2(SM) report is called for, and when both engagement types may be required.

"Technology-related compliance and operating integrity audits are becoming increasingly important as businesses now routinely adopt cloud-based services," said Jim Reavis, executive director of the CSA. "The Cloud Controls Matrix is designed to be used in conjunction with existing standards, and this is one such example where the combination provides a comprehensive view that should suit most users reporting needs."

"We're delighted that the CSA recognizes our reporting framework as a mechanism to meet this critical reporting challenge, and complement the security principles in its Cloud Controls Matrix," said Susan Coffey, CPA, CGMA, senior vice president for public practice and global alliances at the AICPA.

Reavis continued, "The CSA Security Trust & Assurance Registry (STAR) serves as the standard for demonstrating transparent alignment with CSA security best practices, and this paper is a major step forward in leveraging AICPA's popular reporting framework to consolidate attestation requirements and layer third party trust on top of CSA STAR."

The full position paper can be found at

About the CSA
The Cloud Security Alliance (CSA) is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing. The Cloud Security Alliance is led by a broad coalition of industry practitioners, corporations, associations and other key stakeholders.

Contact Information

  • Media Contact
    Kari Walker
    ZAG Communications for the CSA
    Email Contact