Improving Security While Enabling Market Access With a CCF

Author: James Huang, CISA, ISA, PCIP
Date Published: 19 September 2023

Software-as-a-Service (SaaS) providers continue to face increasing customer demand to attain security compliance certifications that demonstrate commitment to security, privacy, confidentiality and more. A major challenge when trying to achieve these certifications is understanding what each framework requires while managing time and cost. Another obstacle faced by multinational organizations specifically is contending with the ever-growing labyrinth of geocompliance certifications. As each country or region introduces its own information security requirements and practices (e.g., the Information Security Registered Assessors Program [IRAP] in Australia, the EU Cloud Code of Conduct [CoC], the BSI Cloud Computing Compliance Controls Catalog [C5] in Germany, the Information System Security Management and Assessment Program [ISMAP] in Japan, Esquema Nacional de Seguridad [ENS] in Spain), there is a growing expectation for enterprises to conform to several information security standards before gaining or continuing to have access to these particular markets. In many cases, these compliance certifications are no longer nice to have, but rather must-haves to do business. Each standard shares commonalities with a system and organization controls (SOC) 2 report and/or the International Organization for Standardization (ISO) standard ISO 27001, but also has its own built-in nativist characteristics that set it apart.

Pursuing every national and international certification individually results in a repetitive cycle of ongoing walkthroughs, interviews, testing and evidence requests (i.e., audits). As teams go through these assessments, a lack of clear responsibility and ownership over certain domains and controls often occurs, resulting in an unnecessary waste of time and effort for engineering resources and eventually leading to compliance fatigue. To resolve this, cloud service providers (CSPs) should consider creating a common cloud controls framework (CCF)—a central information security compliance and certification methodology that can include certifications such as SOC 2, ISO 27001, C5, ENS, ISMAP, IRAP, and more. A common CCF, such as the Cisco Cloud Controls Framework,1 helps engineering teams accelerate most certification efforts to efficiently gain market access while improving their security postures as a whole.


A central CCF can be considered a one-stop shop response to the complex alphabet soup of compliance standards on the market today. Having a central CCF can help various product engineering teams meet their security compliance needs and understand the level of effort required for each compliance certification. When a CSP has many different types of SaaS offerings working in silos and evaluating every security framework at face value, the result is often confusion and burnout among engineering teams. Having a common CCF provides a clear and central framework that teams can consult going forward. Coupled with a clear delineation of control responsibility, this helps engineering teams understand their responsibilities and their roles in compliance and security for each certification. In addition to helping teams decipher various compliance requirements, a CCF can clearly illustrate control overlap between different certifications, which results in less control set redundancy.

A central CCF can also be made agile, with the ability to adhere to and address newer versions of certification requirements as they appear and evolve in the market. This can be done by enabling a CCF to have version histories while capturing all the changes of new and/or existing certifications, resulting in less maintenance from various teams trying to understand the differences of each framework as they go through new releases. Rather, teams can simply reference a CCF to understand all framework changes and adjustments. 

Another beneficial aspect of having a CCF is the standardization of central security tooling. If a CSP can correctly optimize and implement central security tooling across different engineering teams, it can reduce the engineering team’s operational maintenance overhead. For example, instead of each team purchasing or building its own vulnerability assessment tool and running its own vulnerability assessments, why not consolidate all efforts into 1 central tool for all teams to leverage from a central repository? By consolidating and maintaining a central set of security tools, CSPs can simplify and provide swift responses to security incidents, thereby increasing the organization’s compliance and security posture.

Having a cross-compliance controls framework is an important tool for any enterprise to make sense of the geocompliance puzzle. A CCF is not a one-and-done solution, but rather an active, ever-evolving, and adaptive solution to help CSPs attain security certifications. If designed correctly, organizations with a central CCF can streamline market access and improve security.

Endnotes

1 Cisco, Cisco Cloud Controls Framework (CCF) Public Release V2.0, USA, 2022

James Huang is a senior manager on the global cloud compliance team at Cisco. He leads the commercial and federal execution of Cisco’s cloud offering certifications. Huang has experience in privacy, global cloud security, trust and compliance, and risk management for mitigating industry security challenges while enabling market access across various global markets. Prior to his time at Cisco, he was a senior risk consultant with Ernst & Young.