CSA STAR — CLOUD SECURITY ALLIANCE¶
OWNER: julian
UPDATED: 2026-03-24
SCOPE: CSA STAR compliance for GE as a cloud-based software development agency
STANDARD: CSA Security, Trust, Assurance, and Risk (STAR) Program
REFERENCE: Cloud Controls Matrix (CCM) v4.0
WHAT_IS_CSA_STAR¶
CSA STAR is a cloud security assurance programme from the Cloud Security Alliance.
It provides a framework for cloud providers and consumers to assess and demonstrate cloud security posture.
STAR builds on the Cloud Controls Matrix (CCM) — a set of cloud-specific security controls.
WHY_IT_MATTERS_FOR_GE:
- GE delivers cloud-based SaaS to enterprise clients
- Enterprise clients often require CSA STAR as part of vendor assessment
- CSA STAR maps to ISO 27001 and SOC 2 — efficient to pursue alongside existing certifications
- STAR Level 1 (self-assessment) is FREE and provides immediate credibility
STAR_LEVELS¶
LEVEL_1 — SELF-ASSESSMENT¶
WHAT: organization completes the Consensus Assessments Initiative Questionnaire (CAIQ)
COST: free
EFFORT: moderate (completing CAIQ thoroughly)
RESULT: published on CSA STAR Registry (public)
VALUE: demonstrates transparency and willingness to be assessed
VALIDITY: updated annually
GE_TARGET: Level 1 as first step — achievable with existing ISO 27001 controls
LEVEL_2 — THIRD-PARTY_AUDIT¶
WHAT: independent audit against CCM controls
OPTIONS:
- STAR Attestation (based on SOC 2 + CCM) — CPA firm audit
- STAR Certification (based on ISO 27001 + CCM) — certification body audit
COST: audit fees (varies by scope, typically EUR 15K-50K)
RESULT: published on CSA STAR Registry
VALIDITY: 2 years (with annual surveillance for certification)
GE_TARGET: Level 2 Certification alongside ISO 27001 certification — efficient combined audit
LEVEL_3 — CONTINUOUS_MONITORING (CSA STAR Continuous)¶
WHAT: continuous, automated monitoring of cloud security controls
STATUS: programme under development by CSA
RESULT: real-time assurance of security posture
GE_FUTURE: align continuous compliance infrastructure (compliance-automation.md) with STAR Continuous when available
CONSENSUS_ASSESSMENTS_INITIATIVE_QUESTIONNAIRE (CAIQ)¶
WHAT_IS_CAIQ¶
CAIQ is a questionnaire of YES/NO questions (N/A permitted with justification), organized by CCM domain.
Each question maps to a specific CCM control.
The completed CAIQ is published on the CSA STAR Registry.
HOW_TO_COMPLETE¶
FOR_EACH_QUESTION:
1. Determine the answer: YES (implemented), NO (not implemented), or N/A (control does not apply)
2. IF YES: describe how GE implements the control
3. Provide evidence reference where available
4. Note any gaps for remediation
RULE: be HONEST — CAIQ is public, and inaccurate claims damage credibility
RULE: N/A is acceptable with justification (e.g., physical controls for pure cloud provider)
GE_APPROACH: julian completes CAIQ, amber validates accuracy
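The HOW_TO_COMPLETE rules above can be checked mechanically before a CAIQ is submitted to the public registry. The following is an added example (not part of this document and not CSA tooling): a small validator that flags YES answers without an implementation description or evidence reference, N/A answers without justification, NO answers without a recorded gap, and malformed answers. The record layout, the question ids and the sample answers are constructed for illustration.

```python
"""Validate CAIQ answers against the HOW_TO_COMPLETE rules.

Added example, not part of the original document or of CSA tooling.
Record layout, question ids and sample answers are constructed.
"""
from dataclasses import dataclass

VALID_ANSWERS = {"YES", "NO", "N/A"}


@dataclass
class CaiqAnswer:
    question_id: str          # constructed id in CCM style, e.g. "AIS-01.1"
    answer: str               # YES / NO / N/A
    implementation: str = ""  # how the control is implemented (required for YES)
    evidence: str = ""        # evidence reference (required for YES: public claim)
    justification: str = ""   # why the control does not apply (required for N/A)
    gap: str = ""             # remediation note (required for NO)


def validate_answer(a: CaiqAnswer) -> list[str]:
    """Return findings for one answer; an empty list means publish-ready."""
    findings: list[str] = []
    ans = a.answer.strip().upper()
    if ans not in VALID_ANSWERS:
        return [f"{a.question_id}: answer must be one of {sorted(VALID_ANSWERS)}, got {a.answer!r}"]
    if ans == "YES":
        if not a.implementation.strip():
            findings.append(f"{a.question_id}: YES requires an implementation description")
        if not a.evidence.strip():
            findings.append(f"{a.question_id}: YES requires an evidence reference")
    elif ans == "N/A":
        if not a.justification.strip():
            findings.append(f"{a.question_id}: N/A requires a justification")
    else:  # NO
        if not a.gap.strip():
            findings.append(f"{a.question_id}: NO requires a recorded gap for remediation")
    return findings


def validate_caiq(answers: list[CaiqAnswer]) -> dict[str, list[str]]:
    """Map question id -> findings for every answer that is not publish-ready."""
    report: dict[str, list[str]] = {}
    seen: set[str] = set()
    for a in answers:
        findings = validate_answer(a)
        if a.question_id in seen:
            findings.append(f"{a.question_id}: duplicate answer")
        seen.add(a.question_id)
        if findings:
            report[a.question_id] = findings
    return report


def publish_ready(answers: list[CaiqAnswer]) -> bool:
    """True only when no answer has findings (the bar for a public registry entry)."""
    return not validate_caiq(answers)


# Constructed sample answers covering each rule.
SAMPLE_ANSWERS = [
    CaiqAnswer("AIS-01.1", "YES", "coding standard + semgrep rules", "CODEBASE-STANDARDS.md, semgrep config"),
    CaiqAnswer("AIS-05.1", "YES", "semgrep and trivy run in CI/CD"),            # missing evidence
    CaiqAnswer("DCS-01.1", "N/A"),                                              # missing justification
    CaiqAnswer("DCS-02.1", "N/A", justification="physical controls are the datacenter provider's responsibility"),
    CaiqAnswer("IAM-07.1", "NO", gap="quarterly access review not yet scheduled"),
    CaiqAnswer("SEF-03.1", "Maybe"),                                            # invalid answer value
]

if __name__ == "__main__":
    for qid, findings in validate_caiq(SAMPLE_ANSWERS).items():
        for f in findings:
            print(f)
    print("publish-ready:", publish_ready(SAMPLE_ANSWERS))
```

Running the validator before submission keeps the RULE about honesty enforceable: a YES that cannot point at evidence is exactly the kind of claim that damages credibility once the CAIQ is public.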
CLOUD_CONTROLS_MATRIX_V4 — RELEVANT_DOMAINS¶
CCM v4 has 17 domains and 197 controls. Below are the domains most relevant to GE as a cloud-based software agency.
AIS — APPLICATION_AND_INTERFACE_SECURITY¶
AIS-01: Application Security
REQUIRES: define and implement application security baseline aligned with industry standards
GE_IMPLEMENTATION: CODEBASE-STANDARDS.md, semgrep rules (OWASP), code review (koen/eric), adversarial testing (ashley)
GE_OWNER: julian (policy), koen/eric (implementation)
EVIDENCE: coding standard, semgrep config, code review records
AIS-02: Application Security Metrics
REQUIRES: establish, monitor, and report application security metrics
GE_IMPLEMENTATION: vulnerability counts per severity, mean time to remediate, code review coverage
GE_OWNER: victoria
EVIDENCE: security dashboard, metrics reports
AIS-03: Application Security Verification
REQUIRES: verify security of applications before deployment
GE_IMPLEMENTATION: anti-LLM pipeline — ashley (adversarial) + marije/judith (testing) + jasper (reconciliation)
GE_OWNER: ashley, marije
EVIDENCE: pre-deployment security test results
AIS-04: Secure Application Design and Development
REQUIRES: security requirements defined and integrated into SDLC
GE_IMPLEMENTATION: anna (Formal Specification) includes security requirements, antje (TDD) writes security tests
GE_OWNER: anna, antje
EVIDENCE: specifications with security requirements, security test suites
AIS-05: Automated Application Security Testing
REQUIRES: automate application security testing in CI/CD
GE_IMPLEMENTATION: semgrep in pipeline, trivy dependency scanning, automated test suites
GE_OWNER: alex/tjitte (CI/CD integration)
EVIDENCE: CI/CD pipeline configuration, automated scan results
AIS-06: Automated Secure Application Deployment
REQUIRES: automate secure deployment processes
GE_IMPLEMENTATION: CI/CD pipeline, container image building, k8s deployment, rollback capability
GE_OWNER: leon (Deployment Coordinator), alex/tjitte
EVIDENCE: deployment pipeline configuration, deployment logs
AIS-07: Application Vulnerability Remediation
REQUIRES: define and implement vulnerability remediation process
GE_IMPLEMENTATION: patch SLAs (critical=24h, high=72h, medium=2w, low=next release), vulnerability tracking
GE_OWNER: victoria
EVIDENCE: vulnerability remediation records with SLA compliance
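The AIS-07 evidence line asks for remediation records with SLA compliance, which means the SLA windows have to be turned into deadlines and compared against remediation dates. The following added example (not part of this document or of GE's tooling) does that for the four SLA tiers stated above. The "low = next release" tier has no fixed interval, so it is handled as a date supplied per release; the vulnerability records, the current time and the release date are constructed.

```python
"""Compute AIS-07 remediation deadlines and SLA compliance.

Added example, not part of the original document. The SLA tiers come
from the AIS-07 line above; vulnerability records, the reference time
and the planned release date are constructed.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional

# critical=24h, high=72h, medium=2w, low=next release (no fixed interval)
SLA: dict[str, Optional[timedelta]] = {
    "critical": timedelta(hours=24),
    "high": timedelta(hours=72),
    "medium": timedelta(weeks=2),
    "low": None,
}


def deadline(severity: str, discovered: datetime, next_release: Optional[datetime] = None) -> datetime:
    """Return the remediation deadline for one finding.

    Low-severity findings are due at the next planned release; without a
    release date there is no deadline to enforce, so that is an error.
    """
    sev = severity.lower()
    if sev not in SLA:
        raise ValueError(f"unknown severity {severity!r}")
    window = SLA[sev]
    if window is None:
        if next_release is None:
            raise ValueError("low severity requires a planned release date")
        return next_release
    return discovered + window


def sla_state(vuln: dict, now: datetime, next_release: Optional[datetime] = None) -> str:
    """met / breached for closed findings, open / overdue for unresolved ones."""
    due = deadline(vuln["severity"], vuln["discovered"], next_release)
    fixed = vuln.get("remediated")
    if fixed is not None:
        return "met" if fixed <= due else "breached"
    return "open" if now <= due else "overdue"


def sla_report(vulns: list[dict], now: datetime, next_release: Optional[datetime] = None) -> dict[str, str]:
    """Map vulnerability id -> SLA state; this is the evidence record AIS-07 asks for."""
    return {v["id"]: sla_state(v, now, next_release) for v in vulns}


def sla_compliance_rate(vulns: list[dict], now: datetime, next_release: Optional[datetime] = None) -> Optional[float]:
    """Fraction of closed findings remediated within SLA (None if nothing is closed yet)."""
    closed = [sla_state(v, now, next_release) for v in vulns if v.get("remediated") is not None]
    if not closed:
        return None
    return closed.count("met") / len(closed)


def _utc(*args: int) -> datetime:
    return datetime(*args, tzinfo=timezone.utc)


# Constructed reference time and planned release date.
NOW = _utc(2026, 3, 24, 12)
NEXT_RELEASE = _utc(2026, 4, 7)

# Constructed vulnerability records (ids are placeholders, not real findings).
SAMPLE_VULNS = [
    {"id": "V-1", "severity": "critical", "discovered": _utc(2026, 3, 23, 10), "remediated": _utc(2026, 3, 24, 8)},
    {"id": "V-2", "severity": "high", "discovered": _utc(2026, 3, 20, 9)},                 # 72h passed, unresolved
    {"id": "V-3", "severity": "medium", "discovered": _utc(2026, 3, 15)},                  # still inside 2 weeks
    {"id": "V-4", "severity": "low", "discovered": _utc(2026, 3, 1)},                      # due at next release
    {"id": "V-5", "severity": "critical", "discovered": _utc(2026, 3, 20), "remediated": _utc(2026, 3, 22)},
]

if __name__ == "__main__":
    for vid, state in sla_report(SAMPLE_VULNS, NOW, NEXT_RELEASE).items():
        print(vid, state)
    print("SLA compliance rate (closed findings):", sla_compliance_rate(SAMPLE_VULNS, NOW, NEXT_RELEASE))
```

The compliance rate deliberately counts only closed findings, so an open-but-overdue item shows up in the per-finding report rather than being hidden in the rate; both views belong in the remediation evidence.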
DSP — DATA_SECURITY_AND_PRIVACY¶
DSP-01: Security and Privacy Policy and Procedures
REQUIRES: establish data security and privacy policies
GE_IMPLEMENTATION: information security policy, privacy policy, constitution.md, GDPR framework
GE_OWNER: julian
EVIDENCE: policy documents, review records
DSP-02: Secure Disposal
REQUIRES: secure disposal of data and assets
GE_IMPLEMENTATION: retention policies, automated deletion, secure wipe procedures
GE_OWNER: boris (DBA), otto (Backup)
EVIDENCE: deletion logs, disposal records
DSP-03: Data Inventory
REQUIRES: create and maintain inventory of data with classification
GE_IMPLEMENTATION: data classification scheme (PUBLIC/INTERNAL/CONFIDENTIAL/RESTRICTED), asset inventory
GE_OWNER: julian
EVIDENCE: data inventory with classification labels
DSP-04: Data Classification
REQUIRES: classify data according to organizational requirements
GE_IMPLEMENTATION: four-tier classification scheme
GE_OWNER: julian
EVIDENCE: classification policy, applied labels
DSP-05: Data Flow Documentation
REQUIRES: document data flows including cross-border
GE_IMPLEMENTATION: data flow diagrams per client project, ROPA (Art. 30 GDPR)
GE_OWNER: julian, anna
EVIDENCE: data flow diagrams, ROPA
DSP-06: Data Ownership and Stewardship
REQUIRES: assign data ownership and stewardship
GE_IMPLEMENTATION: data owners per dataset, AGENT-REGISTRY.json role assignments
GE_OWNER: julian
EVIDENCE: data ownership register
DSP-07: Data Protection by Design and Default
REQUIRES: implement data protection by design and default
GE_IMPLEMENTATION: GDPR Art. 25 framework, privacy by design checklist in delivery pipeline
GE_OWNER: julian, anna
EVIDENCE: privacy by design implementation records
SEE_ALSO: gdpr-implementation.md PRIVACY_BY_DESIGN section
DSP-08: Personal Data Protection
REQUIRES: protect personal data with appropriate measures
GE_IMPLEMENTATION: encryption, pseudonymization, access controls, audit logging
GE_OWNER: boris, piotr
EVIDENCE: encryption configuration, access controls, audit logs
SEE_ALSO: gdpr-technical-measures.md
DSP-09: Sensitive Data Protection
REQUIRES: additional protection for sensitive data categories
GE_IMPLEMENTATION: enhanced encryption, restricted access, DPIA for special categories
GE_OWNER: julian, boris
EVIDENCE: sensitive data handling procedures, DPIA records
DSP-10: Data Location
REQUIRES: document and control data storage locations
GE_IMPLEMENTATION: all GE data in Netherlands (Hetzner), EU-only policy
GE_OWNER: arjan, julian
EVIDENCE: infrastructure documentation, data location register
DSP-11 to DSP-17: Data Retention, Transfer, Privacy Notice, Consent, etc.
GE_IMPLEMENTATION: covered by GDPR compliance framework
SEE_ALSO: gdpr-implementation.md, gdpr-technical-measures.md
IAM — IDENTITY_AND_ACCESS_MANAGEMENT¶
IAM-01: Identity and Access Management Policy
REQUIRES: establish IAM policy and procedures
GE_IMPLEMENTATION: access control policy, RBAC framework, Vault policies
GE_OWNER: julian (policy), piotr (implementation)
EVIDENCE: IAM policy, RBAC configuration
IAM-02: Strong Password Policy
REQUIRES: implement strong authentication
GE_IMPLEMENTATION: WebAuthn (passwordless) for admin-ui, API tokens for agents, no password-based authentication
GE_OWNER: piotr, hugo
EVIDENCE: authentication configuration, WebAuthn setup
IAM-03: Identity Inventory
REQUIRES: maintain inventory of all identities
GE_IMPLEMENTATION: AGENT-REGISTRY.json (agent identities), k8s ServiceAccounts, human identity register
GE_OWNER: hugo (Identity Guardian)
EVIDENCE: identity inventory with lifecycle status
IAM-04: Segregation of Duties
REQUIRES: implement segregation of duties
GE_IMPLEMENTATION: anti-LLM pipeline separation, swimlanes, DAG enforcement
GE_OWNER: julian
EVIDENCE: pipeline configuration, DAG definitions
IAM-05: Least Privilege
REQUIRES: restrict access to minimum necessary
GE_IMPLEMENTATION: k8s RBAC with namespace isolation, Vault path-based access, agent capability restrictions
GE_OWNER: piotr
EVIDENCE: RBAC configuration, Vault policies, capability configs
IAM-06: User Access Provisioning
REQUIRES: formal provisioning and deprovisioning process
GE_IMPLEMENTATION: AGENT-REGISTRY.json for agents, managed provisioning for humans
GE_OWNER: hugo, piotr
EVIDENCE: provisioning records, registry change history
IAM-07: User Access Review
REQUIRES: periodic review of access rights
GE_IMPLEMENTATION: quarterly access reviews (amber + piotr)
GE_OWNER: amber, piotr
EVIDENCE: quarterly access review reports
IAM-08: User Access Revocation
REQUIRES: timely revocation when no longer needed
GE_IMPLEMENTATION: agent decommissioning procedure, immediate revocation on departure
GE_OWNER: hugo, piotr
EVIDENCE: revocation records, decommissioning logs
IAM-09 to IAM-16: MFA, Privileged Access, Service Accounts, etc.
GE_IMPLEMENTATION: WebAuthn (MFA equivalent), privileged access management via Vault, service account management via k8s
EVIDENCE: respective configurations and review records
SEF — SECURITY_INCIDENT_MANAGEMENT¶
SEF-01: Security Incident Management Policy
REQUIRES: establish incident management policy and procedures
GE_IMPLEMENTATION: incident response plan, playbooks, escalation matrix
GE_OWNER: mira (Incident Commander)
EVIDENCE: incident response plan, playbooks
SEE_ALSO: domains/incident-response/index.md
SEF-02: Service Management Policy
REQUIRES: establish service management procedures
GE_IMPLEMENTATION: monitoring, alerting, response procedures
GE_OWNER: mira, victoria
EVIDENCE: service management documentation
SEF-03: Incident Response Plans
REQUIRES: documented, tested incident response plans
GE_IMPLEMENTATION: playbooks per incident type, semi-annual tabletop exercises
GE_OWNER: mira
EVIDENCE: playbooks, exercise reports
SEF-04: Incident Response Testing
REQUIRES: regularly test incident response procedures
GE_IMPLEMENTATION: semi-annual tabletop exercises, monthly backup restore tests
GE_OWNER: mira
EVIDENCE: test results, exercise reports
SEF-05: Incident Response Metrics
REQUIRES: define and track incident response metrics
GE_IMPLEMENTATION: mean time to detect (MTTD), mean time to respond (MTTR), incident count by severity
GE_OWNER: mira
EVIDENCE: incident metrics reports
SEF-06: Event Triage Processes
REQUIRES: define event triage and prioritization
GE_IMPLEMENTATION: severity classification (3=warn, 5=escalate, 10=critical), documented triage criteria
GE_OWNER: mira, victoria
EVIDENCE: triage procedure, classification records
SEF-07: Security Breach Notification
REQUIRES: notify stakeholders and authorities of security breaches
GE_IMPLEMENTATION: GDPR breach notification (72h to AP), client notification per DPA
GE_OWNER: julian (notification), mira (detection)
EVIDENCE: breach notification records
SEE_ALSO: gdpr-implementation.md BREACH_NOTIFICATION section
SEF-08: Points of Contact for Applicable Regulation Authorities
REQUIRES: maintain contact points for authorities
GE_IMPLEMENTATION: authority contact register (AP, NCSC-NL, cert body)
GE_OWNER: julian
EVIDENCE: contact register
STA — SUPPLY_CHAIN_MANAGEMENT¶
STA-01: Supply Chain Policy
REQUIRES: establish supply chain security policy
GE_IMPLEMENTATION: supplier security policy, assessment criteria, contractual requirements
GE_OWNER: julian
EVIDENCE: supply chain policy document
STA-02: Supply Chain Risk Management
REQUIRES: assess and manage supply chain risks
GE_IMPLEMENTATION: supplier risk assessment per provider (Anthropic, OpenAI, Google, Hetzner)
GE_OWNER: julian
EVIDENCE: supplier risk assessments
STA-03: Supplier Assessment
REQUIRES: assess supplier security posture
GE_IMPLEMENTATION: annual supplier security review, DPA verification, certification check
GE_OWNER: julian
EVIDENCE: assessment records, DPAs, certification evidence
STA-04: Supply Chain Transparency
REQUIRES: maintain transparency about supply chain
GE_IMPLEMENTATION: sub-processor register (shared with clients per DPA), SBOM for software dependencies
GE_OWNER: julian (sub-processors), alex/tjitte (SBOM)
EVIDENCE: sub-processor register, SBOM reports
STA-05: Supply Chain Agreements
REQUIRES: include security requirements in supplier agreements
GE_IMPLEMENTATION: security clauses in contracts, DPAs, SLAs with security provisions
GE_OWNER: julian
EVIDENCE: signed agreements with security clauses
STA-06: Supply Chain Monitoring
REQUIRES: continuously monitor supply chain security
GE_IMPLEMENTATION: provider status page monitoring, API change monitoring, CVE tracking for dependencies
GE_OWNER: julian (providers), victoria (CVEs)
EVIDENCE: monitoring logs, change impact assessments
STA-07 to STA-09: Component Inventory, Incident Response, Primary Service and Contractual Agreements
GE_IMPLEMENTATION: SBOM, incident notification procedures per supplier, contract register
EVIDENCE: respective records
OTHER_RELEVANT_CCM_DOMAINS¶
BRIEF_COVERAGE¶
A&A — Audit and Assurance:
- Internal audit programme (amber)
- External certification (ISO 27001, SOC 2)
- Continuous monitoring
BCR — Business Continuity Management:
- Business continuity plan (otto)
- Recovery testing
- Resilience architecture
SEE_ALSO: iso27001-annex-a.md A.5.29, A.5.30
CCC — Change Control and Configuration:
- GitOps change management (marta)
- CI/CD pipeline (alex/tjitte)
- Configuration baseline management
SEE_ALSO: iso27001-annex-a.md A.8.9, A.8.32
CEK — Cryptography, Encryption, and Key Management:
- TLS 1.3, AES-256
- Vault key management (piotr)
- Certificate management (jette)
SEE_ALSO: iso27001-annex-a.md A.8.24
DCS — Datacenter Security:
- Hetzner datacenter controls
- Physical security is Hetzner's responsibility under the shared responsibility model
SEE_ALSO: iso27001-annex-a.md A.7 Physical Controls
GRC — Governance, Risk, and Compliance:
- ISMS governance (julian)
- Risk management framework
- Regulatory compliance
SEE_ALSO: iso27001-overview.md
HRS — Human Resources:
- Agent profiling pipeline
- Constitution compliance
- Awareness and training
SEE_ALSO: iso27001-annex-a.md A.6 People Controls
IVS — Infrastructure and Virtualization Security:
- k8s pod security standards
- Network policies
- Container security
SEE_ALSO: domains/infrastructure/index.md
LOG — Logging and Monitoring:
- Centralized logging
- Falco runtime monitoring
- Monitoring agents
SEE_ALSO: iso27001-annex-a.md A.8.15, A.8.16
TVM — Threat and Vulnerability Management:
- Trivy scanning
- Semgrep SAST
- Patch SLAs
SEE_ALSO: iso27001-annex-a.md A.8.7, A.8.8
UEM — Universal Endpoint Management:
- Device management policy
- Remote working controls
SEE_ALSO: iso27001-annex-a.md A.8.1
CCM_TO_ISO27001_MAPPING (key controls)¶
| CCM Domain | ISO 27001 Annex A |
|---|---|
| AIS (Application Security) | A.8.25-A.8.29 |
| DSP (Data Security) | A.5.12-A.5.14, A.5.33-A.5.34, A.8.10-A.8.12 |
| IAM (Identity/Access) | A.5.15-A.5.18, A.8.2-A.8.5 |
| SEF (Incident Management) | A.5.24-A.5.28 |
| STA (Supply Chain) | A.5.19-A.5.22 |
| CCC (Change Control) | A.8.9, A.8.32-A.8.33 |
| CEK (Cryptography) | A.8.24 |
| LOG (Logging) | A.8.15-A.8.16 |
| TVM (Vulnerability) | A.5.7, A.8.7-A.8.8 |
| BCR (Continuity) | A.5.29-A.5.30, A.8.13-A.8.14 |
RULE: one set of controls, multiple framework mappings
GE_APPROACH: implement controls per ISO 27001, map to CCM for STAR, map to TSC for SOC 2
STAR_REGISTRATION_PROCESS¶
LEVEL_1 (SELF-ASSESSMENT)¶
STEPS:
1. Complete CAIQ questionnaire (julian, validated by amber)
2. Create CSA STAR Registry account
3. Submit completed CAIQ
4. CAIQ published on STAR Registry (public)
5. Update annually
TIMELINE: 2-4 weeks for initial completion
COST: free
GE_TARGET: complete CAIQ alongside ISO 27001 preparation
LEVEL_2 (CERTIFICATION)¶
STEPS:
1. Achieve ISO 27001 certification (prerequisite for STAR Certification)
2. Engage certification body with CCM audit capability
3. Combined audit: ISO 27001 + CCM controls
4. Certification issued and published on STAR Registry
5. Surveillance audits annually, recertification every 3 years
TIMELINE: aligned with ISO 27001 certification
COST: incremental cost on top of ISO 27001 audit
GE_TARGET: pursue STAR Level 2 Certification with ISO 27001 certification audit
SEE_ALSO: iso27001-overview.md, iso27001-annex-a.md, soc2-trust-criteria.md, compliance-automation.md