Implementing CCM: Human Resources Controls

Published 05/16/2025

The Cloud Controls Matrix (CCM) is a framework of controls that are essential for cloud computing security. It is created and updated by CSA and aligned to CSA best practices.

You can use CCM to systematically assess and guide the security of any cloud implementation. CCM also provides guidance on which actors within the cloud supply chain should implement which security controls. Both cloud service customers (CSCs) and cloud service providers (CSPs) use CCM in many ways.

CSCs use CCM to:

  • Assess the cloud security posture of current or potential cloud vendors. If a cloud vendor isn’t transparent about their security controls, the risk of doing business with them can be quite high.
  • Compare vendors’ level of compliance with relevant standards like ISO 27001.
  • Clarify the security roles and responsibilities between themselves and the CSP.

CSPs use CCM to:

  • Assess, establish, and maintain a robust and internationally accepted cloud security program. CCM helps solidify CSPs' positions as trusted and transparent providers of cloud services.
  • Compare their strengths and weaknesses against those of other organizations.
  • Document controls for multiple standards in one place. CSA has mapped the controls in CCM against several industry-accepted security standards, regulations, and control frameworks.

CCM contains 197 control objectives structured into 17 domains that cover all key aspects of cloud technology.

[Figure: CCM Domains, a list of the 17 CCM domains]

Today we’re looking at implementing the ninth domain of CCM: Human Resources (HRS). The HRS domain consists of 13 control specifications:

  1. Background Screening Policy and Procedures
  2. Acceptable Use of Technology Policy and Procedures
  3. Clean Desk Policy and Procedures
  4. Remote and Home Working Policy and Procedures
  5. Asset Returns
  6. Employment Termination
  7. Employment Agreement Process
  8. Employment Agreement Content
  9. Personnel Roles and Responsibilities
  10. Non-Disclosure Agreements
  11. Security Awareness Training
  12. Personal and Sensitive Data Awareness and Training
  13. Compliance User Responsibility

Up to 74% of all security breaches and information leaks involved a human element last year. The HRS controls help cloud organizations manage the risks associated with that human element, including insider threats. They define policies for training the personnel who handle sensitive data, making sure they maintain the security posture of the organization. The HRS domain addresses the full employee lifecycle, from pre-employment to post-termination.


A Closer Look at Some of the Controls

Security and Privacy Training

The HRS domain includes awareness training controls. Their purpose is to ensure individuals understand the importance of information security in their role. Security awareness training is an ongoing process. Employees need refresher training and recurring awareness initiatives so that protecting data and systems becomes second nature.

Types of training include security awareness, best practices, controls, personal data and sensitive data awareness, compliance, and user responsibility. 


Personnel Conduct Controls

The HRS domain also includes controls about background screening, employee agreement processes and content, and non-disclosure agreements. This includes defining and communicating policies for:

  • The acceptable use of technology
  • Clean desk
  • Remote and home working 


HRS Risks & Controls to Mitigate Them

Insider Risks 

Examples of insider risks include:

  • You employ someone who didn't disclose their criminal history
  • You employ someone who doesn't have the required experience and knowledge to get the job done
  • You employ someone who doesn't meet legal work requirements

To avoid these risks, it's important to look at background screening policies and procedures. Establish and execute a screening process before granting system access to a potential employee. Tailor the verification process to the level of access that the individual needs. Also consider the nature of the data that they'll be working with. 


Inappropriate Use of Technology

Remote employees, for example, might leave sensitive information unattended, which could result in a leak.

To mitigate this risk, you need to define, develop, and communicate an acceptable use policy and an information security policy. These policies provide the general dos and don'ts for protecting information and securing systems.

You also need to ensure secure workplaces. This includes locking away documents, clearing whiteboards, and implementing an automatic screen lock on devices. Make sure to work towards these controls becoming second nature. They must become part of the culture in your organization.

Finally, you must invest in constant awareness training about the risks and best practices for working remotely.


Lack of Control Over Assets 

For personnel termination, you need to make sure that you have non-disclosure and non-compete agreements in place. Remind personnel of these agreements during the exit interview.

Maintain an offboarding checklist to ensure that terminated personnel return any physical assets. The security team should make sure to protect data assets and revoke tokens. Consider implementing the ability to remotely wipe or lock devices.

You also need to communicate the post-employment obligations to individuals. Misunderstandings and legal disputes could surface when you don't have a well-defined and understood employment agreement.
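As an added illustration (not from the CSA post or the CCM itself), the following Python check reconciles an HR roster against issued credentials and equipment to surface two offboarding gaps: assets still open for people whose last day has passed, and assets whose owner is unknown to HR. Users, dates and asset identifiers are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Person:
    user_id: str
    termination_date: Optional[date]   # None while still employed

@dataclass(frozen=True)
class Asset:
    owner: str        # user_id the asset was issued to
    kind: str         # "api_token", "sso_session", "ssh_key", "laptop", ...
    identifier: str
    closed: bool      # True once revoked (logical) or returned (physical)

def terminated_ids(roster, as_of):
    """Users whose last day is on or before as_of; future leavers are not yet terminated."""
    return {p.user_id for p in roster
            if p.termination_date is not None and p.termination_date <= as_of}

def offboarding_gaps(roster, assets, as_of):
    """Map each terminated user to the assets still open under their name."""
    gone = terminated_ids(roster, as_of)
    gaps = {}
    for a in assets:
        if a.owner in gone and not a.closed:
            gaps.setdefault(a.owner, []).append(a)
    return gaps

def orphaned_assets(roster, assets):
    """Open assets whose owner is not on the HR roster at all: nobody is accountable for them."""
    known = {p.user_id for p in roster}
    return [a for a in assets if not a.closed and a.owner not in known]

# Constructed sample data: hypothetical users and asset ids, not from any real system.
REVIEW_DATE = date(2025, 5, 16)
ROSTER = [
    Person("alice", None),
    Person("bob", date(2025, 4, 30)),    # left two weeks before the review date
    Person("carol", date(2025, 6, 30)),  # notice given, still employed on the review date
]
ASSETS = [
    Asset("alice", "api_token", "tok_a1", closed=False),
    Asset("bob", "laptop", "lap_b1", closed=True),        # returned at the exit interview
    Asset("bob", "sso_session", "sess_b1", closed=True),  # revoked by the security team
    Asset("bob", "api_token", "tok_b1", closed=False),    # missed: still valid after departure
    Asset("carol", "ssh_key", "key_c1", closed=False),    # fine: carol is still employed
    Asset("dave", "api_token", "tok_d1", closed=False),   # owner unknown to HR
]

if __name__ == "__main__":
    for user, items in offboarding_gaps(ROSTER, ASSETS, REVIEW_DATE).items():
        print(user, "still holds:", [f"{a.kind}:{a.identifier}" for a in items])
    print("orphaned:", [a.identifier for a in orphaned_assets(ROSTER, ASSETS)])
```

Running the check on each review date, rather than only at the exit interview, catches tokens that were issued after the offboarding checklist was drafted.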


Leakage of Sensitive Information

To prevent the leakage of sensitive information, make sure to disallow employee access to systems and data without having signed agreements in place. Personnel must sign acknowledgement of these policies so you know they have made an effort to understand what is expected from them. Signed acknowledgement of the policies puts you in a good position from the get-go. 

For misconduct handling, you’ll want to define your disciplinary procedures in advance. The first (and most important) step is to revoke access as soon as there's a breach of agreement by an individual.


Applying the Shared Security Responsibility Model

The Shared Security Responsibility Model (SSRM) is a framework that clarifies the division of security responsibilities between CSPs and CSCs. This model is crucial for ensuring that both parties understand their roles for securing the environment. It reduces the risk of security breaches due to miscommunication and misunderstandings. 

Under the SSRM, CSPs and CSCs each implement the HRS controls independently for their own personnel, so both parties need to implement them effectively. Both should conduct background checks, provide continuous security training, and ensure employees are aware of cloud security risks and best practices.


A Final Word

Communicating and creating awareness of best practices is essential. The mishandling of sensitive information can occur because individuals simply didn't know what the best practices are. So you must implement constant training and constant reminders of the best practices.

Along with this, make sure to train new joiners in your organization and to refresh training annually. Base the training on the role the individual will fulfill and the type of information they'll access.

Remember, you can download and review the Cloud Controls Matrix and CCM Implementation Guidelines for free. These resources will be a great help in establishing your HRS policies.

Finally, learn more about implementing other CCM domains by checking out the other blogs in this ongoing series. Be on the lookout for the next installment: Identity and Access Management.
