
Role Cards page 1

ROLE: CISO
SALARY: $400k
WORK CAPACITY: 5 hours
ADDITIONAL CONSIDERATIONS: More than ten employees requires a CISO

ROLE: DEPUTY CISO
SALARY: $350k
WORK CAPACITY: 10 hours
ADDITIONAL CONSIDERATIONS: More than five mitigations requires a Deputy CISO

ROLE: PROJECT MGR
SALARY: $100k
WORK CAPACITY: 1 hour + team 50%
ADDITIONAL CONSIDERATIONS:
Remediation work capacity of the rest of the team increases by 50% (1.5x)
There may be only one project manager
Team size must be greater than 8

ROLE: SR ENGINEER
SALARY: $200k
WORK CAPACITY: 7 hours
ADDITIONAL CONSIDERATIONS: Adding additional tiers, such as a Principal or Fellow, should include a similar cost and capacity multiplier with a 10% hourly discount

© Copyright 2023, Cloud Security Alliance. All rights reserved. 1




Role Cards page 2

ROLE: JR ENGINEER
SALARY: $100k
WORK CAPACITY: 3 hours
ADDITIONAL CONSIDERATIONS:
This is the base level of an employee when planning the gaming scenarios
Each headcount should cover roughly one product

ROLE: INTERN
SALARY: $50k
WORK CAPACITY: 1 hour
ADDITIONAL CONSIDERATIONS: More than two interns require at least one managing engineer

ROLE: CONTRACTOR
SALARY: $250k per use
WORK CAPACITY: 8 hours
ADDITIONAL CONSIDERATIONS: Remediation work capacity may be purchased in minimum blocks of 5, 10, or 20-hour increments
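The role cards above carry enough numbers and constraints to check a proposed team before play. The following is an added example, not part of the CSA deck: it encodes each role's salary and remediation hours as printed and turns the "Additional considerations" into checks. The role keys, the `Team` structure and the function names are this example's own. Two readings are assumptions: the project manager counts toward the "greater than 8" team size, and a Senior Engineer is the "managing engineer" an intern-heavy team needs. The contractor's 5/10/20-hour block rule is not modeled; a contractor is treated as one $250k use for 8 hours.

```python
"""Staffing check built from the role cards (added example, not CSA code)."""
from collections import Counter
from dataclasses import dataclass

# Salary (dollars) and remediation capacity (hours) copied from the cards.
ROLES = {
    "CISO":        {"salary": 400_000, "hours": 5},
    "DEPUTY_CISO": {"salary": 350_000, "hours": 10},
    "PROJECT_MGR": {"salary": 100_000, "hours": 1},   # plus 1.5x on the rest
    "SR_ENGINEER": {"salary": 200_000, "hours": 7},
    "JR_ENGINEER": {"salary": 100_000, "hours": 3},
    "INTERN":      {"salary": 50_000,  "hours": 1},
}
CONTRACTOR = {"salary": 250_000, "hours": 8}   # per use; block rule not modeled
PM_MULTIPLIER = 1.5                            # "increases by 50% (1.5x)"


@dataclass
class Team:
    roles: list           # employee role keys, one entry per head
    mitigations: int      # mitigation tool cards the team is playing
    contractors: int = 0  # contractor uses purchased this round


def validate(team):
    """Return the list of role-card rules the team breaks (empty = legal)."""
    counts = Counter(team.roles)
    headcount = len(team.roles)
    problems = [f"unknown role {r}" for r in counts if r not in ROLES]
    if headcount > 10 and counts["CISO"] == 0:
        problems.append("more than ten employees requires a CISO")
    if team.mitigations > 5 and counts["DEPUTY_CISO"] == 0:
        problems.append("more than five mitigations requires a Deputy CISO")
    if counts["PROJECT_MGR"] > 1:
        problems.append("there may be only one project manager")
    if counts["PROJECT_MGR"] == 1 and headcount <= 8:   # assumption: PM counted
        problems.append("a project manager needs a team size greater than 8")
    if counts["INTERN"] > 2 and counts["SR_ENGINEER"] == 0:  # assumption: SR = managing
        problems.append("more than two interns require a managing engineer")
    return problems


def capacity_hours(team):
    """Remediation hours per turn. With a project manager present every other
    employee's hours are scaled by 1.5x; the PM's own hour and contractor
    hours are added unscaled (assumption)."""
    scale = PM_MULTIPLIER if "PROJECT_MGR" in team.roles else 1.0
    hours = 0.0
    for role in team.roles:
        base = ROLES[role]["hours"]
        hours += base if role == "PROJECT_MGR" else base * scale
    return hours + CONTRACTOR["hours"] * team.contractors


def annual_cost(team):
    """Salary budget in dollars, including contractor uses."""
    return (sum(ROLES[r]["salary"] for r in team.roles)
            + CONTRACTOR["salary"] * team.contractors)


def hours_per_100k(team):
    """Capacity bought per $100k, a quick way to compare two line-ups."""
    cost = annual_cost(team)
    return capacity_hours(team) / (cost / 100_000) if cost else 0.0


if __name__ == "__main__":
    # Constructed sample: ten employees, six mitigations, one contractor use.
    team = Team(
        roles=["CISO", "DEPUTY_CISO", "PROJECT_MGR", "SR_ENGINEER",
               "SR_ENGINEER", "JR_ENGINEER", "JR_ENGINEER", "JR_ENGINEER",
               "INTERN", "INTERN"],
        mitigations=6, contractors=1)
    print(validate(team), capacity_hours(team), annual_cost(team))
```

Run `validate` before the capacity and cost functions: a line-up that breaks a card rule is not a legal team, whatever its hours-per-dollar figure says.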





Risk Cards page 1

RISK 1, 12: Insufficient identity, credential, access and key management, privileged accounts
RISK 2: Insecure interfaces and APIs
RISK 3: Misconfiguration and Inadequate Change Control
RISK 4: Lack of cloud security architecture and strategy





Risk Cards page 2

RISK 5: Insecure software development
RISK 6: Unsecure third party resources
RISK 7: System vulnerabilities
RISK 8: Accidental cloud data disclosure





Risk Cards page 3

RISK 9: Misconfiguration and exploitation of serverless and container workloads
RISK 10: Organized crime/hackers/APT
RISK 11: Cloud storage data exfiltration





System Component Cards page 1

SYSTEM COMPONENT: POINT OF SALE
SUB-COMPONENTS: Register, Cash Drawer, Receipt Printer, Payment Encryption Device
SPIH EXTERNAL ACCESS: SaaS Yes, PaaS Probably, IaaS Possibly, Hybrid No
REGULATED/SENSITIVE INFORMATION: PCI, Transaction Information, Revenue/Sales Data, Customer Data, PII
PRODUCT EXAMPLES: Verifone, Toast, Clover
POTENTIAL MITIGATIONS (CCM CONTROLS):

SYSTEM COMPONENT: HUMAN RESOURCES
SUB-COMPONENTS: HR Software, Database, Directory Service
SPIH EXTERNAL ACCESS: SaaS Probably, PaaS Probably, IaaS Possibly, Hybrid Possibly
REGULATED/SENSITIVE INFORMATION: Employee Info, PII, Salary & Bonus info
PRODUCT EXAMPLES: WorkDay, SuccessFactors, Internally Developed
POTENTIAL MITIGATIONS (CCM CONTROLS):





System Component Cards page 2

SYSTEM COMPONENT: WEB SITE
SUB-COMPONENTS: Web Server, Database, Operating System, Certificate Authority
SPIH EXTERNAL ACCESS: SaaS Yes, PaaS Probably, IaaS Possibly, Hybrid Possibly
REGULATED/SENSITIVE INFORMATION: PCI, PII, Transaction Information
PRODUCT EXAMPLES: WordPress, Drupal, Joomla, Magento
POTENTIAL MITIGATIONS (CCM CONTROLS):

SYSTEM COMPONENT: HVAC
SUB-COMPONENTS: HVAC hardware, Communications Platform, Thermostat, Temperature Sensors
SPIH EXTERNAL ACCESS: SaaS Probably, PaaS Possibly, IaaS Possibly, Hybrid No
REGULATED/SENSITIVE INFORMATION: Network Admin info, Cost information
PRODUCT EXAMPLES: Honeywell, Allied, Amana, Bosch, Bryant, Carrier
POTENTIAL MITIGATIONS (CCM CONTROLS):





System Component Cards page 3

SYSTEM COMPONENT: LEARNING MANAGEMENT SYSTEM
SUB-COMPONENTS: LMS Software, Database, Media Source
SPIH EXTERNAL ACCESS: SaaS Yes, PaaS Probably, IaaS Probably, Hybrid Possibly
REGULATED/SENSITIVE INFORMATION: HR Info, Progress, PII, Proprietary Info
PRODUCT EXAMPLES: MindTickle, Noodle, TalentLMS, SAP
POTENTIAL MITIGATIONS (CCM CONTROLS):

SYSTEM COMPONENT: SUPPLY CHAIN
SUB-COMPONENTS: Inventory System, Scanners, Distribution Equipment, Labeling Devices, Industrial Control Systems
SPIH EXTERNAL ACCESS: SaaS Probably, PaaS Probably, IaaS Probably, Hybrid Probably
REGULATED/SENSITIVE INFORMATION: Product Info, Proprietary Data, Contract Info
PRODUCT EXAMPLES: NetSuite, Katana, Soho, Perpetual Inventory System, Periodic Inventory System, Barcode System, RFID System
POTENTIAL MITIGATIONS (CCM CONTROLS):





System Component Cards page 4

SYSTEM COMPONENT: RETIREMENT SYSTEM
SUB-COMPONENTS: Customer Interface, Database, Trading Platform, Financial Transactions Interface
SPIH EXTERNAL ACCESS: SaaS Yes, PaaS Probably, IaaS Probably, Hybrid Probably
REGULATED/SENSITIVE INFORMATION: PII, Earnings Info, HR Info, Trading Info
PRODUCT EXAMPLES: Fidelity, NetBenefits, Merrill Lynch, ADP
POTENTIAL MITIGATIONS (CCM CONTROLS):

SYSTEM COMPONENT: INTERNET OF THINGS (IOT)
SUB-COMPONENTS: IoT Devices, Communications Platform, Storage, Dashboard, Reporting Structure
SPIH EXTERNAL ACCESS: SaaS Probably, PaaS Probably, IaaS Probably, Hybrid Probably
REGULATED/SENSITIVE INFORMATION: Sales Info, Network Information, Telemetry Data, Cost information
PRODUCT EXAMPLES: Microsoft Sphere, Apple, Motorola, Samsung
POTENTIAL MITIGATIONS (CCM CONTROLS):





Mitigation Tool Cards page 1

MITIGATION TOOL: SECURITY & INCIDENT EVENT MONITORING (SIEM)
CCM CONTROL: Audit & Assurance (A&A)

SPIH      SETUP COST   EASE OF USE   EFFECTIVENESS
SaaS      80K          8             8
PaaS      40K          3             3
IaaS      70K          4             8
Private   60K          7             9

Logging within cloud environments varies drastically in ease of use and in the cost of storage. Off-line storage and accessibility limitations define the cloud SIEM space. SaaS solutions are priced in tiers that push subscribers upward, so the difference between tiers is operational expense (OpEx). PaaS solutions boast of covering multi-cloud effectively, but the current reality is the CSP vendor's own offering and features running in competing clouds, with mixed results. IaaS SIEM implementations do not avoid growing storage costs. Private and on-premise costs are lower in the long run, overtaking the scalability and tiered-storage savings of the cloud options in 1.5 to 2 years.

MITIGATION TOOL: STATIC & DYNAMIC APPLICATION SECURITY TESTING (SAST/DAST)
CCM CONTROL: Application & Interface Security (AIS)

SPIH      SETUP COST   EASE OF USE   EFFECTIVENESS
SaaS      20K          7             3
PaaS      20K          5             3
IaaS      30K          8             5
Private   20K          9             5

Application Security Testing includes both static and dynamic forms. Static Application Security Testing (SAST) checks DLLs, code repositories, dependencies and coding practices such as boundary checking or standards verification. Dynamic testing (DAST) validates software during operation, fuzzing the inputs of a running system or checking edge cases. Application security testing delivered from the cloud may make adoption easier, but some SaaS providers require the complete source code or compiled application to be handed to them, and communications between on-premise and cloud applications may themselves open vulnerabilities. The agent some systems require is loaded into the development environment or onto the application servers. Highly regulated sectors or those with significant intellectual property concerns may need to formulate requirements carefully, considering deployment options. SPIH AppSec planning should weigh ease of use and deployment against intellectual property exposure, privacy, sovereignty, speed of testing, and licensing.





Mitigation Tool Cards page 2

MITIGATION TOOL: RESILIENCY PRODUCTS
CCM CONTROL: Business Continuity & Resiliency (BCR)

SPIH      SETUP COST   EASE OF USE   EFFECTIVENESS
SaaS      30K          9             5
PaaS      70K          6             4
IaaS      90K          6             5
Private   70K          8             6

All resiliency products involve trade-offs. Cloud provides near-unlimited scalability and on-demand access. The direct costs of built-in cloud PaaS services, such as image snapshots and database backups, primarily center on storage. The drawbacks principally surround portability/vendor lock-in and cross-region nuances, especially when implementing cryptography (for example, keys scoped to a single region). Well-defined on-premise backup technologies include Storage Area Networks (SANs) and Network Attached Storage (NAS). Teams may face challenges integrating these technologies into a private cloud.

MITIGATION TOOL: CONTINUOUS INTEGRATION/CONTINUOUS DELIVERY (CI/CD)
CCM CONTROL: Change Control (CCC)

SPIH      SETUP COST   EASE OF USE   EFFECTIVENESS
SaaS      10K          9             5
PaaS      5K           5             4
IaaS      40K          6             7
Private   20K          4             7

Implementing a continuous integration/continuous deployment solution is the most complete change control implementation of DevOps. Pipelines are not one-off developers trying a feature tweak or quickly hacking together a fix for an immediate patch release. Changes occur within a repository, potentially with automated quality assurance testing, built-in SAST/DAST, and approval requirements. CI/CD pipelines are a component of immutable software and infrastructure. Private or hybrid CI/CD instantiations keep code repositories under the organization's control. IaaS allows dynamic scaling and at-rest confidentiality, similar to on-premise. PaaS examples, such as Azure DevOps or AWS Production Manager, are found as a component of the large service providers' offerings and are typically incompatible with one another. SaaS protections surround the typical expectations of BYOK, blinding vendor administrators to the subscriber's code.





Mitigation Tool Cards page 3

MITIGATION TOOL: ENCRYPTION PRODUCTS
CCM CONTROL: Cryptography, Encryption and Key Management (CEK)

SPIH      SETUP COST   EASE OF USE   EFFECTIVENESS
SaaS      80K          4             3
PaaS      30K          6             5
IaaS      50K          8             4
Private   40K          9             7

Cryptography encompasses a wide swath of capabilities. The CEK domain contains key management controls, encryption routines, integrity checking, digital signatures, and the overall Public Key Infrastructure (PKI). Synonymous with confidentiality, cryptography scrambles data away from the uninvited or unauthorized: data at rest, data in motion and data in use. Crypto additionally provides integrity protections through hashing and digital signatures. Key management effectiveness trade-offs range from vendor key access during initial setup (IaaS/PaaS cloud HSMs), through bring-your-own-key (BYOK) in virtual HSMs, to placing complete trust in the vendor with fully managed keys.

MITIGATION TOOL: NETWORK DEFENSE
CCM CONTROL: Infrastructure & Virtualization Security (IVS)

SPIH      SETUP COST   EASE OF USE   EFFECTIVENESS
SaaS      80K          4             5
PaaS      70K          6             5
IaaS      80K          8             4
Private   90K          9             7

Network defenses range broadly: WAF protections, NetFlow monitoring, perimeter firewalls, and intrusion detection systems all exist in this space. We generalized all of these types for gamification purposes. The expected scalability of SaaS implementations may surpass the TCP-layer protections of a private instance, but yields fewer application layer protocols analyzed. The network flexibility and control of private and IaaS deployments are traded for network speed and operational consistency in PaaS and SaaS implementations.





Mitigation Tool Cards page 4

MITIGATION TOOL: ACCESS CONTROL
CCM CONTROL: Identity and Access Management (IAM)

SPIH      SETUP COST   EASE OF USE   EFFECTIVENESS
SaaS      20K          8             5
PaaS      40K          9             8
IaaS      30K          7             10
Private   20K          6             8

Authentication improvements impact an organization broadly. Single sign-on (SSO) extends security requirements beyond the enterprise. Without it, local settings for password complexity, reuse, and credential rotation period are set at the individual endpoint or service provider level; if these are not constantly maintained, or service providers adjust their settings, an inconsistent security posture results in exploitable gaps. On-boarding and off-boarding corporate users also leave time gaps in which account privileges for a dismissed employee may not be accounted for and terminated within a reasonable time. SSO centralizes authentication within the company's control, reclaiming trust from third-party providers and ensuring corporate policies and standards are met in the third party's offering. SSO offerings come in multiple deployment models: several well-known SaaS providers, CSP PaaS choices, and build-your-own integrations. Integration effectiveness and scalability typically run inversely proportional to ease of use.

MITIGATION TOOL: MALWARE DEFENSE
CCM CONTROL: Threat and Vulnerability Management (TVM)

SPIH      SETUP COST   EASE OF USE   EFFECTIVENESS
SaaS      50K          8             3
PaaS      75K          6             6
IaaS      60K          4             8
Private   30K          2             10

Operating-system-style endpoint protection (EPP) provides waning defenses as we move up the SPI stack. Licensing costs may become troublesome in auto-scaling IaaS compared to on-premise installations. While well understood on on-premise servers and virtualized systems, legacy corporate EPP is not as effective in PaaS or SaaS: there is no location to operate or install services without going to another PaaS or SaaS offering to watch the watchers. This requires an additional third-party security assessment and integration approach to watch the endpoint services. Expect costs to accelerate when adding multiple clouds or complex custom solutions.





Mitigation Tool Cards page 5

MITIGATION TOOL: SECURITY & AWARENESS TRAINING
CCM CONTROL: Human Resources Security (HRS)

DELIVERY         SETUP COST   EASE OF USE   EFFECTIVENESS
Canned LMS       50K          6             4
Internal LMS     75K          8             6
Build your own   100K         8             10
In-person        125K         10            10

Learning Management Systems provide cleaner and easier consumption of training. In particular, security training provides a force multiplier, extending the impact of security through a champions program. While prepared training delivered remotely may be inexpensive and check the compliance box, studies show customization increases learning effectiveness. Personalization, interactivity, and especially in-person training prove the most effective.





Game Score Cards page 1

CCM MITIGATION MATRIX (each cell: Cost / Ease of Use / Effectiveness)

CCM Controls  Network   SIEM      Anti-Malware/  CI/CD     Encryption  Access     Resiliency  SAST/     Security
              Defense             Endpoint                 Products    Controls   Products    DAST      Training/LMS
SaaS          80K/4/5   80K/8/8   50K/8/3        10K/9/5   80K/4/3     20K/8/5    30K/9/5     20K/7/3   50K/6/4
PaaS          70K/6/5   40K/3/3   75K/6/6        5K/5/4    30K/6/5     40K/9/8    70K/6/4     20K/5/3   75K/8/6
IaaS          60K/8/4   70K/4/8   60K/4/8        40K/5/7   50K/8/4     30K/7/10   90K/6/6     30K/8/5   100K/8/10
Private       90K/9/7   60K/7/9   30K/2/10       20K/4/7   40K/9/7     20K/6/8    70K/8/6     20K/9/5   125K/10/10

PANDEMIC ELEVEN                                      DICE ROLL   IVS   A&A   TVM   CCC   CEK   IAM   BCR   AIS   HRS
Insufficient Identity, Credentials, Access, and Key  1, 12
Insecure Interfaces and APIs                         2
Misconfiguration and Inadequate Change Control       3
Lack of Cloud Security Architecture and Strategy     4
Insecure Software Development                        5
Unsecured Third-Party Resources                      6
System Vulnerabilities                               7
Accidental Cloud Data Disclosure                     8
Misconfig. and Exploit. of Serverless and Container  9
Organized Crime/Hackers/APT                          10
Cloud Storage Data Exfiltration                      11
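The matrix above is the data a player reasons over: every cell is a setup cost, an ease-of-use score and an effectiveness score for one mitigation tool in one deployment model. The following is an added example, not part of the CSA deck. It parses the cells exactly as printed (the Security Training column's SaaS/PaaS/IaaS/Private rows correspond to Canned LMS / Internal LMS / Build your own / In-person on the tool card) and, under this example's own assumption that a player buys at most one deployment model per tool and wants the highest total effectiveness for a fixed setup budget, picks the purchases with a multiple-choice knapsack. The deck's real scoring and dice rules are not on the page and are not modeled; the tool names, `parse_matrix` and `plan` are this example's own.

```python
"""Budget planner over the CCM mitigation matrix (added example, not CSA code)."""

TOOLS = ["Network Defense", "SIEM", "Anti-Malware/Endpoint", "CI/CD",
         "Encryption Products", "Access Controls", "Resiliency Products",
         "SAST/DAST", "Security Training/LMS"]

# One string per SPIH row, copied verbatim from the score card.
MATRIX_TEXT = {
    "SaaS":    "80K/4/5 80K/8/8 50K/8/3 10K/9/5 80K/4/3 20K/8/5 30K/9/5 20K/7/3 50K/6/4",
    "PaaS":    "70K/6/5 40K/3/3 75K/6/6 5K/5/4 30K/6/5 40K/9/8 70K/6/4 20K/5/3 75K/8/6",
    "IaaS":    "60K/8/4 70K/4/8 60K/4/8 40K/5/7 50K/8/4 30K/7/10 90K/6/6 30K/8/5 100K/8/10",
    "Private": "90K/9/7 60K/7/9 30K/2/10 20K/4/7 40K/9/7 20K/6/8 70K/8/6 20K/9/5 125K/10/10",
}
STEP = 5_000  # every printed setup cost is a multiple of 5K


def parse_cell(cell):
    """'80K/4/5' -> (80000, 4, 5): setup cost in dollars, ease of use, effectiveness."""
    cost, ease, eff = cell.split("/")
    if not cost.endswith("K"):
        raise ValueError(f"unexpected cost in cell {cell!r}")
    return int(cost[:-1]) * 1000, int(ease), int(eff)


def parse_matrix(text=MATRIX_TEXT):
    """-> {tool: {model: (cost, ease, effectiveness)}}, checking each row's width."""
    matrix = {tool: {} for tool in TOOLS}
    for model, row in text.items():
        cells = row.split()
        if len(cells) != len(TOOLS):
            raise ValueError(f"{model}: expected {len(TOOLS)} cells, got {len(cells)}")
        for tool, cell in zip(TOOLS, cells):
            matrix[tool][model] = parse_cell(cell)
    return matrix


def plan(budget, matrix=None, min_ease=0):
    """Choose at most one deployment model per tool so that total setup cost
    stays within budget and total effectiveness is maximal; cells whose ease
    of use is below min_ease are excluded (assumed planning rule, not the
    deck's). Returns (effectiveness, cost, {tool: model}); ties go to the
    cheaper plan."""
    matrix = matrix if matrix is not None else parse_matrix()
    slots = budget // STEP
    # best[b] = best (effectiveness, cost, choices) spending at most b*STEP.
    best = [(0, 0, {})] * (slots + 1)
    for tool in TOOLS:
        nxt = list(best)  # "buy nothing for this tool" carries over
        for model, (cost, ease, eff) in matrix[tool].items():
            if cost % STEP:
                raise ValueError(f"{tool}/{model}: cost {cost} is not a {STEP} multiple")
            if ease < min_ease:
                continue
            c = cost // STEP
            for b in range(c, slots + 1):
                p_eff, p_cost, p_choice = best[b - c]  # previous tools only
                cand_eff, cand_cost = p_eff + eff, p_cost + cost
                if (cand_eff, -cand_cost) > (nxt[b][0], -nxt[b][1]):
                    nxt[b] = (cand_eff, cand_cost, {**p_choice, tool: model})
        best = nxt
    return max(best, key=lambda t: (t[0], -t[1]))


if __name__ == "__main__":
    eff, cost, choice = plan(100_000)
    print(f"effectiveness {eff} for ${cost:,}:")
    for tool, model in choice.items():
        print(f"  {tool}: {model}")
```

With a $100k setup budget the planner spends it all on four tools (Anti-Malware/Endpoint Private, Access Controls IaaS, CI/CD Private, SAST/DAST Private) for a total effectiveness of 32; raising `min_ease` to 7 drops the Private anti-malware and CI/CD cells and the best reachable total falls to 27. That gap between the two answers is the trade-off the cards are built to surface: the cheapest, most effective options are often the hardest to operate.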




