Overview
CASA assurance tiers are solely focused on the method by which an application is assessed and the assurance that the application is compliant with the standard. The higher the assurance tier, the higher the confidence that the application has implemented the requirements. CASA recognizes 3 tiers, as described below.

| Tier | Name | Description | Required Access | Cost |
|---|---|---|---|---|
| 3 | Lab Tested - Lab Verified | During this assessment, the authorized lab will test and validate all CASA requirements | Access to the application code and deployment infrastructure required by the lab | Contact authorized labs for cost |
| 2 | Developer Tested - Lab Verified | During this assessment the application developer scans their application utilizing CASA recommended scanning tools and provides the scan result to the ADA for validation. The results are validated by an independent lab partner | No access required | No cost |
| 1 | Self Assessment - Not Verified | The self assessment tier is not an assurance level, because it is not validated. This tier is used to allow the developer to understand their application readiness for CASA assessment | No access required | No cost |

Tiers Calculation
The framework users (Google, etc.), not the application developer, calculate and determine tiers. CASA recommends the following parameters to calculate the application's required assurance tier:
- The sensitivity of the data the application is accessing. Each data type might be given a risk weight to affect the tier calculation.
- The number of users per type of data accessed.
- The company risk tolerance level.
- External and internal risk indicators.
Revalidation Requirements
All applications must be revalidated every year. The application tier can increase to a higher tier; however, once an application has been validated at tier 3, it will continue to be validated at the tier 3 level.
