CASA Tiering

Stay organized with collections Save and categorize content based on your preferences.

Overview

CASA assurance tiers are solely focused on the method in which an application is assessed and the assurance that the application is compliant to the standard. The higher the assurance tier, the higher the confidence that the application has implemented the requirements. CASA recognizes 3 tiers as assurance level, and a self assessment tier as described below:

Tier

Name

Description

4

Comprehensive Assessment

This is the highest level of assurance. During this assessment, the authorized lab will perform all functional tests and work with the developer to complete any comprehensive testing not covered in a functional test.

3

Functional Assessment

During this assessment, the authorized lab will perform all functional tests. However, several items may not be validated by the lab, and thus will only be self attested to by the developer. A paper review of the developer submitted material will be performed for non-functional testable items.

2

Verified Self Assessment

This is a light weight assessment in which mostly automated testing will be performed to validate the functional test items. A paper/automated review of the developer submitted material may also be conducted.

1

Self Assessment

The self assessment tier is not an assurance level, because it is not validated. This tier is used to allow the developer to understand their application readiness for CASA assessment

CASA Tiers
Figure 2: CASA Tiers

Tiers Calculation

The framework users (Google..etc) and not the application developer calculate and determine tiers. CASA recommends the following parameters to calculate the application required assurance tier:

  1. The sensitivity of the data the application is accessing. Each data type might be given a risk weight to affect the tier calculation.

  2. The amount of users per type of data accessed.

  3. The company risk tolerance level.

  4. External and internal risk indicators.

Revalidation Requirements

All applications must be revalidated every year. However, once an application has been assessed against a tier, the following two years an annual assessment at the current tier or one level down may be performed to maintain the original assessment level. See the chart below for examples


Year 1

Year 2

Year 3

Year 4

Example 1

Comprehensive 

Functional 

Functional 

Comprehensive 

Example 2

Functional 

Verified Self  

Verified Self  

Functional 

Example 4

Verified Self  

Verified Self  

Verified Self  

Verified Self 

Example 5

Self

Self

Self

Self

To determine CASA assessment validity we followed the process outlined below to align with recognized industry standards and frameworks

CASA Tiers Reason
Figure 3: CASA Recertification