Which framework provides a set of controls specifically designed to assess the security of cloud service providers?