Using The CAIQ-Lite to Assess Third Party Vendors
Blog Article Published: 07/01/2019
By Dave Christiansen, Marketing Director, Whistic
The mere mention of “security questionnaires” can evoke thoughts of hundreds of questions aimed at auditing a vendor’s internal processes in order to mitigate third party risk. That typically means a lengthy process ripe for optimization. We don’t disagree with being thorough when evaluating third party vendors, but to keep up with the speed at which cloud-based businesses move, more lightweight standards can serve as excellent “on-ramps” that expedite the vendor risk assessment process.
As you’ve likely heard by now, Whistic and the Cloud Security Alliance collaborated on the initial release of CAIQ-Lite to encourage the streamlining of vendor security assessments and processes. The value of CAIQ-Lite lies in its structure: it keeps all 16 control domains of the Cloud Controls Matrix 3.0.1 while condensing the question count from 295 to 73. This places additional weight on each question in CAIQ-Lite, since the retained questions were selected for importance and priority over those that were omitted.
As this new standard was released just three months ago, we’ve received a number of questions about what ideal use cases for CAIQ-Lite look like. Below is the list of use cases compiled to date:
- A baseline measurement that can be factored into your risk modeling and reporting.
- The first step in a multi-step process: quickly collect an initial response, then route specific vendors on to a full CAIQ assessment where their responses or risk profile warrant it.
- A quick way to re-audit vendors that have been flagged or whose status is questionable.
- A lighter questionnaire for third parties that require a more frequent risk management cadence.
- Vendors that have only limited access to your company’s data. Because the reduced question set relies on each retained question carrying more weight, vendors with broad access to sensitive data are better served by the full CAIQ.
- A re-engagement tool for vendors whose previous responses were unsatisfactory, or who have been slow to communicate on this front.
- An introductory security questionnaire for vendors whose information security team is newly formed and has little exposure to the lengthier standards.
We continue to compile feedback on this new standard, and encourage CSA members to self-assess against CAIQ-Lite and then reach out with any questions or suggestions to help shape the final version of CAIQ-Lite in early 2020.
The CAIQ-Lite Whitepaper is also available for download here.