Why use the CAIQ for vendor analysis vs. other questionnaires?
By John DiMaria, Assurance Investigatory Fellow, Cloud Security Alliance
Well, here is some information only old fixtures like me know from doing this for 30 years:
The challenge with most security questionnaires
A questionnaire addresses only the “perception” of risk held by your customers; it does not address your “actual” risks. Customer security teams usually build these questionnaires around their own risks, using a list of specific controls drawn from their internal experience or from whatever framework they happen to use. They then apply the same prescription to every vendor they work with, regardless of whether it is reasonable or even applicable.
In many cases, the purpose is to check a box or to cover a legal due-diligence requirement recommended by the General Counsel. This means that you can (technically) complete such a questionnaire without having any tangible evidence of security at all. And here is the kicker: they may not even look at your answers, and many times they don’t. Face it: if you are the person tasked with administering security questionnaires and you have, for example, 1,000 vendors, and you send each of them a questionnaire covering 114-plus controls (similar to ISO/IEC 27001) plus perhaps a few of your own, and they all come back, are you going to read every line, vet each answer to make sure it is complete enough, and, for the ones that are not, audit the vendor or even call to discuss it? Chances are the answer is no, or at best you address the “showstoppers.” Even if you wanted to address every single one 100%, it would take a huge investment. So the questionnaire is only a tad better than blind trust.
Now, obviously, none of what I just described is advisable, but it does happen to some extent. So how do you make the best use of your time, help your customers satisfy their requirements, provide an actual account of the applicable controls you have in place, AND ensure that account is updated and maintained for them?
One questionnaire that aligns with over 40 leading standards and regulations
CSA, drawing on years of research, has combined the feedback collected over the years from its partners, working groups and the industry to produce the Cloud Controls Matrix (CCM). The CCM is a set of cloud-specific security controls for cloud service providers. Alongside it is the Consensus Assessment Initiative Questionnaire (CAIQ): a set of questions a cloud consumer or auditor may wish to ask a cloud provider to ascertain its compliance with the CCM.
The CAIQ offers an industry-accepted way to document which security controls exist in a cloud service, providing security control transparency and, to some extent, assurance. It therefore helps cloud customers gauge the security posture of prospective cloud service providers and determine whether their services are suitably secure. It allows the cloud user to review the security practices of providers, accelerating due diligence and leading to a higher-quality procurement experience. And because the completed CAIQ is posted on the public STAR registry and updated on a regular basis, the customer can easily monitor the provider’s ongoing compliance posture, which gives the user a higher level of peace of mind.
Eliminates the need for multiple questionnaires
Because the CCM is mapped to over 40 of the leading standards and regulations, it largely eliminates the need for any other questionnaire. It lets a cloud service provider (CSP) reconcile the way it expresses risk to a customer with its actual risk. And because the detailed mappings are included in the main CCM document, customers can see the connection to the many other standards and regulations they may have questions about.
For cloud customers:
It is prudent to require that your cloud providers submit a CAIQ self-assessment to the CSA STAR registry. This means the provider will have completed the first of the three levels of transparency and assurance provided by the CSA STAR Program. Keep in mind that a Level 1 self-assessment is self-attested; if you need independent verification, the second level adds a third-party audit (STAR Certification or STAR Attestation).
The CSA STAR compliance program lets you select the level of transparency and assurance you may want to require from CSPs as part of your procurement process and ongoing monitoring.
The STAR registry is a trusted source of information on the security and privacy posture of CSPs. It enforces accountability and lets you build a coherent governance, risk and compliance (GRC) program.
If your provider is not listed on the STAR registry, you can request that they submit an entry using our ready-made editable template, which you can revise and e-mail directly to your provider(s).
After you have selected the appropriate level for your organization, you can check each provider’s status in the STAR registry.
For cloud service providers:
The Security, Trust, Assurance, and Risk (STAR) registry is a cost-effective solution that decreases complexity while increasing trust and transparency. Demonstrate your adherence to security and privacy best practices to current and future customers by submitting to the registry.
- Accelerate your sales cycle
- Solidify your position as a trusted provider of cloud services
- Better build, establish and maintain a robust security program that is internationally accepted
- Expand your business by helping customers navigate secure cloud adoption
- Be part of a global database that is becoming the marketplace cloud users turn to when choosing providers
- Update your entry annually; CSA maintains the registry, so you only need to provide a link to your customers
- CSA experts will help you with the initial business communication needed to eliminate or reduce those multiple questionnaires
If you would like to discuss this subject in more detail with one of our experts or find out more about the STAR Program, contact us at [email protected] and visit the dedicated website at https://cloudsecurityalliance.org/star/