At CSA Congress 2013 this week we are announcing the open review period of the Consensus Assessments Initiative Questionnaire (CAIQ) v.3 and we hope you will take a few moments and provide your input to this very important initiative. Lack of security control transparency is a leading inhibitor to the adoption of cloud services. The Cloud Security Alliance Consensus Assessments Initiative (CAI) was launched to perform research, create tools and create industry partnerships to enable cloud computing assessments.
The CSA is focused on providing industry-accepted ways to document what security controls exist in IaaS, PaaS, and SaaS offerings, providing security control transparency. CAIQ, by design, is integrated with and will support other projects from our research partners. The CAIQ Questionnaire is available in spreadsheet format, and provides a set of questions a cloud consumer and cloud auditor may wish to ask of a cloud provider. It provides a series of “yes or no” control assertion questions which can then be tailored to suit each unique cloud customer’s evidentiary requirements.
This question set is meant to be a companion to the CSA Guidance and the CSA Cloud Controls Matrix (CCM), and these documents should be used together. This question set is a simplified distillation of the issues, best practices and control specifications from our Guidance and Controls Matrix, intended to help organizations build the necessary assessment processes for engaging with cloud providers. The Consensus Assessments Initiative is part of the CSA GRC Stack.
What’s New and Why we Need YOUR Input:
With the CAIQ now in its third version, the Cloud Assessments Initiative Working Group will start the open review period for a set of questions intended to help organizations further build the necessary assessment processes for engaging with cloud providers.
We are in need of input from the cloud community on a number of fronts. First, we would like input on the current CAIQ questions: are these questions still relevant to cloud security, are they written in a way that is easy for all stakeholders to understand, and should they remain important questions to ask during the cloud assessment process?
Second, we would like to have input on what questions should be added to the assessment to help strengthen the process overall for each domain. Finally, as CAIQ is a companion to the recently updated CCM V.3, we are seeking input on what questions should be added to two new control domains, Mobile Security and Interoperability and Portability.
As an aside, the new CAIQ is now color coded to match the CCM V.3 domains for easy review.
ACTION: The open review period ends on January 6, 2013
This is your opportunity to provide feedback and comments on v.3 of the CAIQ. Submitting feedback is easy with our 3-step process. Follow the link below to the CSA Interact peer review site:
Thank you in advance for your time and contribution. We look forward to your input. If you have any questions, you can contact us by emailing [email protected].
Feel free to reference the following CCM documents during your review: