CAIQ V3 Updates

Cloud Security Alliance (CSA) would like to present the next version of the Consensus Assessments Initiative Questionnaire (CAIQ) v3.1.

The CAIQ offers an industry-accepted way to document what security controls exist in IaaS, PaaS, and SaaS services, providing security control transparency. It provides a set of Yes/No questions a cloud consumer and cloud auditor may wish to ask of a cloud provider to ascertain their compliance to the Cloud Controls Matrix (CCM). Therefore, it helps cloud customers to gauge the security posture of prospective cloud service providers and determine if their cloud services are suitably secure.

CAIQ v3.1 represents a minor update to the previous CAIQ v3.0.1. In addition to improving the clarity and accuracy, it also supports better auditability of the CCM controls. The new updated version aims to not only correct errors but also appropriately align and improve the semantics of unclear questions for corresponding CCM v3.0.1 controls. In total, 49 new questions were added, and 25 existing ones were revised.

For this new CAIQ version, CSA took into account the combined comprehensive feedback that was collected over the years from its partners, the industry and the CCM working group.

Using The CAIQ-Lite to Assess Third Party Vendors

By Dave Christiansen, Marketing Director, Whistic

The mere mention of “security questionnaires” can evoke thoughts of hundreds of questions aimed at auditing internal processes in order to mitigate third party risk. This typically means a lengthy process prime to be optimized. While we don’t disagree with being thorough when evaluating third party vendors, in order to keep up with the speed cloud-based businesses are moving at, more light-weight standards can serve as excellent “on-ramps” to expedite the vendor risk assessment process.

As you’ve likely heard by now, Whistic and The Cloud Security Alliance collaborated to create the initial release of The CAIQ-Lite in order to encourage the streamlining of vendor security assessment and processes. The inherent beauty of the CAIQ-Lite lies within its general construct, maintaining the 16 control domains contained within Cloud Controls Matrix 3.0.1 while condensing the total question count from 295 questions down to 73 questions. This does place additional weight on each question within CAIQ-Lite as they were selected based on importance/priority over those that were omitted.

As this new standard was released just three months ago, we’ve received a number of questions pertaining to what ideal use cases look like for CAIQ-Lite. Below is an initial resource list compiled to date:

  • An excellent baseline measurement that can be factored into your risk modeling and reporting.
  • The initial step in a potential multi-step process, aimed at nimbly receiving an initial response & channelling specific vendors on to a full CAIQ assessment, etc.
  • A good way to quickly audit any “flagged” or questionable status vendors.
  • For any third-parties that may require an increased risk management cadence.
  • Conditions where third-party vendors only have limited-level access to your company’s data.
  • A re-engagement tool for any vendors that haven’t complied in a satisfactory manner previously, or perhaps have been suboptimal when it comes to communicating on this front.
  • An ideal introductory security questionnaire for use by vendors with a newly burgeoning information security team, perhaps lacking robust exposure to lengthier standards.

We continue to compile feedback for this new standard, and encourage CSA members to self-assess against CAIQ-Lite then reach out with any questions and/or suggestions in order to shape the final version of CAIQ-Lite in early 2020.

You may access the CAIQ-Lite Questionnaire online within the Whistic Platform or The CAIQ-Lite Spreadsheet here.

The CAIQ-Lite Whitepaper is also available for download here.

CSA STAR – The Answer to Less Complexity, Higher Level of Compliance, Data Governance, Reduced Risk and More Cost-Effective Management of Your Security and Privacy System

By John DiMaria, Assurance Investigatory Fellow, Cloud Security Alliance

STAR Registry: Security on the Cloud Verified

We just launched a major refresh of the CSA STAR (Security, Trust and Assurance Risk) program, and if you were at the CSA Summit at RSA, you got a preview of what’s in store. So let me put things in a bit more context regarding the evolution of STAR.

The more complex systems become, the less secure they become, even though security technologies improve. There are many reasons for this, but it can all be traced back to the problem of complexity. Why? Because we give a lot of attention to technology, and we have increased silos of a plethora of regulations and standards. Therefore, we become fragmented and too complex.

The adversary works in the world of the stack, and that complexity is where they thrive.

Ron Ross, Senior Scientist and Fellow at NIST

Complex systems:

  • have more independent processes, and that creates more security risks.
  • have more interfaces and interactions and create more security risks.
  • are harder to monitor and therefore, are more likely to have untested, unaudited portions.
  • are harder to develop and implement securely.
  • are harder for employees and stakeholders to understand and be trained on.

By using a single system for the ongoing management of compliance, regulatory, legal, and information security obligations, overlapping requirements can be identified, efficiencies leveraged, and greater visibility and assurance provided to the organization.

CSA STAR: Built to Support

To respond to these growing business concerns, the Cloud Security Alliance (CSA) created the Cloud Control Matrix (CCM). Developed in conjunction with an international industry working group, it specifies common controls which are relevant for cloud security and is the foundation on which the three pillars of CSA STAR are built.

In the same approach, we recently released the GDPR Code of Conduct (CoC). The GDPR CoC shows adherence to GDPR privacy requirements, streamlines contracting, accelerates sales cycles and provides assurance to the cloud customer of data privacy in conjunction with CSA STAR.

CSA STAR is being recognized as the international harmonized solution, leading the way of trust for cloud providers, users, and their stakeholders, by providing an integrated cost-effective solution that decreases complexity and increases trust and transparency while enabling organizations to secure their information, protect against cyber-threats, reduce risk, and strengthen their information governance. It creates trust and accountability in the cloud market with increasing levels of transparency and assurance. What’s more, it provides the solution to an increasingly complex and resource-demanding compliance landscape by providing technical standards, an integrated certification and attestation framework, and public registry of trusted data.

The STAR Registry documents the security and privacy controls provided by popular cloud computing offerings. This publicly accessible registry allows cloud customers to assess their security providers in order to make the best procurement decisions and also to manage their supply-chain. Additionally, it allows cloud service providers (CSPs) to benchmark themselves against like CSPs in their industry.

STARWatch can then be used for benchmarking and/or third-party risk management. STARWatch is a SaaS application to help organizations manage compliance with CSA STAR Registry requirements. STARWatch delivers the content of the CCM and Consensus Assessments Initiative Questionnaire (CAIQ) in a database format, enabling users to manage compliance of cloud services with CSA best practices.

While it is understood that ISO/IEC 27001, the international management systems standard for information security, and SOC 2 are both widely recognized and respected, their requirements are more generic. As such, there can be a perception that they do not focus on certain areas of security that are critical for particular sectors, such as cloud security, in enough detail.

By adopting STAR as an extension of your ISO/IEC 27001 or SOC 2 System, you’ll be sending a clear message to existing and potential customers that your security systems are robust and have addressed the specific issues critical to cloud security.

STAR Certification can boost customer and stakeholder confidence, enhance your corporate reputation, and give your business a competitive advantage.

Take the STAR Challenge

Take the first step in evaluating how your organization stacks up against the CCM. Fill out the self-assessment using the CAIQ and the CCM. You can then upload your information into the STAR Registry, taking credit for your compliance efforts.

Additionally, you can evaluate yourself against the GDPR Code of Conduct. Just fill out the self-assessment, which can then be uploaded to the STAR Registry, along with your Statement of Adherence. Our team of experts will evaluate your submission and either respond with questions or approve your submission for posting. Again, you’ll be making a major statement about your compliance posture.

Once you have completed this step (or along the way) you can make decisions on whether there is a business case to move into Level 2 (certification and/or attestation).

Contact us to find out more about CSA STAR and the opportunities available for you to contribute and have a voice in this growing area of increasing trust and transparency in the cloud.

Introducing CAIQ-Lite

By Dave Christiansen, Marketing Director, Whistic

[Image: CAIQ-Lite: A New Framework for Cloud Vendor Assessment report cover]

The Cloud Security Alliance and Whistic are pleased to release CAIQ-Lite beta, a new framework for cloud vendor assessment.

CSA and Whistic identified the need for a lighter-weight assessment questionnaire in order to accommodate the shift to cloud procurement models, and to enable cybersecurity professionals to more easily engage with cloud vendors. CAIQ-Lite was developed to meet the demands of an increasingly fast-paced cybersecurity environment, where adoption is becoming paramount when selecting a vendor security questionnaire.

With the initial objective of developing an effective questionnaire containing 100 or fewer questions, CAIQ-Lite contains 73 questions compared to the 295 found in the CAIQ, while maintaining representation of 100 percent of the original 16 control domains present in the Cloud Controls Matrix (CCM) 3.0.1. Contributing research leveraged multiple sources of CSA member and Whistic customer feedback, as well as a panel of hundreds of IT security professionals. Research behind Whistic’s proprietary scoring algorithm was utilized as a part of the final CAIQ-Lite question selection process.

We look forward to community feedback on CAIQ-Lite, which can be accessed by CSA members for free at Whistic, as well as from CSA. The current version will be improved over the next 12 months, based on additional community input. Also, any members that already have a CAIQ on the CSA STAR Program will automatically have a CAIQ-Lite generated for them on the Whistic Platform.

Click to access the full whitepaper, containing further details regarding the creation and deployment of this new cloud service questionnaire.