Risk assessments, security questionnaires, vendor due diligence, and RFPs are strategic initiatives for organizations managing risk across growing and interconnected supply chains. How is one questionnaire different from another, and how do you decide which ones to use? Today we compare CAIQ vs SIG, or SIG vs CAIQ if you like.
What is CAIQ?
CAIQ (Consensus Assessments Initiative Questionnaire – by CSA) is a questionnaire that provides a set of Yes/No questions for cloud service providers, such as Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS) offerings, to determine if their cloud practices are reliably secure.
The CAIQ contains just under 300 questions. It was developed by the Cloud Security Alliance (CSA), a not-for-profit organization that promotes the use of best practices for providing security assurance within cloud computing.
CAIQ provides an industry-accepted way to document what security controls exist in cloud services, increasing security control transparency and assurance. It helps cloud customers to gauge the security posture of prospective cloud service vendors, as well as easily monitor their ongoing compliance with security standards.
Its latest version has been recently combined with the Cloud Controls Matrix (CCM), comprising a cybersecurity control framework for cloud computing. The Matrix is composed of 197 control objectives that are structured in 17 domains covering all key aspects of cloud technology. This makes it a de-facto standard for cloud security assurance and compliance.
What is SIG?
In thinking about SIG vs CAIQ, SIG (Standardized Information Gathering) is a questionnaire that gathers information from a third party vendor to determine how security risks are managed across 18 different risk domains. The questions are based on industry regulations guidelines and standards, including NIST, FFIEC, ISO, HIPAA, and PCI.
It was developed by Shared Assessments as a holistic tool for risk assessments of cybersecurity, IT, privacy, data security, and business resiliency.
There are two variants:
- SIG Core, the full library of questions security teams can pick and choose from, including topics like GDPR and other specific compliance regulations. SIG contains over 1,200 questions.
- SIG Lite, a simplified assessment for vendors with lower inherent risk, that focuses on the most high-level questions. SIG Lite contains just under 200 questions.
As more vendor security assessments are introduced, security and risk managers struggle to decide which vendor assessment frameworks to use, at which time, and for which third parties.
Why use CAIQ for vendor assessments vs. other questionnaires?
Using CAIQ is advised when evaluating cloud providers during the vendor risk assessment process, as it contains just under 300 questions about cloud operations and processes (IaaS, PaaS, and SaaS).
Why use SIG for vendor assessments vs. other questionnaires?
Using SIG, especially SIG Lite, is advised when evaluating vendors who have less inherent risk. It takes the high-level concepts and questions from the larger SIG assessments, distilling them down to just under 200 questions. The SIG Core library is useful for more extensive assessments.
Domains covered in CCM and by the CAIQ questionaire:
https://cloudsecurityalliance.org/research/guidance/
What is STAR?
The Security, Trust, Assurance, and Risk (STAR) Registry is a publicly accessible registry that documents the security and privacy controls provided by popular cloud computing offerings.
STAR encompasses the key principles of transparency, rigorous auditing, and harmonization of standards outlined in the Cloud Controls Matrix (CCM). Publishing to the registry allows organizations to show current and potential customers their security and compliance posture, including the regulations, standards, and frameworks they adhere to. It ultimately reduces complexity and helps alleviate the need to fill out multiple customer questionnaires.
https://cloudsecurityalliance.org/star/
Star Level 1: Self-Assessment
At level one organizations can submit one or both of the security and privacy self-assessments. For the security assessment, organizations use the Cloud Controls Matrix to evaluate and document their security controls. The privacy assessment submissions are based on the GDPR Code of Conduct.
Who should pursue level one?
Organizations should pursue this level if they are…
- Operating in a low-risk environment
- Wanting to offer increased transparency around the security controls they have in place.
- Looking for a cost-effective way to improve trust and transparency
Security Self-Assessment
CSA STAR Self-Assessment is a complimentary offering that documents the security controls provided by various cloud computing offerings, thereby helping users assess the security of cloud providers they currently use or are considering using. Cloud providers submit the Consensus Assessments Initiative Questionnaire (CAIQ) to document compliance with the Cloud Controls Matrix (CCM). This information then becomes publicly available, promoting industry transparency and providing customer visibility into specific provider security practices. STAR Self-Assessments are updated annually.
The CAIQ v4 has two versions:
- CCM + CAIQ v4: The CAIQ v4 bundled with CCM here is intended to be used as a reference only. You cannot use the spreadsheet that contains both the CAIQ and CCM to submit to the registry.
STAR Level 1: Security Questionnaire (CAIQ v4): Use this version of CAIQ v4 to fill out and submit to the STAR registry.
GDPR Self-Assessment
The Code Self-Assessment covers the compliance to GDPR of the service(s) offered by a CSP. A company after the publication of the relevant document on the Registry will receive a Compliance Mark valid for 1 year.
The Self-Assessment shall be revised every time there’s a change to the company policies or practices related to the service under assessment. For more information on GDPR CoC: https://cloudsecurityalliance.org/privacy/gdpr/code-of-conduct/
Star Level 2: Third-Party Audit
Level 2 of STAR allows organizations to build off of other industry certifications and standards to make them specific for the cloud.
Organizations looking for a third-party audit can choose from one or more of the security and privacy audits and certifications. An organization’s location, along with the regulations and standards it is subject to will have the greatest factor in determining which ones are appropriate to pursue.
Which organizations should pursue level 2?
Organizations should pursue this level if they are…
- Operating in a medium to high risk environment
- Already hold or adhere to the following: ISO27001, SOC 2, GB/T 22080-2008, or GDPR
- Looking for a cost-effective way to increase assurance for cloud security and privacy.
STAR Attestation: For SOC 2
The CSA STAR Attestation is a collaboration between CSA and the AICPA to provide guidelines for CPAs to conduct SOC 2 engagements using criteria from the AICPA (Trust Service Principles, AT 101) and the CSA Cloud Controls Matrix. The STAR Attestation provides for rigorous third party independent assessments of cloud providers. Attestation listings will expire after one year unless updated.
STAR Certification: For ISO/IEC 27001:2013
The CSA STAR Certification is a rigorous third-party independent assessment of the security of a cloud service provider. This technology-neutral certification leverages the requirements of the ISO/IEC 27001:2013 management system standard together with the CSA Cloud Controls Matrix. Certification certificates follow normal ISO/IEC 27001 protocol and expire after three years unless updated.
C-STAR: For the Greater China Market
The CSA C-STAR Assessment is a robust third party independent assessment of the security of a cloud service provider for the Greater China market that harmonizes CSA best practices with Chinese national standards. C-STAR leverages the requirements of the GB/T 22080-2008 management system standard together with the CSA Cloud Controls Matrix, plus 29 related controls selected from GB/T 22239-2008 and GB/Z 28828-2012. Certification certificates expire after three years unless updated.
