Information Security

 View Only
  • 1.  Cloud Based Vendors

    Posted 09-11-2019 03:48 PM
    ​More and more vendors are converting to cloud-based strategies for providing services and/or storing confidential/sensitive data. Should there be a separate info sec questionnaire and due diligence requirements for these types of vendors? Any guidance would be appreciated.

    Thank you!

  • 2.  RE: Cloud Based Vendors

    Posted 09-19-2019 05:57 PM
    The CAIQ (Consensus Assessments Initiative Questionnaire) was built for just this purpose. It was built by the Cloud Security Alliance. Many cloud service providers already have this completed and can quickly provide it to you.

    What have others found as the best questionnaire for cloud services? Are many of you using the CAIQ?

  • 3.  RE: Cloud Based Vendors

    Posted 09-20-2019 11:09 AM

    I work in the academia space so we generally use the Higher Education Cloud Vendor Assessment Tool (HECVAT).

  • 4.  RE: Cloud Based Vendors

    Posted 09-20-2019 01:54 PM
    That's a great point, Lou. We do see the HECVAT used by educational institution clients. In my opinion, the HECVAT is pretty standard as far as technology questionnaires go. I actually like the HECVAT more because it is more standard and does not get into the weeds. The CAIQ gets a lot deeper into specific cloud controls, likely deeper than most user entities care about. We rarely see CAIQs come in as evidence. 

    Do many others use HECVAT, CAIQ, or another questionnaire for cloud service providers?