That's a great point, Lou. We do see the HECVAT used by educational institution clients. In my opinion, the HECVAT is pretty standard as far as technology questionnaires go. I actually like the HECVAT more because it is more standard and does not get into the weeds. The CAIQ gets a lot deeper into specific cloud controls, likely deeper than most user entities care about. We rarely see CAIQs come in as evidence.
Do many others use HECVAT, CAIQ, or another questionnaire for cloud service providers?
Original Message:
Sent: 09-20-2019 11:09 AM
From: Lou Belsito
Subject: Cloud Based Vendors
I work in the academia space so we generally use the Higher Education Cloud Vendor Assessment Tool (HECVAT).
Original Message:
Sent: 09-19-2019 05:57 PM
From: Aaron Kirkpatrick
Subject: Cloud Based Vendors
The CAIQ (Consensus Assessments Initiative Questionnaire) was built for just this purpose. It was built by the Cloud Security Alliance. Many cloud service providers already have this completed and can quickly provide it to you.
What have others found as the best questionnaire for cloud services? Are many of you using the CAIQ?