Table of Contents
- Australian Privacy Principles (APP) Questionnaire
- CapAI Assessment (EU AI Act / AIA)
- Consensus Assessments Initiative Questionnaire (CAIQ)
- Center for Internet Security (CIS)
- CVAT
- General Data Protection Regulation (GDPR)
- DORA
- HackerOne Validated Assessment
- Higher Education Cloud Vendor Assessment Tool (HECVAT)
- International Organization for Standardization (ISO)
- NIS 2 Directive
- National Institute of Standards and Technology (NIST)
- Open Web Application Security Project (OWASP)
- PCI SAQ A
- PCI DSS v.4
- Standardized Information Gathering (SIG)
- Vendor Security Alliance (VSA)
- California Consumer Privacy Act (CCPA)
- Cybersecurity Maturity Model Certification (CMMC)
- Data Privacy Impact Assessment (DPIA)
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- McAfee Validated Assessment
- Minimum Viable Secure Product (MVSP)
- Payment Card Industry Data Security Standard (PCIDSS)
- Privacy Shield
Summary
This article provides an overview of industry standard questionnaires that help organizations assess compliance with various privacy legislation, security frameworks, and regulatory requirements. These questionnaires cover a wide range of standards including data protection regulations (GDPR, CCPA), security frameworks (ISO, NIST), payment card standards (PCI DSS), and industry-specific assessments.
🔒 Australian Privacy Principles (APP) Questionnaire
The Australian Privacy Principles (APP) Questionnaire helps organizations assess compliance with Australia's privacy legislation. This questionnaire targets organizations operating in Australia and international companies handling Australian citizens' personal data.
Questionnaire Overview
The APP Questionnaire covers the 13 Australian Privacy Principles established under the Privacy Act 1988. These principles govern how personal information is collected, used, disclosed, and secured by organizations.
Target Organizations:
- Organizations operating in Australia with an annual turnover exceeding $3 million
- International companies processing Australian citizens' personal data
- Australian government agencies
- Health service providers
- Credit reporting bodies
🤖 CapAI Assessment (EU AI Act / AIA)
The CapAI Assessment is based on the EU AI Act / AIA. This is an industry-standard AI Questionnaire.
The AIA has a broad view of AI systems. These are software created using various methods like machine learning, expert systems, and statistical approaches. This definition is wider than visual AI definitions that focus only on machine learning. The AIA also includes other methods like Bayesian estimators and large-expert systems. To sum up, AIA covers:
- Machine learning including different types like supervised, unsupervised, and reinforcement learning.
- Logic and knowledge-based methods, like expert systems and reasoning.
- Statistical techniques, like Bayesian estimation and optimization.
What is the EU AI Act?
The AI Act is a proposed European law on artificial intelligence (AI) – the first comprehensive law on AI by a major regulator anywhere. The law assigns applications of AI to three risk categories. First, applications and systems that create an unacceptable risk, such as government-run social scoring of the type used in China, are banned. Second, high-risk applications, such as a CV-scanning tool that ranks job applicants, are subject to specific legal requirements. Lastly, applications not explicitly banned or listed as high-risk are largely left unregulated.
*** For further information regarding the EU AI Act: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:52021PC0206 ***
📋 Consensus Assessments Initiative Questionnaire (CAIQ)
The CAIQ provides industry-accepted ways to document what security controls exist in IaaS, PaaS and SaaS offerings. The questionnaire provides a set of questions a reviewer may wish to ask of a cloud provider. The CAIQ questionnaire is designed to support organizations when interacting with cloud providers during the cloud provider assessment process by giving organizations specific questions to ask about application and processes.
CAIQ 3.0s Full and Lite
The Security questionnaire CAIQ v4 offers an industry-accepted way to document what security controls exist in IaaS, PaaS, and SaaS services, providing security control transparency.
The CAIQ/CAIQ-Lite
The CAIQ/CAIQ-Lite is a shorter, more targeted form of the CAIQ questionnaire that brings to light the security posture of cloud providers for a key set of controls.
The CAIQ/CAIQ-Lite is for you if:
- Your organization uses cloud based applications (SaaS)
- Stores sensitive information in cloud-based applications
- Sees value in aligning to a widely used and industry recognized Framework
🛡️ Center for Internet Security (CIS)
CIS First 5/Top 20
The CIS Critical Security Controls are a prioritized set of actions for cybersecurity that form a defense-in-depth set of specific and actionable best practices to mitigate the most common cyber attacks. A principal benefit of the CIS Controls is that they prioritize and focus on a small number of actions that greatly reduce cybersecurity risk.
The CIS First 5/Top 20 is for you if:
- Do not have a comprehensive methodology or set of security requirements for your vendors.
- Are you looking to take the "first step" in assessing Security within your vendor population?
- Need to determine the most critical areas to establish a risk management program.
🎓 CVAT
The CoSN K-12 Community Vendor Assessment Tool, or CVAT, is a questionnaire framework specifically designed for K-12 schools, districts, and education service districts to measure vendor risk.
🇪🇺 General Data Protection Regulation (GDPR)
GDPR: The General Data Protection Regulation (GDPR) is an extraterritorial European law that applies to the processing, storage, and disclosure of personally identifiable information (PII) to individuals in the European Union.
GDPR is for you if:
- If your organization at any point handles personal data of individuals in the European Union
- Have operations within the EU's borders
- Have more than 250 employees, or if fewer than 250 employees, having frequent data processing that impacts the rights and freedoms of the EU Union.
- If you intend to do business with individuals "lives/resides" in the EU, you must comply with GDPR.
💼 DORA
This Whistic-made questionnaire is based on the regulatory requirements described in the Digital Operational Resilience Act (DORA) - Regulation EU 2022/2554. The DORA aims to strengthen the operational resilience of financial institutions in the European Union by setting regulatory standards for managing information and communication technology (ICT) risks. It can be accessed in Whistic here.
🔐 HackerOne Validated Assessment
Whistic completed an assessment on HackerOne's Security practices by reviewing their SOC 2. The Assessment report has been added to HackerOne's Trust Center Exchange security profile and is available for import.
🏫 Higher Education Cloud Vendor Assessment Tool (HECVAT)
HECVAT: The Higher Education Community Vendor Assessment Tool (HECVAT) is a security assessment template that attempts to generalize higher education information security and data protection questions and issues regarding cloud services for consistency and ease of use.
The HECVAT/HECVAT Lite is for you if:
- You are a college or university
- Need to identify and manage risks to your university, campus, and student body from third and fourth parties
- Are a third-party service provider and want to contract with Colleges and Universities.
Hecvat Full 3.05
The HECVAT is a questionnaire framework specifically designed for higher education to measure vendor risk. Before you purchase a third party solution, ask the solution provider to complete an HECVAT tool to confirm that information, data, and cybersecurity policies are in place to protect your sensitive institutional information and constituents' PII.
HECVAT 3.06 Full and Lite
The Higher Education Community Vendor Assessment Toolkit (HECVAT) is designed to help higher education institutions assess the security, privacy, and data protection practices of their third-party vendors. By standardizing the security review process for higher education and its vendors, HECVAT streamlines vendor assessments, promoting safer data sharing and compliance with institutional security policies.
HECVAT - Triage 3.0.5
The HECVAT Triage is a questionnaire designed to help companies determine which HECVAT framework fits their service. The HECVAT is specifically designed for higher education to measure vendor risk.
HECVAT 4.0
This new version of the HECVAT combines the Full, Lite, On-Prem, and Triage versions into one convenient place.
📊 International Organization for Standardization (ISO)
ISO 23053
ISO 23053: The ISO 23053 is an ISO standard Framework for Artificial Intelligence (AI) Systems Using Machine Learning (ML). This document establishes an Artificial Intelligence (AI) and Machine Learning (ML) framework for describing a generic AI system using ML technology. This document applies to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, that are implementing or using AI systems.
ISO 27001
ISO 27001: ISO/IEC 27001 is one of the most well-known and well-used information security standards and is part of the ISO/IEC 27000 family of standards. It is published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) and is designed to be used as a running risk assessment and audit for both InfoSec and vendor teams.
ISO is for you if:
- You are working towards a formal ISO certification
- Are looking to design and implement a coherent and comprehensive set of information security controls
- Are looking to adopt a management process to ensure that controls continue to meet your organization's information Security needs on an ongoing basis.
🇪🇺 NIS 2 Directive
The NIS 2 Directive establishes stricter cybersecurity standards and improves coordination across EU member states. This comprehensive framework emphasizes robust security measures to protect organizations in critical sectors such as:
- Electricity providers
- Hospitals
- Digital infrastructure providers
- Manufacturers of critical devices and chemicals
With the NIS 2 questionnaire, available in Whistic, suppliers in these essential industries can streamline compliance efforts and align with evolving regulations to enhance public safety and economic stability.
🏛️ National Institute of Standards and Technology (NIST)
NIST: A government-focused security framework, the SP 800-171 framework focuses on how government agencies (including the Department of Defense) handle the sharing and access of Controlled Unclassified Information (CUI). This information is protected and highly sensitive but not directly regulated by any government agency, making it unclassified.
NIST SP 800-171
NIST SP 800-171 is for you if:
- Already using NIST SP 800-53 within your organization or looking to align to it.
- Working toward FedRAMP or FedRAMP compliance.
- Are a Vendor looking to sell to the Government (DoD)
NIST AI Risk Management Framework
In collaboration with the private and public sectors, NIST has developed a framework to better manage risks to individuals, organizations, and society associated with artificial intelligence (AI). The NIST AI Risk Management Framework (AI RMF) is intended for voluntary use and to improve the ability to incorporate trustworthiness considerations into the design, development, use, and evaluation of AI products, services, and systems.
Released on January 26, 2023, the Framework was developed through a consensus-driven, open, transparent, and collaborative process that included a Request for Information, several draft versions for public comment, multiple workshops, and other opportunities to provide input. It is intended to build on, align with, and support AI risk management efforts by others.
*** Further information available here: https://www.nist.gov/itl/ai-risk-management-framework ***
🌐 Open Web Application Security Project (OWASP)
The OWASP is a Standard focused on the SDLC (Software Development Lifecycle) and web application security. It is a nonprofit foundation that works to improve the security of software. Through community-led open-source software projects, hundreds of local chapters worldwide, tens of thousands of members, and leading educational and training conferences, the OWASP Foundation is the source for developers and technologists to secure the web.
The OWASP Top 10
The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications. Companies should adopt this document and start the process of ensuring that their web applications minimize these risks. Using the OWASP Top 10 is perhaps the most effective first step towards changing the software development culture within your organization into one that produces more secure code.
OWASP Top 10 is for you if:
- You are assessing the industry best practices of web security for a particular web service
- Assess a web services understanding of current threat vectors and how they protect against them.
💳 PCI SAQ A
PCI SAQ A Self-Assessment Questionnaire (SAQ) A includes only those PCI DSS requirements applicable to merchants with account data functions completely outsourced to PCI DSS validated and compliant third parties, where the merchant retains only paper reports or receipts with account data. SAQ A merchants may be either brick-and-mortar (card-present) or mail/telephone-order (card-not-present) merchants and do not store, process, or transmit any account data in electronic format on their systems or premises.
💳 PCI SAQ A-EP
PCI SAQ A-EP Self-Assessment Questionnaire (SAQ) A-EP includes only those PCI DSS requirements applicable to merchants that process account data only via standalone, PCI-listed approved PCI Transaction Security (PTS) point-of-interaction (POI) devices with an IP connection to the payment processor. An exception applies for PTS POI devices classified as Secure Card Readers (SCR) and Secure Card Readers PINs (SCRs); using SCRs or SCRPs are not eligible for this SAQ. SAQ A-EP merchants may be either brick-and-mortar (card-present) or mail/telephone-order (card-not-present) merchants and do not store account data on any computer system.
💳 PCI SAQ B
PCI SAQ B Self-Assessment Questionnaire (SAQ) B includes only those PCI DSS requirements applicable to merchants that process account data only via imprint machines or standalone dial-out terminals. SAQ B merchants may be either brick-and-mortar (card-present) or mail/telephone-order (card-not-present) merchants and do not store account data on any computer system.
💳 PCI SAQ B-IP
PCI SAQ B-IP Self-Assessment Questionnaire (SAQ) B-IP includes only those PCI DSS requirements applicable to merchants that process account data only via standalone, PCI-listed approved PCI Transaction Security (PTS) point-of-interaction (POI) devices with an IP connection to the payment processor. An exception applies for PTS POI devices classified as Secure Card Readers (SCR) and Secure Card Reader PINs (SCRPs); merchants using SCRs or SCRPs are not eligible for this SAQ. SAQ B-IP merchants may be either brick-and-mortar (card-present) or mail/telephone-order (card-not-present) merchants and do not store account data on any computer system.
💳 PCI SAQ P2PE HW
PCI SAQ P2PE HW Self-Assessment Questionnaire for Point-to-Point Encryption (SAQ P2PE) includes only those PCI DSS requirements applicable to merchants that process account data only via a validated PCI-listed P2PE solution. SAQ P2PE merchants do not have access to clear-text account data on any computer system or payment terminals from a validated PCI-listed P2PE solution. For example, a mail/telephone-order merchant could be eligible for SAQ P2PE if they receive account data on paper or over the telephone, and key it directly and only into a payment terminal from a validated P2PE solution.
💳 PCI DSS v.4
PCI DSS is a comprehensive set of security standards aimed at protecting cardholder data throughout the payment card processing lifecycle, encompassing both physical and technical security measures.
All SAQs are a subset of the DSS that target specific industries or merchants.
📝 Standardized Information Gathering (SIG)
The SIG (Standard Information Gathering) questionnaire family is released by Shared Assessments and addresses multiple areas of risk across many use cases, making it an easily adaptable and relatively flexible framework for many InfoSec teams. Additionally, the original SIG framework has been re-released multiple times as a CORE and LITE questionnaire to make it more appealing to smaller, on-the-go security teams. The original SIG questionnaire evaluates 18 risk controls and is a good bet for teams looking to complete more complex RFPs, conduct self-assessments or audits, or determine a broader scope of risk security.
SIG Lite
The SIG LITE questionnaire distills the larger, more complex concepts of the SIG assessment into a few easily manageable questions, making it the ideal assessment to see whether or not further review is needed.
SIG Core
SIG CORE is a unique approach to the original SIG assessment in that it offers InfoSec teams a library of questions to choose from to basically create their own unique questionnaire with vendors.
🤝 Vendor Security Alliance (VSA)
VSA: Unlike other questionnaires, the VSA assessment process was created with the vendor in mind. Its focus is to eliminate irrelevant questions, reducing the time it takes for InfoSec and security teams to complete the questionnaire.
VSA Core
The VSA-Core questionnaire focuses on security and privacy principles and practices. From a security perspective, it does not go into the same depth as the VSA-Full questionnaire but it does add the Privacy section that covers the core principles of USA data breach laws, the California Consumer Privacy Act, and GDPR.
The VSA/VSA-Lite is for you if:
- You are concerned with Vendor experience as the questionnaire focuses on eliminating irrelevant questions
- Reducing the time it takes for InfoSec and security teams to complete the questionnaire.
🏛️ California Consumer Privacy Act (CCPA)
The CCPA questionnaire is designed as a readiness checklist more than as an assessment. The checklist addresses controls specified in the California Consumer Privacy Act of 2018. It is not intended as legal advice but rather as a tool to assist in focusing on what you should consider if addressing CCPA-related data.
More information about the CCPA is available at the California Attorney General's website.
https://oag.ca.gov/privacy/ccpa
The CCPA is for you if:
- You are concerned about consumer privacy rights in California
- You are doing business with consumers who may be in California
🔐 Cybersecurity Maturity Model Certification (CMMC)
The Cybersecurity Maturity Model Certification (CMMC) program enhances cyber protection standards for companies in the Defense Industrial Base (DIB). It is designed to protect sensitive unclassified information that is shared by the Department with its contractors and subcontractors. The program incorporates a set of cybersecurity requirements into acquisition programs and provides the Department with increased assurance that contractors and subcontractors are meeting these requirements.
The framework has three key features:
- Tiered Model: CMMC requires that companies entrusted with national security information implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information. The program also sets forth the process for information flow down to subcontractors.
- Assessment Requirement: CMMC assessments allow the Department to verify the implementation of clear cybersecurity standards.
- Implementation through Contracts: Once CMMC is fully implemented, certain DoD contractors that handle sensitive unclassified DoD information will be required to achieve a particular CMMC level as a condition of contract award.
The Questionnaires are designed as readiness checklists. To achieve any level of CMMC certification, the business completing the questionnaire will need to engage a certified assessment team to perform the verification.
CMMC is for you if:
- You engage in business as a contractor or supplier to the US Department of Defense
- Plan to engage in business as a contractor or supplier to the US Department of Defense
📋 Data Privacy Impact Assessment (DPIA), also Privacy Impact Assessment or Data Protection Impact Assessment
General Data Protection Regulation (GDPR): Introduced as Article 35 of GDPR. The controller has an obligation to conduct an impact assessment and to document it before starting the intended data processing.
A DPIA must always be conducted when the processing could result in a high risk to the rights and freedoms of natural persons. The assessment must be carried out, especially if one of the risk examples set forth in Art. 35(3) of the GDPR is relevant. To specify the open-ended wording of the law regarding the basic obligation to perform a privacy impact assessment, the supervisory authorities are involved.
The DPIA is for you if:
- GDPR is applicable to your business
🏥 Health Insurance Portability and Accountability Act of 1996 (HIPAA)
HIPAA Privacy Rule
The Privacy Rule standards address the use and disclosure of individuals' health information (known as "protected health information") by entities subject to the Privacy Rule. These individuals and organizations are called "covered entities." The Privacy Rule also contains standards for individuals' rights to understand and control how their health information is used. A major goal of the Privacy Rule is to ensure that individuals' health information is properly protected while allowing the flow of health information needed to provide and promote high-quality health care and to protect the public's health and well-being. The Privacy Rule strikes a balance that permits important uses of information while protecting the privacy of people who seek care and healing.
Covered Entities:
Healthcare Providers
Health Plans
Healthcare clearinghouses
Business Associates
HIPAA is for you if:
- You are a covered entity or otherwise subject to HIPAA regulations
🛡️ McAfee Validated Assessment
Whistic completed an assessment on McAfee's Security practices by reviewing their SOC 2. The Assessment report has been added to McAfee's Trust Center Exchange security profile and is available for import.
✅ Minimum Viable Secure Product (MVSP)
MVSP
From the Google Security Blog:
To solve this challenge, organizations across the industry teamed up to design Minimum Viable Secure Product or MVSP – a vendor-neutral security baseline that is designed to eliminate overhead, complexity, and confusion during the procurement, RFP, and vendor assessment process by establishing minimum acceptable security baselines. With MVSP, the industry can increase clarity during each phase and to parties on both sides of the equation can achieve their goals and reduce the onboarding and sales cycle by weeks or even months.
MVSP is for you if:
- You are looking for a simplified end-to-the-point assessment covering a broad range of controls
💳 Payment Card Industry Data Security Standard (PCIDSS)
https://www.pcisecuritystandards.org/
PCI A
PCI-S provides guidelines to secure account-based payment data by encrypting it from the point of interaction until it reaches the intended recipient, ensuring the data remains protected throughout its entire journey. A is tailored toward companies that only use card-not-present transactions to provide their services.
PCIDSS
From https://www.pcisecuritystandards.org/pci_security/standards_overview:
PCI Security Standards are developed specifically to protect payment account data throughout the payment lifecycle and to enable technology solutions that decouple the data and remove the incentive for criminals to steal it. They include standards for merchants, service providers, and financial institutions on security practices, technologies, and processes, and standards for developers and vendors of creating secure payment products and solutions.
PCIDSS is for you if:
- You are accepting or processing payment cards or otherwise involved in the payment card (credit card) industry
🛡️ Privacy Shield
https://www.privacyshield.gov/welcome
From https://www.privacyshield.gov/Program-Overview:
The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce, the European Commission, and the Swiss Administration, respectively, to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce. On July 12, 2016, the European Commission deemed the EU-U.S. Privacy Shield Framework adequate to enable data transfers under EU law (see the adequacy determination). On January 12, 2017, the Swiss Government announced the approval of the Swiss-U.S. Privacy Shield Framework as a valid legal mechanism to comply with Swiss requirements when transferring personal data from Switzerland to the United States (see the statements from the Federal Council and Federal Data Protection and Information Commissioner).
Privacy Shield is for you if:
- You are transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce. It should be noted that there have been several rulings in Europe and Switzerland that relate to the use of Privacy Shield, and any business using Privacy Shield should be aware of potential legal ramifications.
Related to:
Industry Standard | Cybersecurity | ISO