SaaS Governance

  • 1.  SaaS Usage Evaluation Criteria

    Posted Oct 10, 2021 09:41:00 AM

    I am helping one of my client companies in Japan to review their SaaS usage evaluation criteria, and I would like to ask your opinion about this.

    At the company, various SaaS applications are submitted to the information security management department from various organizations. Based on the usage, the company's security policy, the provider's questionnaire response and the SOC2 report, the department reviews whether to allow the use of the SaaS.

    Often they get the SOC2 report from the provider, but they don't have the time to read it. There is only one person in charge who has the ability to properly review the reports, and we are concerned about the continuity of the system.

    Therefore, we are going to simplify the review criteria as follows to save labor and reduce the difficulty of the review. Specifically, we are going to allow the use of the system without exception if any of the following criteria are met.

    1. It is certified by ISMAP or FedRAMP (ISMAP is kind of like a Japanese version of FedRAMP).
    2. No negative auditor opinions in the most recent SOC3 report issued within the past year, or specific confirmation of negative opinions in the SOC2 report, confirming that it is consistent with your policies and usage.
    3. A very high level (e.g., Excellent for Netskope) in the CASB scoring service.
    4. Certified to ISO/IEC 27001 and 27017 (or 27018 if handling personal information) within three years if you do not have top-secret data to be retained.
    5. High level in the CASB scoring service (e.g., High for Netskope) if you do not have secret data to be retained.
    6. The CASB scoring service is at a medium level (e.g., Medium for Netskope) if less confidential data is to be retained.
    7. For integrity and availability, replace the confidentiality in 4-6 with those.

    So here are the questions.

    1. If you or your customers have similar issues, would you agree to move to the above criteria for review? And why?
    2. If you or your customers are operating under similar standards, what are the challenges you face?
    3. If none of the above applies to you, what do you think about my idea?


    If you have any comments on the above, I would be happy to hear them.

    Best regards,



    ------------------------------
    Masahiro Haneda CCSK
    Security Consultant
    NRI SecureTechnologies Ltd.
    Tokyo
    ------------------------------


  • 2.  RE: SaaS Usage Evaluation Criteria

    Posted Oct 10, 2021 01:36:00 PM

    Hello Masahiro, 

    I made a SaaS/Cloud assessment checklist for my workplace and my previous workplace. For a long time, I have assessed SaaS for internal/external use (more than two digits) and reported to the project approval committee. Maybe I can help you.

    Simply, I'll explain what I check now, for example.

    SaaS assessment is a very formidable task, especially for client use; there are too many critical issues.

    Below are the core check items in the 'pre-check list' (it checks for requirements). First of all, I check the type of data usage and PII in the SaaS. If 0/1/2 is not cleared, I reject it.

    0. Is it for internal use or external (client) use?

    -> If it is for internal use, need to check 'why'
    -> If it is for external use, need to check 'client compliance'

    1. Using PII? (Is it processed? Is it stored? Is it viewed?)

    -> Need to check the 'PII handling policy' for the work area.

    -> If there is PII, must check the storage/backup location; most Japanese companies don't want to store/process PII in an offshore environment.

    2. Sanction check (normally, need to consult with the Legal team, but I check the HQ location and CEO at least)

    After the pre-check, I send a 'SaaS interview sheet' to the vendor; the questions below are the core items in the 'interview sheet'.

    1. ISMS (it's very important, especially ISO/IEC 27001)
    2. Related compliance (optional), such as ISMAP, FedRAMP, SOC and so on. It is good, but it's not critical unless legally required. If it is required, I should consult with the Legal team.
    3. Branch office/agency in Japan
    3-1. Customer support 24/365 in Japanese (it's important for operational cost and BCP)
    4. Response to court orders
    5. SSO support (SAML, OAuth and so on) - it's very important for AAA management

    * In my case, the CASB score is not important (honestly, I don't check it, because there are too many unique SaaS in Japan)

    Regards,




    ------------------------------
    Seungryul Hong
    Security Manager
    Asurion Japan Holdings G.K.
    Tokyo
    ------------------------------



  • 3.  RE: SaaS Usage Evaluation Criteria

    Posted Oct 13, 2021 01:37:00 AM

    Thank you for your comments, @Seungryul Hong.

    Your case is informative for me.

    I definitely agree that #5 is very important. However, unfortunately my client has given up SSO for SaaS this time, because it is very hard to negotiate the implementation of SSO with the relevant departments and there is not enough time to achieve the SSO. I am wondering how and to whom I should recommend SaaS SSO implementation next fiscal year.


    Best regards,
    Haneda, Masahiro

    ------------------------------
    Masahiro Haneda CCSK
    Security Consultant
    NRI SecureTechnologies Ltd.
    Tokyo
    ------------------------------