SaaS Governance

  • 1.  Questions about SaaS Governance Best Practices for Cloud Customers

    Posted Aug 28, 2022 01:00:00 AM
    I appreciate your great effort to write "SaaS Governance Best Practices for Cloud Customers". I read it and have a few questions.

    Q1. Does a "process" defined in "2.2 Structure" mainly support the layers, "user & access policies" and "data classification & accountability", named in CSA Shared Responsibility Model?
    https://cloudsecurityalliance.org/blog/2021/02/04/the-evolution-of-cloud-computing-and-the-updated-shared-responsibility/

    Q2. Why is the scope of "2.3.3 Usage Lifecycle" different from the scope of "3.1.2 Usage"? For example, section 2.3.3 includes "provisioning" but the other section does not. Section 3.1.2 has "continuously evaluate and reduce the attack surface" but the other one does not.

    Q3. Why is "4.2 Mobile Devices and Teleworking" in "4. Organization of Information Security"? I think neither mobile devices nor teleworking relates to an organization, though.

    ------------------------------
    Masahiro Haneda CCSK
    Security Consultant
    NRI SecureTechnologies Ltd.
    Tokyo
    ------------------------------


  • 2.  RE: Questions about SaaS Governance Best Practices for Cloud Customers

    Posted Aug 31, 2022 04:27:00 AM

    @Shamun Mahmud @Michael Roza

    I found your names in this community and in the document, "SaaS Governance Best Practices for Cloud Customers".

    Could you kindly answer my questions above? Especially, Q2 and Q3.



    ------------------------------
    Masahiro Haneda CCSK
    Security Consultant
    NRI SecureTechnologies Ltd.
    Tokyo
    ------------------------------



  • 3.  RE: Questions about SaaS Governance Best Practices for Cloud Customers

    Posted Aug 31, 2022 04:38:00 AM
    Edited by Michael Roza Aug 31, 2022 04:52:00 AM
    Hi Masahiro,

    I did see your questions and will look at them this weekend.
    Best regards,

    ------------------------------
    Michael Roza CPA, CISA, CIA, MBA, Exec MBA
    ------------------------------