I appreciate your great effort to write "SaaS Governance Best Practices for Cloud Customers". I read it and have a few questions.
Q1. Does a "process" defined in "2.2 Structure" mainly support the layers "user & access policies" and "data classification & accountability" named in the CSA Shared Responsibility Model?
https://cloudsecurityalliance.org/blog/2021/02/04/the-evolution-of-cloud-computing-and-the-updated-shared-responsibility/
Q2. Why is the scope of "2.3.3 Usage Lifecycle" different from the scope of "3.1.2 Usage"? For example, section 2.3.3 includes "provisioning" but the other section does not. Section 3.1.2 has "continuously evaluate and reduce the attack surface" but the other one does not.
Q3. Why is "4.2 Mobile Devices and Teleworking" in "4. Organization of Information Security"? I think neither mobile devices nor teleworking relate to an organization, though.
------------------------------
Masahiro Haneda CCSK
Security Consultant
NRI SecureTechnologies Ltd.
Tokyo
------------------------------