I am helping one of my client companies in Japan to review their SaaS usage evaluation criteria, and I would like to ask your opinion about this.
At the company, various SaaS applications are submitted to the information security management department from various organizations. Based on the usage, the company's security policy, the provider's questionnaire response and the SOC2 report, the department reviews whether to allow the use of the SaaS.
Often they get the SOC2 report from the provider, but they don't have the time to read it. There is only one person in charge who has the ability to properly review the reports, and we are concerned about the continuity of the system.
Therefore, we are going to simplify the review criteria as follows to save labor and reduce the difficulty of the review. Specifically, we are going to allow the use of the system without exception if any of the following criteria are met.
So here's the question.
If you have any comments on the above, I would be happy to hear them.
I would agree with the criteria, generally. In today's SaaS-based world, you can never be positive, but taking a look around several scoring/certifying methods can make a strong case. If the risk level doesn't support additional persons qualified to review the security more thoroughly, then leaning on outside review is really the only option. To introduce any more friction will cause the kind of interdepartmental friction that usually results in shadow IT operations and security getting worse, not better.
Thank you, @mgorman.
> To introduce any more friction will cause the kind of interdepartmental friction that usually results in shadow IT operations and security getting worse, not better.
I think it would be a good insight for my client.