Masahiro
Newcomer III

SaaS Usage Evaluation Criteria

I am helping one of my client companies in Japan to review their SaaS usage evaluation criteria, and I would like to ask your opinion about this.


At the company, various SaaS applications are submitted to the information security management department from various organizations. Based on the usage, the company's security policy, the provider's questionnaire response and the SOC2 report, the department reviews whether to allow the use of the SaaS.


Often they get the SOC2 report from the provider, but they don't have the time to read it. There is only one person in charge who has the ability to properly review the reports, and we are concerned about the continuity of the system.


Therefore, we are going to simplify the review criteria as follows to save labor and reduce the difficulty of the review. Specifically, we are going to allow the use of the system without exception if any of the following criteria are met.


  1. It is certified by ISMAP or FedRAMP.
  2. No negative auditor opinions in the most recent SOC3 report issued within the past year, or specific confirmation of negative opinions in the SOC2 report, confirming that it is consistent with your policies and usage.
  3. A very high level (e.g., Excellent for Netskope) in the CASB scoring service.
  4. Certified to ISO/IEC 27001 and 27017 (or 27018 if handling personal information) within three years if you do not have top-secret data to be retained.
  5. High level of CASB scoring service (e.g., High for Netskope) if you do not have secret data to be retained.
  6. The CASB scoring service is at a medium level (e.g., Medium for Netskope) if less confidential data is to be retained.
  7. For integrity and availability, replace the confidentiality in 4-6 with those.


So here's the question.


  1. If you or your customers have similar issues, would you agree to move to the above criteria for review? And why?
  2. If you or your customers are operating under similar standards, what are the challenges you face?
  3. If none of the above applies to you, what do you think about my idea?


If you have any comments on the above, I would be happy to hear them.


Best regards,


Haneda, Masahiro
Certification: CISSP, CCSP, CCSK, PMP, ITIL Foundation V3
Location: Japan
My LinkedIn Profile
3 Replies
Masahiro
Newcomer III

ISMAP is kind of like a Japanese version of FedRAMP.
Haneda, Masahiro
Certification: CISSP, CCSP, CCSK, PMP, ITIL Foundation V3
Location: Japan
My LinkedIn Profile
mgorman
Contributor II

I would agree with the criteria, generally. In today's SaaS-based world, you can never be positive, but taking a look around several scoring/certifying methods can make a strong case. If the risk level doesn't support additional persons qualified to review the security more thoroughly, then leaning on outside review is really the only option. To introduce any more friction will cause the kind of interdepartmental friction that usually results in shadow IT operations and security getting worse, not better.

Masahiro
Newcomer III

Thank you, @mgorman.


> To introduce any more friction will cause the kind of interdepartmental friction that usually results in shadow IT operations and security getting worse, not better.


I think it would be a good insight for my client.


Haneda, Masahiro
Certification: CISSP, CCSP, CCSK, PMP, ITIL Foundation V3
Location: Japan
My LinkedIn Profile