Re: Securing Data in SaaS Applications

["Santucci, Anthony" <santucaj () WFU EDU>]

Hi Cyndie ..  we have a work-in-progress process that I manage for what we
call software evaluations.  I have attached our checklist that we currently
use.

We have been using a set of questions for InfoSec, PCI, BCDR and
accessibility that I would say is a subset of the HECVAT.  It seems to be
working for us right now and overtime I expect to do CSI as the campus gets
more and more comfortable with the process.  Right now, it has been great
except for occasional bottlenecks due to slow vendor response times or
limited resources to review the documentation.

Once the evaluation is complete and it moves to 'production',  can usually
glean SLA/SLR info from the contract which helps me complete the Service
Portfolio information (last page of attachment).  I work very closely with
procurement, legal, info sec and the requester.

Excellent questions regarding SLA/SLR -- like Sue, we "*ensure the contract
or SLAs contains language that protects the institution's data*."

I would like to establish a yearly (periodic?) review for each of the
solutions but that would take an army of people so any suggestions as to
how we can establish a criteria would be great.  This is a good idea - "*write
into the contract that we want documents each year (at our request).*"  I
will float that by our team here.

Thanks,
Anthony

--------------------------------------------
*Anthony J. Santucci*
*Manager, Service Management*
*Information Systems*
*Wake Forest University*

On Thu, Feb 15, 2018 at 5:38 PM, Sue McGlashan <sue.mcglashan () utoronto ca>
wrote:

> Hi Cyndie
>
> This will part of one of the panel discussions at the Security
> Professionals Conference, and something I work with daily - not that I have
> all (or even many) of the answers.
>
> I am really happy Ruth (procurement) answered - we work with Procurement,
> and the departments, in trying to ensure the contract or SLAs contain
> language that protects the institution's data.
>
> We assess the information in the HECVAT, and in whatever other
> documentation we manage to get (SOCS, application scans, summaries of
> pentests), to assess whether controls are sufficient.
>  - and we write into the contract that we want documents each year (at our
> request).
>
>  I think most important after reviewing the HECVAT and other provided
> docs, and assuming the company passes your requirements, is a good contract
> that specifies where data resides, how you would be informed if there is a
> breech, how you would receive logs, how you obtain your data when you need
> it (standard format), that the company maintains security posture, ... ...
>
>  - and then how do we manage to review each year / who monitors?  - good
> question. As I said, we do not have all of the answers. I look forward to
> hearing what others think.
>
> Note.  There needs to be some triage.  Our small group cannot look at
> every SaaS vendor.
>
> --
> Sue McGlashan M.Ed. CISSP CCSK
> ISA, Information Security and Enterprise Architecture
> Information and Technology Services
> University of Toronto
> Phone 416-946-3260
>
> This email communication is intended only for the person or entity to
> which it is addressed and may contain confidential and/or privileged
> information. Any use of this information by persons or entities other than
> the intended recipient is prohibited. If you received this in error, please
> contact the sender and delete the email and all copies (electronic or
> otherwise) immediately.
>
>
> On 2018-02-15, 5:18 PM, "The EDUCAUSE Security Constituent Group Listserv
> on behalf of Ruth Ginzberg" <SECURITY () LISTSERV EDUCAUSE EDU on behalf of
> rginzberg () UWSA EDU> wrote:
>
>     Hi Cyndie,
>
>     Procurement person here...
>
>     This is a great set of questions - ones that you should discuss
> internally with other stakeholders at your institution.  The thing that
> matters most is that everybody is on the same page and knows who is doing
> that, so that it doesn't accidentally turn out to be, "Mr/Ms. Nobody!"
>
>     Regards,
>
>
>     Ruth Ginzberg, CISSP, CTPS
>     Sr. I.T. Procurement Specialist
>     University of Wisconsin System
>     608-890-3961
>
>     -----Original Message-----
>     From: The EDUCAUSE Security Constituent Group Listserv [mailto:
> SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Cyndie Holmes
>     Sent: Thursday, February 15, 2018 4:02 PM
>     To: SECURITY () LISTSERV EDUCAUSE EDU
>     Subject: [SECURITY] Securing Data in SaaS Applications
>
>     The vendor completed the HECVAT and a university is purchasing a SaaS
> service. Now what?
>
>     Trying to determine who has the responsibility for ensuring contracts
> or SLAs contain language that protects the institution's data. The owner
> (academic department or business function), procurement, IT, or Legal?
> Someone else?
>
>     If the contract or SLA contains sufficient protection for the
> institution's data, who monitors the vendor for compliance with the
> contract or SLA data security controls?
>
>     How are data security controls monitored if the contract or SLA
> contains no language for customer monitoring? Who monitors?
>
>     Thanks

Attachment: Software_Eval_Checklist.pdf
Description: