Educause Security Discussion mailing list archives

Re: Securing Data in SaaS Applications


From: Ruth Ginzberg <rginzberg () UWSA EDU>
Date: Thu, 22 Feb 2018 19:14:38 +0000

Hi,

“Procurement” here…

What we (“Procurement”) would say is that for each technology acquisition you need to do a requirements analysis first, 
and determine what your requirements are before soliciting bids or proposals from suppliers.  That would include your 
information security requirements.

When you receive a completed HECVAT you should already have determined in advance (unique to that particular 
acquisition) which items in the HECVAT speak to requirements for that particular service/software/XaaS.   So then you 
simply need to compare the supplier’s responses against your requirements.

There will likely be some items in the HECVAT that you will require of ALL technology acquisitions, and others that are 
particular only to certain individual technology acquisitions.  Some items will sometimes or always be irrelevant – 
depending on your particular environment.  Which items are required and/or nice-but-not-necessary for any particular 
technology acquisition is something that needs to be determined by the CISO.  Once the CISO has done that, the 
Procurement professional might be able to check off whether they are addressed or not, and with some amount of training 
and experience, whether they are probably addressed satisfactorily or not, and then simply pass his or her assessment 
on to the CISO for review and sign-off.

Disclaimer:  MHO.  My institution has, wisely, never authorized me to speak on its behalf.


Ruth Ginzberg, CISSP, CTPS
Sr. I.T. Procurement Specialist
University of Wisconsin System
608-890-3961

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Ronald 
King
Sent: Thursday, February 22, 2018 12:54 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Securing Data in SaaS Applications

This is great. We have had fairly good luck with getting the HECVAT completed by vendors, but we too end up with "what 
now?" We have been trying to work flow this. So, the timing of the question and discussion is great. For us it is 
Procurement that manages contracts.

One thing I was wondering: Since the HECVAT is not a contract/SLA, what is to prevent the vendor from changing 
something, like physical location of where the data is stored, 30 days after completing the HECVAT? The requirement in 
the contract to reassess on a regular basis is great. This will help us moving forward. However, reevaluating a new 
HECVAT for every cloud vendor every year seems a daunting task for smaller staffed organizations. Does anyone require 
the acceptable HECVAT responses be incorporated into the contract or SLA?

Thanks,
Ron

Ronald A. King, CISSP
Chief Information Security Officer
Morgan State University
1700 E. Cold Spring Ln.
Baltimore, MD 21251
Office: (443) 885-3372
Email: ronald.king () morgan edu
URL: http://www.morgan.edu

Growing the future ... Leading the world <http://www.morgan.edu/Documents/ABOUT/StrategicPlan/StrategicPlan2011-21_Final.pdf>


On Fri, Feb 16, 2018 at 10:32 AM, Santucci, Anthony <santucaj () wfu edu> wrote:
Hi Cyndie ..  we have a work-in-progress process that I manage for what we call software evaluations.  I have attached 
our checklist that we currently use.

We have been using a set of questions for InfoSec, PCI, BCDR and accessibility that I would say is a subset of the 
HECVAT.  It seems to be working for us right now and over time I expect to do CSI as the campus gets more and more 
comfortable with the process.  Right now, it has been great except for occasional bottlenecks due to slow vendor 
response times or limited resources to review the documentation.

Once the evaluation is complete and it moves to 'production', I can usually glean SLA/SLR info from the contract which 
helps me complete the Service Portfolio information (last page of attachment).  I work very closely with procurement, 
legal, info sec and the requester.

Excellent questions regarding SLA/SLR -- like Sue, we "ensure the contract or SLAs contains language that protects the 
institution's data."

I would like to establish a yearly (periodic?) review for each of the solutions but that would take an army of people 
so any suggestions as to how we can establish a criteria would be great.  This is a good idea - "write into the 
contract that we want documents each year (at our request)."  I will float that by our team here.

Thanks,
Anthony

--------------------------------------------
Anthony J. Santucci
Manager, Service Management
Information Systems
Wake Forest University

On Thu, Feb 15, 2018 at 5:38 PM, Sue McGlashan <sue.mcglashan () utoronto ca> wrote:
Hi Cyndie

This will be part of one of the panel discussions at the Security Professionals Conference, and something I work with 
daily - not that I have all (or even many) of the answers.

I am really happy Ruth (procurement) answered - we work with Procurement, and the departments, in trying to ensure the 
contract or SLAs contain language that protects the institution's data.

We assess the information in the HECVAT, and in whatever other documentation we manage to get (SOCS, application scans, 
summaries of pentests), to assess whether controls are sufficient.
 - and we write into the contract that we want documents each year (at our request).

I think most important after reviewing the HECVAT and other provided docs, and assuming the company passes your 
requirements, is a good contract that specifies where data resides, how you would be informed if there is a breach, how 
you would receive logs, how you obtain your data when you need it (standard format), that the company maintains 
security posture, ... ...

- and then how do we manage to review each year / who monitors?  - good question. As I said, we do not have all of the 
answers. I look forward to hearing what others think.

Note.  There needs to be some triage.  Our small group cannot look at every SaaS vendor.

--
Sue McGlashan M.Ed. CISSP CCSK
ISA, Information Security and Enterprise Architecture
Information and Technology Services
University of Toronto
Phone 416-946-3260



On 2018-02-15, 5:18 PM, "The EDUCAUSE Security Constituent Group Listserv on behalf of Ruth Ginzberg" <SECURITY () LISTSERV EDUCAUSE EDU on behalf of rginzberg () UWSA EDU> wrote:

    Hi Cyndie,

    Procurement person here...

    This is a great set of questions - ones that you should discuss internally with other stakeholders at your 
institution.  The thing that matters most is that everybody is on the same page and knows who is doing that, so that it 
doesn't accidentally turn out to be, "Mr/Ms. Nobody!"

    Regards,


    Ruth Ginzberg, CISSP, CTPS
    Sr. I.T. Procurement Specialist
    University of Wisconsin System
    608-890-3961

    -----Original Message-----
    From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Cyndie Holmes
    Sent: Thursday, February 15, 2018 4:02 PM
    To: SECURITY () LISTSERV EDUCAUSE EDU
    Subject: [SECURITY] Securing Data in SaaS Applications

    The vendor completed the HECVAT and a university is purchasing a SaaS service. Now what?

    Trying to determine who has the responsibility for ensuring contracts or SLAs contain language that protects the 
institution's data. The owner (academic department or business function), procurement, IT, or Legal? Someone else?

    If the contract or SLA contains sufficient protection for the institution's data, who monitors the vendor for 
compliance with the contract or SLA data security controls?

    How are data security controls monitored if the contract or SLA contains no language for customer monitoring? Who 
monitors?

    Thanks
