SaaS Governance - Coggle Diagram
SaaS Governance
Controls
Broad and detailed discovery
Real-time usage information
Interactions between applications
Vendor financial viability
Alternative Products
Privacy
Data Location
Data Processor Statements
Access to data
Onboarding/Offboarding integration
Types of Risk
Financial
Contract Risk
Overprovisioning
Vendor Lock-in
Price control
Value chain
Software Bill of Materials?
Operational
Strategic, Tactical, or Ad Hoc?
Availability
Capacity
Onboarding/Offboarding
Vulnerability Management
OAuth Delegation risk
Reputational
Data loss
Insider threats
Privacy breaches
Third-party risk
Compliance
Inadequate controls
Data Location
Shifting regulatory landscape
Privacy Shield
EU SCC
UK Consultation
GDPR
What does the UK NCSC say?
https://www.ncsc.gov.uk/collection/saas-security
the SaaS offering should be centrally managed and users given the correct level of access
the SaaS offering should be accessed using up-to-date and regularly patched software
devices accessing the SaaS offering should be configured in line with the NCSC EUD Guidance
users should be made aware of the appropriate use of the service prior to receiving their credentials
user accounts on the service should be suspended when no longer required
audit logs should be monitored and any suspicious activity investigated
SaaS providers publish their security claims in a publicly accessible and easy-to-find location
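As an added example (not part of the Coggle map or the NCSC guidance it links to), the following Python script shows one way to act on two of those points: it reconciles a SaaS tenant's user export against the authoritative staff directory to find accounts that should have been suspended at offboarding, and reads the tenant's audit log to find enabled accounts with no recent activity and any activity by accounts the directory does not know about. The directory, the user export and the audit lines are constructed for illustration; the field names (`email`, `status`, `actor`, `event`, `ts`) are assumptions standing in for whatever the real provider's export and log use.

```python
"""Offboarding reconciliation and dormant-account check for a SaaS tenant.

Added example; not from the Coggle page or the NCSC guidance it cites.
All inputs below are constructed, and the record layout is an assumption.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed: current staff according to the HR/IdP directory (authoritative).
DIRECTORY = {"alice@example.com", "bob@example.com", "carol@example.com"}

# Constructed: user export from the SaaS admin console/API.
SAAS_USERS = [
    {"email": "alice@example.com", "status": "active", "role": "admin"},
    {"email": "bob@example.com", "status": "active", "role": "member"},
    {"email": "carol@example.com", "status": "suspended", "role": "member"},
    {"email": "dave@example.com", "status": "active", "role": "member"},  # left the company
    {"email": "svc-export@example.com", "status": "active", "role": "admin"},  # not in directory
]

# Constructed: JSON-lines audit log from the SaaS provider.
AUDIT_LOG = """\
{"ts": "2024-05-01T08:12:00Z", "actor": "alice@example.com", "event": "login", "ip": "203.0.113.10"}
{"ts": "2024-05-02T09:30:00Z", "actor": "bob@example.com", "event": "login", "ip": "203.0.113.11"}
{"ts": "2024-02-10T17:45:00Z", "actor": "dave@example.com", "event": "login", "ip": "198.51.100.7"}
{"ts": "2024-05-03T02:14:00Z", "actor": "svc-export@example.com", "event": "export", "ip": "198.51.100.99"}
"""

NOW = datetime(2024, 5, 6, tzinfo=timezone.utc)  # fixed clock so the run is reproducible
DORMANT_AFTER = timedelta(days=60)                # inactivity window before an account is flagged


def parse_audit_log(text):
    """Parse JSON-lines audit events; skip blank or malformed lines instead of aborting."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        except (ValueError, KeyError, AttributeError):
            continue  # a broken line should not hide findings in the rest of the log
        events.append(rec)
    return events


def last_seen(events):
    """Latest timestamp per actor, counting any event type as activity."""
    seen = {}
    for e in events:
        if e["actor"] not in seen or e["ts"] > seen[e["actor"]]:
            seen[e["actor"]] = e["ts"]
    return seen


def reconcile(saas_users, directory, events, now=NOW, dormant_after=DORMANT_AFTER):
    """Return accounts to suspend (orphaned), accounts to review (dormant) and
    audit events by accounts the directory does not know (suspicious)."""
    seen = last_seen(events)
    active = [u for u in saas_users if u["status"] == "active"]
    orphaned = sorted(u["email"] for u in active if u["email"] not in directory)
    dormant = sorted(
        u["email"] for u in active
        if u["email"] not in seen or now - seen[u["email"]] > dormant_after
    )
    orphan_set = set(orphaned)
    suspicious = sorted(
        (e["ts"].isoformat(), e["actor"], e["event"])
        for e in events if e["actor"] in orphan_set
    )
    return {"orphaned": orphaned, "dormant": dormant, "suspicious": suspicious}


if __name__ == "__main__":
    report = reconcile(SAAS_USERS, DIRECTORY, parse_audit_log(AUDIT_LOG))
    for key, items in report.items():
        print(key)
        for item in items:
            print("  ", item)
```

Run against the constructed data, the report lists `dave@example.com` and `svc-export@example.com` as active accounts unknown to the directory, `dave@example.com` as dormant, and the two audit events those accounts produced. The check treats any audit event as activity rather than only logins, because an API or service account that exports data without ever interactively signing in is exactly the kind of account this control is meant to catch.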
Discovery risk
Background to SaaS Management Use Cases
Cost Management (Cockpit)
Risk Management / Governance
SaaSOps (Mastering)
Article content
Why is a SAM tool and SAM Governance platform needed
What are the limitations for using existing tech for managing SaaS
Why is a dedicated SaaS tool needed for governance?
What is different about SaaS risk?
Cadence
Volume
Not all managed centrally
It's not desirable to manage centrally
Department/Democratic IT
SaaS drives business value
Why you need both a SAM tool and SaaS Governance platform
Use SAM tool to manage the big stuff
Managed Services for the long tail
SaaS Governance provides the intelligence for stakeholders to meet their objectives/desire
Wrap these three things up into a Case Study
Find partner contact at Snow
NIST Risk Management framework
Prepare – Includes all cybersecurity and other activities to prepare the organization to manage security and privacy risks
Categorize – The step to categorize the information processed, stored, and transmitted. It is based on the impact analysis
Select – Controls required to manage the risk
Implement – Implement controls
Assess – Assess the controls put in place to note if these are effective and producing the desired results
Authorize – Business leaders and stakeholders make a risk-based decision to authorize the system
Monitor – Monitor risks to business-critical systems and any controls implemented