Re: Securing Data in SaaS Applications

[Sue McGlashan <sue.mcglashan () UTORONTO CA>]

Hi Cyndie

This will part of one of the panel discussions at the Security Professionals Conference, and something I work with 
daily - not that I have all (or even many) of the answers.

I am really happy Ruth (procurement) answered - we work with Procurement, and the departments, in trying to ensure the 
contract or SLAs contain language that protects the institution's data.

We assess the information in the HECVAT, and in whatever other documentation we manage to get (SOCS, application scans, 
summaries of pentests), to assess whether controls are sufficient.
 - and we write into the contract that we want documents each year (at our request).

 I think most important after reviewing the HECVAT and other provided docs, and assuming the company passes your 
requirements, is a good contract that specifies where data resides, how you would be informed if there is a breech, how 
you would receive logs, how you obtain your data when you need it (standard format), that the company maintains 
security posture, ... ... 

 - and then how do we manage to review each year / who monitors?  - good question. As I said, we do not have all of the 
answers. I look forward to hearing what others think.

Note.  There needs to be some triage.  Our small group cannot look at every SaaS vendor.  

-- 
Sue McGlashan M.Ed. CISSP CCSK
ISA, Information Security and Enterprise Architecture 
Information and Technology Services
University of Toronto
Phone 416-946-3260 
 
This email communication is intended only for the person or entity to which it is addressed and may contain 
confidential and/or privileged information. Any use of this information by persons or entities other than the intended 
recipient is prohibited. If you received this in error, please contact the sender and delete the email and all copies 
(electronic or otherwise) immediately.
 
 
On 2018-02-15, 5:18 PM, "The EDUCAUSE Security Constituent Group Listserv on behalf of Ruth Ginzberg" <SECURITY () 
LISTSERV EDUCAUSE EDU on behalf of rginzberg () UWSA EDU> wrote:

    Hi Cyndie,
    
    Procurement person here...
    
    This is a great set of questions - ones that you should discuss internally with other stakeholders at your 
institution.  The thing that matters most is that everybody is on the same page and knows who is doing that, so that it 
doesn't accidentally turn out to be, "Mr/Ms. Nobody!"
    
    Regards,
    
    
    Ruth Ginzberg, CISSP, CTPS
    Sr. I.T. Procurement Specialist
    University of Wisconsin System
    608-890-3961
    
    -----Original Message-----
    From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of 
Cyndie Holmes
    Sent: Thursday, February 15, 2018 4:02 PM
    To: SECURITY () LISTSERV EDUCAUSE EDU
    Subject: [SECURITY] Securing Data in SaaS Applications
    
    The vendor completed the HECVAT and a university is purchasing a SaaS service. Now what? 
    
    Trying to determine who has the responsibility for ensuring contracts or SLAs contain language that protects the 
institution's data. The owner (academic department or business function), procurement, IT, or Legal? Someone else?
    
    If the contract or SLA contains sufficient protection for the institution's data, who monitors the vendor for 
compliance with the contract or SLA data security controls?
    
    How are data security controls monitored if the contract or SLA contains no language for customer monitoring? Who 
monitors?
    
    Thanks