San Antonio IIA Board of Governors Meeting

Vendor Risk Considerations for SaaS Providers September 12, 2019 SaaS Implementation Audit Pioneer Energy Services is a publicly traded company. ASC 842, effective January 1, 2019 for publicly traded companies and January 1, 2021 for private companies. Lease Management SaaS Provider to comply with the new standard. High Level Assessment Data Asset Risk Evaluation: Is the application being used for a critical business function?

How would your organization be harmed if: The data asset became widely public and/or widely distributed. An employee of the provider accessed the asset in an unauthorized manner. The data / process / function were manipulated by an outsider. The process / function failed to provide expected results. The information/data were unexpectedly changed. The data asset was unavailable for a period of time. High Level Assessment

Financial Impact Operation Impact Compliance Impact Information Classification Logical Access Global Parameters Data Transmissions System Stability

Application Version Password Settings Physical Access Patch Management Info Sec & Infrastructure

Monitoring Business Continuity Network Architecture Date of Last Audit by IA Prior IA Audit Rating Detailed Level Assessment Provider Considerations Is the solution provider an industry leader, small player, niche player or new-comer? What is the size of the solution providers operations consider number of employees, annual revenues, etc. Where is the service providers headquarters? History: how long as the solution provider been in business? Are there current issues of concern?

List the providers current/prior clients, if known. Detailed Level Assessment Terms of Service Explain the limitations to how your organization can use the service as outlined in the providers acceptable usage policies, licensing rights or other provider usage restrictions. What advance notice will be provided by the provider for any change of terms? Does the contract / terms of service outline meaningful liability for the provider in the event that the environment / data is breached. Is there a cap on liability? Does the provider have cyber risk insurance in place? If so, please provide coverage details Detailed Level Assessment

Service Level Agreement Considerations Does the SLA identify minimum performance? Does the provider provide regular service management reports? Does the SLA include penalties for provider non-compliance with the agreement? Does the SLA include warranties that address data security, alteration and loss? Detailed Level Assessment Third Party Considerations Does the provider use a third party to provide the required services? What services are provided by the third party? What type of relationship does the provider have with the third party?

Does the provider monitor service continuity with upstream providers in the event of provider failure? Detailed Level Assessment Provider Administration Who at the provider can access your environment and/or data? How is their access controlled, logged, reported and reviewed? What is the providers downtime plan? What is the providers peak load, and is there sufficient capacity for this? Can SaaS provider timely and efficiently resolve backlogs when they occur? Detailed Level Assessment Provider Disaster Recovery/Continuity Does SaaS provider agreement outlines requirements for SaaS provider to

1) maintain and test DR and business continuity plans on at least annual basis; and 2) provide copies of such plans and testing results to PES? If so, obtain testing results and indicate when it was last tested. Does the provider have a failover site? If so, is the failover site certified to the same standards as the primary facility? Please describe. Where is the failover site located? Are there separate jurisdictional considerations that should be factored? What service-level guarantee does the provider offer under recovery conditions? Detailed Level Assessment Multi-tenancy (identify if a third party is involved) Is your environment set up on dedicated hardware, or do multiple tenants exist? If the latter, how does the provider control/restrict access to your organizations environment?

How does the provider segregate your environment from other tenants? Scalability Are the services provided by the provider scalable? Are there any limits? Detailed Level Assessment Compliance Have all regulatory requirements been identified? If so, by whom? Outline all regulatory requirements.

Does the provider store PII (Personally Identifiable Information)? If so, how is PII data handled differently than other data? Provide / attach evidence of PCI-DSS (Payment Card Industry Data Security Standard) compliance, if applicable. Does the contract state that the provider will provide evidence of compliance as soon as finalized? If not, why not? Does the proposed solution comply with WCAG 2.0 Level A and AA requirements? If so, provide/attach evidence.

Does service agreement provide a right to perform security audits of SaaS provider to ensure providers' security policies align with your organization? Audits can involve on-site visits and remote testing and may leverage independent third parties. Detailed Level Assessment Maintenance & Support What are the providers customer support hours? Do these work for the business area considering the solution? Are the providers routine maintenance windows manageable? Does the provider have meaningful problem response and resolution commitments to ensure support provided is sufficient and/or effective? Does the provider give notice of material reductions in functionality?

Detailed Level Assessment Termination Can your data and service be moved / transferred to another provider at any time? Are export utilities available and easy to use? Describe the process to terminate the service. Do we have the right to terminate if the provider introduces material modifications to service terms? Is there a right of termination for material breach of applicable privacy and security obligations? Specify any fees that may be incurred at the end of the service. (e.g. data transfer fees; penalties; etc.) Data transfer process after terminating services.

Detailed Level Assessment Application Security What standards does the provider follow for application development? Do these include rigorous testing and acceptance protocols? Has the SaaS application gone through thorough testing (as part of the Service Providers development lifecycle) for security vulnerabilities? What application security measures are used in the production environment (e.g., application-level firewall, database logging / auditing, etc.)? How is data integrity assured? What controls exist over internal processing? Are session timeouts available and customizable? Are timeouts enforced to ensure the integrity of SaaS application sessions?

Detailed Level Assessment Application Security Does the service provider offer an iOS or Android app? If so, is any data stored on the mobile device? Does a jail broken version of the mobile app exist that is available for download? Does the application provide a desktop client for data synchronization? If so, describe the type of data that is being synchronized. Does the application require any software to run on any of the customers enterprise servers? If so, describe the function of the software and the nature of its communication with your SaaS application. Detailed Level Assessment Authentication

Can the solutions user authentication be integrated with our user authentication protocols? Does the application support the automated import of identities (e.g. from Active Directory)? Are SaaS user passwords masked, encrypted, stored in a visible file? Do SaaS application password settings meet your organizations policy?

Does the SaaS application support SAML? What type of password retrieval methods are utilized by the application? Static challenge/response? Dynamic knowledge-based authentication? Does application allow for anonymous usage? What areas require authentication? Detailed Level Assessment Authentication

What type of password retrieval methods are utilized by the application? Static challenge/response? Dynamic knowledge-based authentication? Does the application support authentication filtering based on device and/or IP address? Are there controls to log and monitor all sign-on attempts, both valid and invalid? Are all invalid sign-on attempts logged and monitored? Is all access to the system monitored? (access via application and database?)

Does the application have controls in place to prevent unauthorized access to the system? Does the system lock out after a certain number of invalid sign-on attempts? Detailed Level Assessment Data Access Does the provider have access to your data, and if so, what restrictions are there over this level of access? Are there secondary uses of the areas account information or

data without the business areas knowledge or consent by the provider and / or affiliates? Can any third party access your data, and if so, how? Detailed Level Assessment Data Ownership Does the provider reserve rights to use, disclose or make public the areas account information and / or data? Do the intellectual property rights of your organizations data remain intact (if applicable)? Does the provider retain rights to your data even if data is removed from the provider? Detailed Level Assessment Data Transmission

What security features exist for data transmitted back and forth between the user and the provider? Are data transfers manual or automated? What security features exist if the provider transmits data from one location to another (if applicable)? What are the providers data leak prevention capabilities? Detailed Level Assessment Data Integration Attach both a process flow and a detailed data flow diagram. Will the service / solution require integration with other solutions / data, either on premise or in the cloud? If so, please describe. Does the service / solution support automated file transfers or web service calls? Is there a secured location to store files that can be picked up? In what format(s) can data be delivered (e.g., files on secure FTP or service

calls)? Is a third-party involved in the integration process? Detailed Level Assessment Data storage / backup (identify if a third party is involved) Where and how will your data be stored? Are there impacts on security in light of the differences in legal / regulatory compliance requirements depending on storage location? Any data stored outside the US? What is the frequency of data backups? Are backup procedures adequate and/or in line with your organization's practices?

Are data backups stored on-site or off-site? If the data is stored off-site, does a subcontractor store it? If so, list all relevant sub-contractors. Does restoration includes data restoration and system restoration? Is there controlled access to the data and storage media? Please describe. Do the providers administrators have access to view the customers data in clear text? Are there role-based processes in place to ensure that only the appropriate individuals within the service providers organization will have access to customer data? Detailed Level Assessment Data storage / backup (identify if a third party is involved)

How is stored and backup data protected / secured by the provider (e.g., encryption, tokenized, anonymized). If so, please explain the process in detail? If backup data is encrypted, is it done at the mounted storage volume level? Using transparent data encryption? At the file level? How are encryption keys managed? manage their own encryption keys?

If the SaaS provider will be managing the keys, what defined processes are in place for key lifecycle management? (key creation, deletion, storage, rotation, etc.) Does your organization have the capabilities to identify and respond to encryption failures or misconfigurations in a timely manner. Does each customer have the option to Detailed Level Assessment Data storage / backup (identify if a third party is involved)

Will a local backup be made of data stored by the provider? If so, by whom, how often, where will it be stored and how / how often will it be tested? What is the process to restore data from the providers backup? Can data be recovered for a specific customer in case of failure or data loss? Detailed Level Assessment Data Retention What specific fields will be retained? What is the retention period for each data field? How often does the provider delete data? Has your organization developed data retention and purge directives for assets stored by the SaaS provider to ensure data are retained only for the time required by law or for business needs.

Are data egress terms clearly outlined in the contract? Detailed Level Assessment Data Retention Will your organizations data be permanently erased from the solution, including any backup storage, when this data is deleted or the service ended? Is verification provided that data has been securely deleted after termination of service? Detailed Level Assessment Security Explain the providers available security features, and whether these are supported by an independent information security management certification (e.g., ISO/IEC 27001).

Does the provider use systematic detection, including log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting, and active response. Please describe. Does the provider have a cyber plan in place? If so, please provide details. Have there been any major security incident(s) reported with the provider in the last two years? If so, detail the incident(s) and resolution(s). Detailed Level Assessment Security What activities are logged by the provider? Does the providers logging and monitoring framework allow isolation of an incident to specific tenants? Who can set up activities to be logged? Who has access to these logs? Where are they stored? Who can modify the logs?

Which audit logs are available the organization to review? (e.g. user activity logs). Are such logs sufficient to your organizations needs? Detailed Level Assessment Security How long are logs maintained by the provider? What alerts can be set in the system?

Who gets notified by the alert? If virtual machines are in use by the provider, does the providers virtual machine management infrastructure include a tamper audit or software integrity function to detect changes to the build/ configuration of the virtual machine? Does the provider leverage encryption to protect data and virtual machine images during transport across and between networks and hypervisor instances?

Detailed Level Assessment Physical Security Is the location where your data is stored secure? Does the provider have a rigorous physical access protocol? If a third party is involved, will your organization have access to the third partys SOC 2 and / or any other independent security / control audit / assessment report(s)? Detailed Level Assessment Incident Management What is the providers incident response procedure for handling a security or data breach? Does SLA outline provider's responsibility to report security breach incidents? If yes, what is the timeline?

Does the providers incident response plan comply with industry standards for legally admissible chain-of-custody management processes and controls? Is the provider capable of supporting litigation holds (freeze of data from a specific point in time) for a specific tenant without freezing other tenant data? Detailed Level Assessment Incident Management Describe your organizations process to report an incident to the provider. Describe the providers process to report an incident involving the environment / data to your organization. Describe the providers reporting mechanism for security and / or other incidents. In what format do notifications go out, and

what information do they contain? Detailed Level Assessment Independent audit / assessment When are audits conducted (i.e., frequency)? What standard / certification is used to conduct audits (e.g., ISO 27001, SSAE 16 SOC 2, etc.)? Will your organization receive a copy of the audit report when finalized? Is this requirement outlined in the contract with the service provider? What is the date of the latest SOC report? Does your organization have the right to audit the provider? If so, is this right outlined in the contract / terms of service? If not, why not? Does the provider perform regular vulnerability assessments / penetration tests to determine security gaps? Have the most recent security risks / gaps identified been mitigated?

Detailed Level Assessment Relationship Management Will the area assign a Vendor Relations Manager (VRM) to oversee the relationship with the provider? Does your organization have a process in place to monitor SaaS application and related resources. Does your organization have a process in place to formally review the providers performance at least annually against the contract and Service Level Agreement in collaboration with Information Technology Services? Has an internal process been established to formally review the contract with the provider at least annually? Detailed Level Assessment Local Administration Who will be the local administrator in the department / area?

Areas business continuity Will the area be developing a business continuity plan for when the solution / service or data is not available? If so, by when? If not, why not?

Recently Viewed Presentations

  • Bell Work - 1.cdn.edl.io

    Bell Work - 1.cdn.edl.io

    Synonym:secretive, hidden,covert, sly, sneaky Justification: I think that the word furtive means secretive because Crissy is trying to stay hidden from her parents. recompose
  • Diapozitiv 1 - zvu.hr

    Diapozitiv 1 - zvu.hr

    Kategorije prikazuju mogučnost aplikacije teorije dinamičkih sistema Imogene M. King u praktičko obravnavanje. Rezultat istraživanja je način aplikacije dinamičkih sistema u svakodnevan život starostnika sa šečernom bolešču sestavljen na osnovi praktičkih činjenica(Harih, 2008 ...
  • PowerPoint Presentation - Metacognition

    PowerPoint Presentation - Metacognition

    The work of self-regulation calls for students to identify patterns, draw of inferences, and make comparisons. Self-regulation is essential in order to increase both declarative and procedural knowledge. Solid Evidence There is ample PER evidence to show that metacognition and...
  • Title of presentation goes here - UMass Amherst

    Title of presentation goes here - UMass Amherst

    College of Nat Sciences. C. Lannert. Physics. S. Compton. Biochem ... Understand pollutions impact on local ecosystems (food web, water chemistry, water cycle) Communicate and navigate local government. Fracking (inspired by 8th grade framework)
  • Knee Evaluation - University of Michigan

    Knee Evaluation - University of Michigan

    Evaluation of Knee Injuries. Dr. Alan A. Zakaria, D.O., M.S. 1080 Kirts Blvd., Suite 400 ... Medial Collateral Ligament (MCL) ... Maximum tension at full extension. Restraint to valgus stress. Knee Anatomy: Lateral Collateral Ligament (LCL) Posterosuperior lateral femoral condyle...
  • Chapter 3 The Basic Structure of a Cell

    Chapter 3 The Basic Structure of a Cell

    copyright cmassengale * Golgi Animation Materials are transported from Rough ER to Golgi to the cell membrane by VESICLES copyright cmassengale ER Golgi Body * Endoplasmic Reticulum - ER Found in both plant and animal cells Network of tubes Transport...
  • Soil & Vegetation

    Soil & Vegetation

    Mixed Forest. South of the boreal forest in eastern Canada is a . mixed forest. of coniferous and deciduous trees. Soils in mixed forest regions are suitable for farming. Today, little of the forest remains in the southern part of...
  • Love, Love - Paperless Hymnal

    Love, Love - Paperless Hymnal

    873 1 - Love, Love Group 1 1. Love, love, love, love, the gospel in a word is love, Love thy neighbor as thy brother, love, love, love. Group 2 Group 3