Cybersecurity Risks in SaaS Applications

On-Demand - 6 CPEs


Software as a Service (SaaS) constitutes an increasing risk to enterprises as organizations transition from on-premises business applications to cloud-based applications. SaaS applications can hold sensitive enterprise information that is reachable from any device connected to the Internet.

Due to this significant enterprise risk, SaaS applications need to be assessed for effective security and controls. Unfortunately, this is not easily achieved in SaaS environments.

This on-demand seminar is designed to provide an understanding of foundational SaaS concepts, key risks and the associated controls. Throughout the seminar the focus is on developing a risk-based approach to protecting enterprise information in SaaS applications.

A wide range of globally recognized security and control resources that can be used for planning and executing SaaS cybersecurity audits will be highlighted during the seminar.

The intended audience for this seminar is all auditors (IT Auditors, business auditors, internal and external auditors) and audit management with the responsibility to provide effective assessments of enterprise risk.



Seminar Agenda:

SaaS Key Risks

· Defining SaaS, PaaS, IaaS

· Cloud Service Provider Risks

· SaaS Benefits

· SaaS - Who is responsible for data security?

· Top Threats to Cloud Computing

· Identifying Challenges to SaaS Security

· SaaS Shared Responsibilities

· Third Party Management

· SaaS Security Considerations

· SEC Proposed Rules on Cybersecurity


ERP / SaaS Applications

· ERP Objectives

· ERP Risks

· ERP / SaaS Examples

· ERP Access Management Risks

· ERP Data Integrity Risks

· ERP Business Continuity Risks


Cloud Security Resources

· Center for Internet Security (CIS) Critical Controls

· Cloud Security Alliance - CSA

· FedRAMP

· NIST Cybersecurity Framework

· OWASP

· Verizon Data Breach Investigations Report

· Others …


Cloud / SaaS Governance

· Enterprise Cloud Strategy

· Cloud Risk Management

· Regulatory Compliance

· SaaS Shared / Governance

· Shadow IT / Shadow Cloud


Access Management

· Identity and Access Management / IAM

· SaaS Authentication

· SaaS MFA

· Single Sign On - SSO

· SaaS Authorization / User Profiles

· SaaS Shared Access Management Responsibilities

· SaaS Audit Trail / Logs

· SaaS CSP-Owned Log Management Responsibilities


Configuration & Change Management

· Security Configuration Management Risks

· Configuration Management

· Ongoing Configuration Maintenance

· SaaS Shared Change Management

· CIS Controls - Configuration Management


Endpoint Security / Zero Trust

· Working from Home / WFH

· Cloud Remote Access Options

· Endpoint Security / Zero Trust

· Endpoint Security – Shared Responsibilities


Encryption Key Management

· NIST SP 800-57 - Recommendation for Key Management

· Key Management - Shared Responsibilities


API - Application Programming Interface

· Defining API

· API Risks

· API Vulnerability Example

· OWASP API Security Report

· API Management - Vendor Examples


Incident Response Management

· Asset Management

· Incident Response Management

· Incident Response - Shared Responsibilities


SaaS Business Continuity

· SaaS Business Continuity Risks

· Recovery Planning

· BCP/DRP Planning - Shared Responsibilities

· BCP/DRP Planning - CSP Responsibilities


Cloud Security Awareness Training

· Key Components of Awareness Training

· NIST SP 800-50 - Building an Information Technology Security Awareness and Training Program


Assessing Cloud Vendor Controls

· Contracts – Right to Audit

· System and Organization Controls (SOC) Reports

· SOC 2 Reports

· Cloud Vendor Governance - Audit Considerations


Course Curriculum

  Introductory Sessions
  SaaS Risks
  Enterprise Resource Planning
  Audit Resources
  Governance
  Access Management
  Configuration and Change Management
  Endpoint Security
  Encryption
  Application Programming Interface
  Incident Response
  SaaS Business Continuity
  Security Awareness
  Vendor Assessments
  Concluding Sessions