SaaS Cybersecurity

On-Demand - 6 CPEs

Software as a Service (SaaS) constitutes an increasing risk to enterprises as organizations transition from on-premise business applications to cloud based applications. SaaS applications can contain sensitive enterprise information that can be accessed from any device connected to the Internet.

Due to this significant enterprise risk, SaaS applications need to be assessed for effective security and controls. Unfortunately, this is not easily achieved in SaaS environments.

This on-demand seminar is designed to provide an understanding of foundational SaaS concepts, key risks and associated controls. Throughout the seminar the focus is development of a risk-based approach to protect enterprise information in SaaS applications.

A wide range of globally recognized security and control resources will be highlighted during the seminar that can be used for planning and executing SaaS cybersecurity audits.

The intended audience for this seminar is all auditors (IT Auditors, business auditors, internal and external auditors) and audit management with the responsibility to provide effective assessments of enterprise risk.

Seminar Agenda:

SaaS Key Risks

· Defining SaaS, PaaS, IaaS

· Cloud Service Provider Risks

· SaaS Benefits

· SaaS - Who is responsible for data security?

· Top Threats to Cloud Computing

· Identifying Challenges to SaaS Security

· SaaS Shared Responsibilities

· Third Party Management

· SaaS Security Considerations

· SEC Proposed Rules on Cybersecurity

ERP / SaaS Applications

· ERP Objectives

· ERP Risks

· ERP / SaaS Examples

· ERP Access Management Risks

· ERP Data Integrity Risks

· ERP Business Continuity Risks

Cloud Security Resources

· Center for Internet Security (CIS) Critical Controls

· Cloud Security Alliance - CSA

· FedRAMP

· NIST Cybersecurity Framework

· OWASP

· Verizon Data Breach Investigations Report

· Others …

Cloud / SaaS Governance

· Enterprise Cloud Strategy

· Cloud Risk Management

· Regulatory Compliance

· SaaS Shared / Governance

· Shadow IT / Shadow Cloud

Access Management

· Identity Access Management / IAM

· SaaS Authentication

· SaaS MFA

· Single Sign On - SSO

· SaaS Authorization / User Profiles

· SaaS Shared Access Management Responsibilities

· SaaS Audit Trail / Logs

· SaaS CSP-Owned Log Management Responsibilities

Configuration & Change Management

· Security Configuration Management Risks

· Configuration Management

· Ongoing Configuration Maintenance

· SaaS Shared Change Management

· CIS Controls - Configuration Management

End Point Security / Zero Trust

· Working from Home / WFH

· Cloud Remote Access Options

· Endpoint Security / Zero Trust

· End Point Security – Shared Responsibilities

Encryption Key Management

· NIST 800-57 - Recommendations for Key Management

· Key Management - Shared Responsibilities

API - Application Programming Interface

· Defining API

· API Risks

· API Vulnerability Example

· OWASP API Security Report

· API Management - Vendor Examples

Incident Response Management

· Asset Management

· Incident Response Management

· Incident Response - Shared Responsibilities

SaaS Business Continuity

· SaaS Business Continuity Risks

· Recovery Planning

· BCP/DRP Planning - Shared Responsibilities

· BCP/DRP Planning - CSP Responsibilities

Cloud Security Awareness Training

· Key Components of Awareness Training

· NIST 800-50 - Building Security Awareness Training

Assessing Cloud Vendor Controls

· Contracts – Right to Audit

· Service Organization Controls (SOC) Reports

· SOC2 Reports

· Cloud Vendor Governance - Audit Considerations