A security assessment is vital for businesses looking to implement new SaaS, and a detailed SaaS security checklist gives that assessment structure.
Performing a Software-as-a-Service (SaaS) security assessment is a vital part of any company's vendor evaluation process. Data held by a SaaS vendor is not stored on-premises, so sensitive and confidential data sits outside your own perimeter and controls, and its protection depends on the vendor's security controls rather than yours. Every new SaaS product in your portfolio must meet your company's security and regulatory requirements.
A SaaS security questionnaire will ask where the data will be stored, what security measures are in place to ensure data safety, and make sure the vendor is up-to-date with data protection rules and certificates – along with various other questions.
Following general SaaS security best practices and a well-defined checklist will guide this assessment.
A SaaS security checklist is necessary when a company is evaluating the security of a new SaaS solution, and procurement should not move forward unless a proper SaaS risk assessment has been conducted and received the approval of the internal security teams.
It is a separate process from a technology risk assessment, which evaluates application risks with the aim of reducing costs and increasing agility. The SaaS security checklist is drawn up by the purchasing company and completed by the external supplier before the engagement moves forward. An important part of this process is confirming how data is encrypted and who holds the keys: encryption in transit and at rest protects data from outsiders, but it does not by itself prevent the provider from reading the data or sharing it with third parties. Whether the provider can access your data depends on how the encryption keys are managed and on the vendor's contractual commitments, so the checklist should ask about both.
The first part of the SaaS security questionnaire collects general information about the vendor before moving into more detailed questions about its security posture. General information includes contact details and how long the vendor has been in business. Here is the full list of questions in the general information section of the SaaS security checklist:
This section and its subsections go into much more detail about the security of the product. Each subsection of the SaaS security checklist assesses whether the product is fit for its purpose and in line with your company's security policies.
This subsection of the SaaS security checklist establishes who at the vendor is responsible for information security and what policies are already in place to protect the data exchanged between the company and the supplier. The questions are as follows:
Much like organizational security, human resources security covers who at the vendor will be working with your data and what access they have to sensitive information. This part of the SaaS security questionnaire asks whether the vendor has sufficient onboarding and offboarding processes (including prompt removal of access when staff leave), whether it performs background checks, and whether staff receive security training.
This part of the SaaS security questionnaire covers where the servers holding your data are physically located, including the country or region, which matters for data residency requirements, and what physical security controls protect that site.
In this subsection of the SaaS security checklist, the company asks whether the applications and network are regularly tested for vulnerabilities (for example through vulnerability scanning and penetration testing), how findings are remediated, and what countermeasures are in place to prevent and detect breaches.
How are assets managed within the vendor's company, and how is each client's data kept logically separated from that of the supplier's other tenants? This part of the questionnaire also requires the vendor to outline its risk management methodology.
This subsection of the SaaS security questionnaire covers how the application mitigates risk and what processes are in place for development, testing, and operations. The vendor is required to describe its software development methodology and the security measures built into the application development life cycle.
What does the relationship between the vendor and its third-party subcontractors look like? It is important to establish who the subcontractors are, what access to your data they have, and what processes they follow. This part of the SaaS security checklist should list all subcontractors.
Incidents can always happen, so this section of the SaaS security questionnaire requires information on what incidents have occurred in the last year and what incident management processes are in place, including how and when customers are notified. The vendor must share its incident management policy.
The supplier must outline both its Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) to show that it has protocols in place for outages, disasters, and security breaches, including how quickly service and data can be restored.
This section of the SaaS security checklist reveals what operations security is in place: what protection against malicious software is deployed? Are audit logs retained and reviewed, and for how long? This is important for detecting anything unusual during day-to-day operations.
Here the vendor must outline its backup and restoration policies for recovering from a breach, data corruption, or server failure, including how often backups are taken and how restores are tested. Weaknesses here directly affect continued use of the SaaS service and put company data at risk.
In this section of the SaaS security checklist, the vendor must outline its data encryption policy: how data is encrypted in transit and at rest, and how encryption keys are generated, stored, and rotated. This is highly important, as it determines how well the supplier safeguards an organization's data and information from potential threats.
How is sensitive data disposed of, both physically and within the service, including at the end of the contract? The supplier must outline its data disposal policies and ensure that paper records are securely destroyed and computer hardware is wiped according to good industry practice.
In this subsection of the SaaS security questionnaire, the vendor must outline its change management process. This ensures that when the system changes, the service remains secure and customers are informed of changes that affect them.
This final section of the SaaS security checklist confirms that the SaaS provider holds the relevant external security certifications and has passed the assessments that matter to your company. The vendor is asked to provide recent proof, such as current certificates or audit reports.
Once the SaaS security checklist has been completed, the company assesses whether the answers are sufficient and effectively ensure the security of its data and sensitive information. If so, it can move on to the next stage of the SaaS implementation process.
A thorough security assessment is also essential whenever shadow IT discovery surfaces SaaS that is already in use. It provides peace of mind to companies implementing new SaaS solutions and is vital for a successful relationship between both parties.