corpgov:saasapp

Table of Contents

SaaS Application Controls
- Control Satisfaction Matrix
  - Major Document History
SaaS Compliance Mapping Matrix
- SaaS Quarterly Reports Matrix

SaaS Application Controls

Control Satisfaction Matrix

Framework Standard	Category	Controls Satisfied	800-53r4 Controls	ISO/SEC 27001	Audit Controls
DLZP Internal	None	None	None	None	None

Major Document History

Date	Comment	Who
8/16/2019	Added SaaS Matrix, Quarterly Rpt Matrix	Tharp
8/19/2019	Updated Quarterly Rpt Matrix	Tharp
8/29/2019	Copied Content For IS-1 SOC submission	Tharp
10/6/2021	Policy's Reviewed for Audit	Tharp

SaaS Compliance Mapping Matrix

A-lign Ref: IS-36, IS-37, IS-38, IS-39, IS-40, IS-41, IS-42, IS-43, IS-44, IS-45, IS-46, IS-47, COB-1, COB-2, COB-3, COB-4, COB-5, COB-6, COB-7, COB-8

Application	Business Use	App Type	App Owner	Recovery Capability	Admin Rights	User Rights	PassWord (Req)	Auth Settings (Std; MFA; Other)	Lockout Policy	Logging Policy	Alert of suspicious activity	Access review by Mgt.	Logs (Network; O/S; DB; App; VPN)? Review by management?	Backup policy and procedures	Backup encryption	Backup Restore Approval	Disater Recovery	Updates/Patches (O/S; Security; Bugs)
AWS Command Line	Manage Cloud Infrastructure	Cloud Service Provider	Dave Brunet	Alternate Region	Account Admin	IAM Role	Complex - Configurable	MFA - Available	N/A	CloudWatch	Available	Yes	Ad-hoc	N/A	N/A	N/A	N/A	N/A
AWS Console	Manage Cloud Infrastructure	Cloud Service Provider	Dave Brunet	Alternate Region	Account Admin	IAM Role	Complex - Configurable	MFA - Available	N/A	CloudWatch	Available	Yes	Ad-hoc	N/A	N/A	N/A	N/A	N/A
AWS Object Storage S3	Cloud Object Storage	Cloud Service Provider	Dave Brunet	Alternate Region	Account Admin	IAM Role	Complex - Configurable	MFA - Available	N/A	CloudWatch	Available	Yes	Ad-hoc	N/A	N/A	N/A	N/A	N/A
DLZP Wiki	Internal Policies and Operations Data	SaaS	Dave Brunet	AutoRestore with 15 Min of Data Loss Potential	Account Admin	Wiki ACL	Complex - Configurable	Standard	No	CloudWatch	Yes	Yes	Yes	Every 4 hours	Yes	Yes	Auto Recover < 15 Data Loss	Yes
DropBox	Business File Sharing	SaaS	Lisa Brunet	Inherited from provider	Account Admin	Role Based	Complex - Configurable	MFA - Available	Not Published	Inherited from provider	Inherited from provider	Yes	Yes	Inherited - Default 120 Days	Inherited	N/A	N/A	N/A
Email	Amazon WorkMail	SaaS	Dave Brunet	Inherited from provider	Account Admin	User Access	Complex - Configurable	Screen Lock - Enabled - Mobile Email - Encryption Required	10 Attempts	Inherited from provider	Inherited from provider	Yes	No	Inherited from provider	Inherited from provider	N/A	N/A	N/A
Google Apps	Interative File Sharing	SaaS	Dave Brunet	Inherited from provider	Account Admin	User Access	Complex - Configurable	MFA - Available	4 Login Attempts	Inherited from provider	Inherited from provider	Yes	Ad-hoc	Inherited from provider	Inherited from provider	N/A	N/A	N/A
Instant Messaging Apps	(Google Hangouts; Slack; SMS Text)	SaaS	Dave Brunet	Inherited from provider	Account Admin	User Access	Complex - Configurable	Various	Inherited from provider	Inherited from provider	Inherited from provider	Yes	No	Inherited from provider	Inherited from provider	N/A	N/A	N/A
PriTunl VPN	Systems Admin SoftVPN	COTS	Dave Brunet	Autorestore with no Data Loss	Account Admin	User Access	N/A	MFA - Enabled	3 Login attempts	CloudWatch	No	Yes	Ad-hoc	Daily	Yes	Yes	N/A	Yes
Trend Micro	Workstation Intrusion Detection	SaaS	Lisa Brunet	Inherited from provider	Account Admin	No Access	N/A	N/A	Inherited from provider	Inherited from provider	Inherited from provider	Yes	No	Inherited from provider	Inherited from provider	N/A	N/A	Yes
Voice	Phone - Cellular	SaaS	Lisa Brunet	Inherited from provider	Account Admin	User Access	PIN	Screen Lock - Enabled - Encryption Required	Inherited from provider	Inherited from provider	No	Yes	Phone Bill	Inherited from provider	Inherited from provider	N/A	N/A	N/A
Zoho CRM	Sales Client Activity	SaaS	Lisa Brunet	Inherited from provider	Account Admin	User Access	Complex - Configurable	MFA - Enabled	Inherited from provider	Inherited from provider	Inherited from provider	Yes	No	Inherited from provider	Inherited from provider	N/A	N/A	N/A
Zoho Project	Project Management; Change Management; Issue Management (client tickets)	SaaS	Lisa Brunet	Inherited from provider	Account Admin	User Access	Complex - Configurable	MFA - Available	Inherited from provider	Inherited from provider	Inherited from provider	Yes	No	Inherited from provider	Inherited from provider	N/A	N/A	N/A
Zoom	Teleconferencing	SaaS	Lisa Brunet	Inherited from provider	Account Admin	User Access	Complex - Configurable	MFA - Available	Inherited from provider	Inherited from provider	Inherited from provider	Yes	No	Inherited from provider	Inherited from provider	N/A	N/A	N/A

SaaS Quarterly Reports Matrix

QTR Reports	App Admin Rpt/Task	App User Rpt/Task	Log Review RPT/Task	VPN Access Logs/Task	Antivirus Settings RPT/Task	Updates-Patches/Task	Code Changes/Task
AWS Command Line	Yes/M5-T36	Yes/M5-T36	Yes/M5-T36	No	No	No	No
AWS Console	Yes/M5-T36	Yes/M5-T36	Yes/M5-T36	No	No	No	No
AWS Object Storage S3	Yes/M5-T36	Yes/M5-T36	Yes/M5-T36	No	No	No	No
DLZP Wiki	Yes/M5-T30	Yes/M5-T30	Yes/M5-T30	No	No	Yes	Yes/M5-T30
DropBox	Yes/M5-T37	Yes/M5-T37	Yes/M5-T37	No	No	No	No
Email	Yes/M5-T37	Yes/M5-T37	Yes/M5-T37	No	No	No	No
Google Docs	Yes/M5-T38	Yes/M5-T38	Yes/M5-T38	No	No	No	No
Instant Messaging Apps	N/A	N/A	N/A	No	No	No	No
PriTunl VPN	Yes/M5-T27	Yes/M5-T27	Yes/M5-T27	Yes/M5-T27	No	Yes	No
Trend Micro	Yes/M5-T37	Yes/M5-T37	Yes/M5-T37	No	Yes/M5-T37	Yes	No
Voice	N/A	N/A	N/A	No	No	No	No
Zoho CRM	Yes/M5-T37	Yes/M5-T37	Yes/M5-T37	No	No	No	No
Zoho Project	Yes/M5-T37	Yes/M5-T37	Yes/M5-T37	No	No	No	No
Zoom	Yes/M5-T37	Yes/M5-T37	Yes/M5-T37	No	No	No	No