Business Risk Management
For Business Risk, cloud services are assessed on how well their own business practices protect data from threats. Business risk is assessed on aspects such as service hosting location, certification practices, and audit history.
Business Risk Attributes
The Business Risk score is calculated from the following categories and attributes, as defined by Skyhigh CASB.
Category | Attribute | Description | Possible Value |
---|---|---|---|
Geography | Service Hosting Locations | Where is the cloud service provider's geographic hosting location? | 10 - Hosted in US; 10 - Hosted in EU; 20 - Hosted in EU approved countries; 30 - Hosted in APAC; 40 - Others; 40 - Not publicly known; 70 - Hosted in questionable countries |
Certifications | Compliance Certifications | Which compliance certifications does the cloud service provider have (for example SSAE 16, ISO 27001, SOC 2, PCI, or HIPAA)? Each certification value is described in the table below. | 0 - Safe Harbor; 10 - SAS 70 / SSAE 16 / ISAE 3402; 10 - DCAA / SOC 3; 10 - ISO 27001; 10 - SOC 2; 10 - ISO 27018; 10 - FISMA; 10 - FedRAMP; 10 - HITRUST; 10 - ISO 27017; 20 - ITIL; 20 - PCI Compliance; 20 - HIPAA; 20 - CSA STAR; 30 - TRUSTe / BBB; 70 - Not publicly known; 90 - None |
Operational Practices | Infrastructure Status Reporting | Does the cloud service provider publish uptime and service availability statistics? | 10 - Yes; 50 - Not publicly known; 60 - No |
Geography | Business HQ | Where is the cloud service provider's business headquartered? | 10 - USA; 10 - Privacy Friendly Countries; 30 - Not publicly known; 60 - Others |
Auditing | Support for Admin Audit Logging | Does the cloud service provider log administrative activities? | 10 - Yes; 50 - Not publicly known; 60 - No |
Auditing | Support for User Activity Logging | Does the cloud service provider log user activities? | 10 - Yes; 30 - Not publicly known; 60 - No |
Auditing | Support for Data Access Logging | Does the cloud service provider log accesses to data? | 10 - Yes; 30 - Not publicly known; 60 - No |
Primarily Consumer Oriented | Business Type | Is the cloud service provider focused on a predominantly consumer or enterprise clientele? | 10 - Enterprise; 40 - Both; 80 - Consumer |
Security | Datacenter Security | Does the service provide physical security perimeters (e.g., fences, guards, electronic surveillance, physical authentication mechanisms, security patrols) to safeguard sensitive data and information systems at the datacenter? | 10 - ISO 27001 Certified; 30 - Biometric/Video Monitoring; 40 - NA; 60 - Not publicly known; 80 - No |
Regulatory Compliance | EU GDPR | The General Data Protection Regulation (GDPR), proposed by the European Commission, strengthens and unifies data protection for individuals within the European Union (EU) while also addressing the export of personal data outside the EU. | 10 - GDPR Risk Low; 40 - GDPR Risk Medium; 70 - GDPR Risk High |

Compliance Certification Values
The possible values of the Compliance Certifications attribute are described below.

Value | Certification | Description |
---|---|---|
0 | Safe Harbor | The Safe Harbor Principles are designed to assist eligible organizations to comply with the EU Data Protection Directive and to maintain the privacy and integrity of personal data. |
10 | SAS 70 / SSAE 16 / ISAE 3402 | SAS 70 (Statement on Auditing Standards No. 70) is the standard that an independent auditor, or service auditor, must employ to assess the contracted internal controls of a service organization, including controls over IT and associated processes; the service auditor documents those controls in a service auditor's report. SSAE 16 (Statement on Standards for Attestation Engagements No. 16) is a set of standards developed specifically for certified public accountants (CPAs) to evaluate an entity's internal controls and the impact a service organization might have on the entity's control environment, which matters when auditors try to accurately audit a company's financial statements. ISAE 3402 (International Standard on Assurance Engagements 3402), an extension and expansion of SAS 70, is the standard an auditor must employ to assess the contracted internal controls of a service organization. |
10 | DCAA / SOC 3 | The Defense Contract Audit Agency (DCAA) performs all audits for the Department of Defense (DoD) and provides accounting and financial advisory services to DoD components responsible for procurement and contract administration. A Service Organization Control 3 (SOC 3) report outlines information about a service organization's internal controls for security, availability, processing integrity, confidentiality, or privacy. |
10 | ISO 27001 | ISO 27001 is recognized globally for managing risks to the security of the information a service holds. Certification to ISO 27001 demonstrates to clients and other stakeholders that the service is managing the security of its information. ISO 27001 provides a set of standardized requirements for an Information Security Management System (ISMS). |
10 | SOC 2 | A Service Organization Controls (SOC 2) report focuses on a business's non-financial reporting controls as they relate to the security, availability, processing integrity, confidentiality, and privacy of a system. |
10 | ISO 27018 | ISO 27018 is a code of practice that focuses on the protection of personal data in the cloud. It is based on the ISO 27002 information security standard and provides implementation guidance on the ISO 27002 controls applicable to Personally Identifiable Information (PII) in public clouds. |
10 | FISMA | The Federal Information Security Management Act (FISMA) is United States legislation that defines a comprehensive framework to protect government information, operations, and assets against natural or man-made threats. |
10 | FedRAMP | The Federal Risk and Authorization Management Program (FedRAMP) is an assessment and authorization process that U.S. federal agencies are directed by the Office of Management and Budget to use to ensure security is in place when accessing cloud computing products and services. |
10 | HITRUST | The Health Information Trust Alliance (HITRUST) Common Security Framework (CSF) is a certification process intended to ensure the privacy of patient information. |
10 | ISO 27017 | ISO 27017 is an information security standard that addresses the protection of information in cloud services; it is built on the existing security controls of ISO 27002. |
20 | ITIL | The Information Technology Infrastructure Library (ITIL) is a set of detailed practices for IT service management (ITSM) that focuses on aligning IT services with the needs of the business. |
20 | PCI Compliance | Payment Card Industry Data Security Standard (PCI DSS) compliance is the set of policies and procedures developed to protect credit, debit, and cash card transactions and to prevent the misuse of cardholders' personal information. |
20 | HIPAA | The Health Insurance Portability and Accountability Act (HIPAA) is United States legislation that provides data privacy and security provisions for safeguarding medical information. |
20 | CSA STAR | The CSA STAR Certification is a rigorous, independent third-party assessment of the security of a cloud service provider. |
30 | TRUSTe / BBB | The TRUSTe Certified Privacy seal signals to consumers that a website safeguards users' personal information and values online privacy. BBB certification is a commitment to make a good-faith effort to resolve any consumer complaints. |