Skip to main content

Check out Interactive Visual Stories to gain hands-on experience with the SSE product features. Click here.

Skyhigh Security

Business Risk Management

For Business Risk, services are assessed on how well they protect data from threats based on their own business practices. Business risks are assessed based on aspects such as service hosting location, certification practice, and audit history.

Business Risk Attributes

The Business Risk score is calculated out of the following categories and attributes defined by Skyhigh CASB. 

Category Attribute Description Possible Value
Geography Service Hosting Locations Where is the geographic hosting location of cloud service provider? 10 - Hosted in US
10 - Hosted in EU
20 - Hosted in EU approved countries
30 - Hosted in APAC
40 - Others
40 - Not publicly known
70 - Hosted in questionable countries
Certifications Compliance Certifications Which compliance certifications does the cloud service provider have (for example SSAE16, ISO 27001, SOC2, PCI, or HIPAA)?

0 - Safe Harbor

Safe Harbor Principles are designed to assist eligible organizations to comply with the EU Data Protection Directive and maintain the privacy and integrity of that data.

10 - SAS70 / SSAE16 / ISEA 3402

SAS 70 (Statement on Auditing Standards No. 70) is the standard that an independent auditor, or service auditor, must employ to assess the contracted internal controls of a service organization, which include controls over IT and associated processes. The service auditor then outlined this description of controls through a service auditor's report.

The Statement on Standards for Attestation Engagements No. 16 (SSAE 16) is a set of standards developed specifically for certified public accountants (CPAs) to evaluate an entity’s internal controls and the impact a service organization might have on the entity’s control environment. This is important as auditors try to accurately audit a company’s financial statements.

International Standard on Assurance Engagements (ISAE 3402) is an extension and expansion of SAS 70, is the standard an auditor must employ to assess the contracted internal controls of a service organization. 

10 - DCAA / SOC 3

Defense Contract Audit Agency (DCAA) is a standard regulation performing all audits for the Department of Defense (DoD), and for providing accounting and financial advisory services to DoD components responsible for procurement and contract administration.

Service Organization Control 3 (SOC 3) report outlines information related to a service organization's internal controls for security, availability, processing integrity, confidentiality, or privacy.

10 - ISO 27001

ISO 27001 is recognized globally for managing risks to the security of information service holds. Certification to ISO 27001 proves to clients and other stakeholders that the service is managing the security of information. ISO 27001 provides a set of standardized requirements for an Information Security Management System (ISMS). 

10 - SOC2

Service Organization Controls (SOC 2) report focuses on a business's non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system.

10 - ISO 27018

ISO 27018 is a code of practice that focuses on protection of personal data in the cloud. It is based on ISO information security standard 27002 and provides implementation guidance on ISO 27002 controls applicable to public cloud Personally Identifiable Information (PII).

10 - FISMA

The Federal Information Security Management Act (FISMA) is United States legislation that defines a comprehensive framework to protect government information, operations, and assets against natural or manufactured threats. 

10 - FedRAMP

The Federal Risk and Authorization Management Program (FedRAMP) is an assessment and authorization process which U.S. federal agencies are directed by the Office of Management and Budget to use to make sure security is in place when accessing cloud computing products and services.


The Health Information Trust Alliance (HITRUST) is the Common Security Framework (CSF) certification process to make sure the privacy of patient information.

10 - ISO 27017

Information Security Standard (ISO 27017) reports on the protection of the information in the cloud service, this standard is built on the existing security controls of ISO 27002. 

20 - ITIL

Information Technology Infrastructure Library (ITIL), is a set of detailed practices for IT service management (ITSM) that focuses on aligning IT services with the needs of business.

20 - PCI Compliance

Payment Card Industry Data Security Standard (PCI DSS) compliance is the set of policies and procedures developed to protect credit, debit, and, cash card transactions and prevent the misuse of cardholders' personal information.

20 - HIPAA

Health Insurance Portability and Accountability Act (HIPAA) is United States legislation that provides data privacy and security provisions for safeguarding medical information.

20 - CSA Star

The CSA STAR Certification is a rigorous third-party independent assessment of the security of a cloud service provider. 

30 - TRUSTe / BBB

The TRUSTe Certified Privacy seal is a signal to consumers that a website is safeguarding users personal information and values online privacy. 

The BBB Certified is a commitment to make a good faith effort to resolve any consumer complaints. 

70 - Not publicly known
90 - None
Operational Practices Infrastructure Status Reporting Does the cloud service provider publish uptime and service availability statistics? 10 - Yes
50 - Not publicly known
60 - No
Geography Business HQ Where is the cloud service provider business headquartered? 10 - USA
10 - Privacy Friendly Countries
30 - Not publicly known
60 - Others
Auditing Support for Admin Audit Logging Does the cloud service provider log administrative activities? 10 - Yes
50 - Not publicly known
60 - No
Auditing Support for User Activity Logging Does the cloud service provider log user activities? 10 - Yes
30 - Not publicly known
60 - No
Auditing Support for Data Access Logging Does the cloud service provider log accesses to data? 10 - Yes
30 - Not publicly known
60 - No
Primarily Consumer Oriented Business Type Is the cloud service provider focused on predominantly consumer or enterprise-based clientele? 10 - Enterprise
40 - Both
80 - Consumer
Security Datacenter Security Does the service provide physical security perimeters (e.g., fences, guards, electronic surveillance, physical authentication mechanisms, security patrols, etc) to safeguard sensitive data and information systems at the datacenter? 10 - ISO 27001 Certified
30 - Biometric/Video Monitoring
40 - NA
60 - Not publicly known
80 - No
Regulatory Compliance EU GDPR General Data Protection Regulation (GDPR) proposed by the European Commission strengthens and unifies data protection for individuals within the European Union (EU), while addressing the export of personal data outside the EU. 10 - GDPR Risk Low
40 - GDPR Risk Medium
70 - GDPR Risk High


  • Was this article helpful?