SaaS Security Programs: Build What You Seek
0 likes600 views
The document outlines New Relic's stance on information provided, emphasizing that it should not be construed as a commitment or obligation to sell securities or deliver products. It discusses various aspects of security maturity, including team structure, processes, policies, compliance, monitoring, and the importance of a transparent mindset towards information security. Lastly, it raises questions for evaluating security policies and compliance status while addressing potential risks and vulnerabilities.
SaaS Security Programs: Build What You Seek
- 1. FS15 Title Slide (WIP) • Shaun Gordon, CSIO, New Relic
- 2. ©2008-15 New Relic, Inc. All rights reserved. Safe Harbor This document and the information herein (including any information that may be incorporated by reference) is provided for informational purposes only and should not be construed as an offer, commitment, promise or obligation on behalf of New Relic, Inc. (“New Relic”) to sell securities or deliver any product, material, code, functionality, or other feature. Any information provided hereby is proprietary to New Relic and may not be replicated or disclosed without New Relic’s express written permission. Such information may contain forward-looking statements within the meaning of federal securities laws. Any statement that is not a historical fact or refers to expectations, projections, future plans, objectives, estimates, goals, or other characterizations of future events is a forward-looking statement. These forward- looking statements can often be identified as such because the context of the statement will include words such as “believes,” “anticipates,” “expects” or words of similar import. Actual results may differ materially from those expressed in these forward-looking statements, which speak only as of the date hereof, and are subject to change at any time without notice. Existing and prospective investors, customers and other third parties transacting business with New Relic are cautioned not to place undue reliance on this forward-looking information. The achievement or success of the matters covered by such forward-looking statements are based on New Relic’s current assumptions, expectations, and beliefs and are subject to substantial risks, uncertainties, assumptions, and changes in circumstances that may cause the actual results, performance, or achievements to differ materially from those expressed or implied in any forward-looking statement. Further information on factors that could affect such forward-looking statements is included in the filings we make with the SEC from time to time. Copies of these documents may be obtained by visiting New Relic’s Investor Relations website at ir.newrelic.com or the SEC’s website at www.sec.gov. New Relic assumes no obligation and does not intend to update these forward-looking statements, except as required by law. New Relic makes no warranties, expressed or implied, in this document or otherwise, with respect to the information provided.
- 8. The Team
- 9. Describe your security organization, including the title of person who leads it, the size, and the number of people 100% dedicated to it? How do you handle security incidents? Describe your response to any recent security event. Questions about The Team
- 10. Processes
- 11. How is the security team involved in reviewing the software development process? How do you ensure or validate the security of the code that is pushed to your production systems? How are the employees or 3rd parties authenticated? How do you ensure employees are deprovisioned when they leave the company, and appropriately reprovisioned when they change roles? Questions about Processes
- 12. Policies
- 13. Do you have documented security policies? Please provide copies, if available. Do you classify data based on sensitivity? If so, how? What are your data sharing and retention policies and practices? Do you allow your employees to remove customer data from the production environment? If so, under what circumstances? Which of your employees have access to customer data and why? Which third-parties will have access to that data, and how do you ensure that they will protect it? Questions about Policies
- 15. Do you have a good understanding of the regulations and/or industry standards that are largely applicable to you? Please list them, as well as your current evaluation of your compliance status (yes, no, partially) with each one. Are there any major security exceptions and gaps that you are aware of impacting your compliance obligations? If so, what is your roadmap for addressing them? Questions about Compliance
- 16. Monitoring
- 17. How do you know if there are new vulnerabilities in your network, servers, and applications? How would you know if your network, servers, and/or applications are breached or compromised? How do you monitor, log, and/or audit all access to your network and/or customer data? Questions about Monitoring
- 19. Do you perform external assessments, and at what frequency? Please provide latest reports, if available.. Questions about Transparency
- 20. Mindset
- 26. How are information security responsibilities communicated to employees who work with customer data? How frequently? Questions about Mindset
- 28. UNCONSCIOUS INCOMPETENCE UNCONSCIOUS COMPETENCE CONSCIOUS INCOMPETENCE CONSCIOUS COMPETENCE Learning Matrix
- 29. UNCONSCIOUS INCOMPETENCE UNCONSCIOUS COMPETENCE CONSCIOUS INCOMPETENCE CONSCIOUS COMPETENCE No Security Program or Team Handwaving No Policies or Processes Poor Access Control No Compliance Awareness Security back-of-mind Large Security Team Formal Security Reviews Audited Policies & Processes Compliance Evidence Companywide Mindset Designated not Dedicated Sec Team Understanding Concerns Ad-Hoc Policies & Processes Aware of Compliance Requirements Checklist Security Dedicated Security Team Documented Policies & Processes No Compliance Auditing Security Monitoring Pragmatic Security Security Maturity Matrix
- 30. UNCONSCIOUS INCOMPETENCE UNCONSCIOUS COMPETENCE CONSCIOUS INCOMPETENCE CONSCIOUS COMPETENCE OK for PUBLIC data (but even then, we probably wouldn’t recommend) OK for any RESTRICTED data (e.g. CCs, SSNs) OK for INTERNAL data (e.g.Workplace plans) OK for CONFIDENTIAL data (e.g. customer data, PII, finance data) Allowable USe
- 31. UNCONSCIOUS INCOMPETENCE UNCONSCIOUS COMPETENCE CONSCIOUS INCOMPETENCE CONSCIOUS COMPETENCE No Security Program or Team Handwaving No Policies or Processes Poor Access Control No Compliance Awareness Security back-of-mind Large Security Team Formal Security Reviews Audited Policies & Processes Compliance Evidence Companywide Mindset Designated not Dedicated Sec Team Understanding Concerns Ad-Hoc Policies & Processes Aware of Compliance Requirements Checklist Security Dedicated Security Team Documented Policies & Processes No Compliance Auditing Security Monitoring Pragmatic Security Security Maturity Matrix
- 32. FS15 Thank You Slide (WIP) • Shaun Gordon, CSIO, New Relic