Meeting MAS’s new technology risk management guidelines for SaaS-powered businesses

What’s new?

The key component of the revised Guidelines is reinforcing the "importance of incorporating security controls" in the technology development and delivery lifecycle, as well as in the deployment of emerging technologies. It spells out that third-party services are to be assessed and managed on an ongoing basis, not just at onboarding.

“On an ongoing basis, the FI should ensure the third party employs a high standard of care and diligence in protecting data confidentiality and integrity as well as ensuring system resilience” 

The Guidelines set out detailed expectations for the management of security controls such as:

  • Configuration Management,  

  • User Access Management, 

  • Privileged Access Management,

  • Remote Access Management, 

  • Data Loss Prevention,

and the need to have processes in place to monitor, review and report on the effectiveness of the security controls:

  • Risk Monitoring, Review and Reporting for Board and management,

  • Audit Function to provide independent and objective opinion of the adequacy and effectiveness of risk management, governance and internal controls.

For businesses relying on SaaS such as Office 365, G Suite, Slack, Salesforce, this means:

  • Obtaining ongoing visibility of users' access and administrative privileges, and tracking changes to them over time,

  • Ensuring all users have the necessary security controls and data loss prevention measures enforced at all times, 

  • Putting processes and systems in place for audit and reporting. 

For many, the new requirements will significantly increase the cost of compliance and put additional pressure on their lean IT/security resources. Most small and medium businesses will not be able to give the above the priority it deserves and run the risk of non-compliance. 

Detexian’s SaaS Security Assurance Solution, the answer for SMEs’ security assurance needs. 

Detexian gives SMEs a track record of proactive security assurance for the SaaS applications that host business-critical and customer-sensitive data. It is a living risk register that not only records but also contextualises SaaS security risks for Board and management reporting. 

It independently and continuously assesses the effectiveness of controls and, where there are exceptions, helps bring them in line with an organisation’s risk tolerance or chosen compliance framework.

How does it work?

Via simple API connection with SaaS applications, Detexian:

  • Automates the collection of relevant security configuration information, 

  • Contextualises issues detected,

  • Populates them in a living risk register together with recommended actions, and

  • Enables businesses to build a track record of proactive SaaS security assurance. 
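To make the checklist under "For businesses relying on SaaS" and the collect-contextualise-register workflow above concrete, here is an added, self-contained illustration. It is not Detexian's code and does not call any real SaaS API: the two user-directory snapshots are constructed by hand to look like what a tenant's user-list export might return on two successive reviews. The script diffs the snapshots to surface joiners, leavers and new administrators, checks that a control (MFA) is enforced for every current user and that no account is dormant, and emits the exceptions as a severity-ranked register with a recommended action for each. The control names, severity scale, 90-day dormancy threshold and the example.com accounts are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class User:
    """One record from a (hypothetical) SaaS user-directory export."""
    email: str
    is_admin: bool
    mfa_enabled: bool
    last_login: date


@dataclass(frozen=True)
class Finding:
    """One row of the risk register."""
    control: str    # guideline area the exception maps to (assumed labels)
    subject: str    # the account the finding is about
    detail: str
    severity: str   # "high" | "medium" | "info" (assumed scale)
    action: str     # recommended remediation


# Constructed sample data (not real tenant data): the same tenant on two reviews.
SNAPSHOT_PREV = [
    User("alice@example.com", True,  True,  date(2020, 6, 1)),
    User("bob@example.com",   False, True,  date(2020, 6, 1)),
    User("carol@example.com", False, False, date(2020, 1, 5)),
    User("erin@example.com",  False, True,  date(2020, 5, 20)),
]
SNAPSHOT_CURR = [
    User("alice@example.com", True,  True,  date(2020, 6, 8)),
    User("bob@example.com",   True,  True,  date(2020, 6, 7)),   # promoted to admin
    User("carol@example.com", False, False, date(2020, 1, 5)),   # still no MFA, dormant
    User("dave@example.com",  False, False, date(2020, 6, 8)),   # new account, no MFA
]                                                                # erin has been removed
REVIEW_DATE = date(2020, 6, 9)


def _by_email(users):
    return {u.email: u for u in users}


def diff_access(prev, curr):
    """User Access / Privileged Access Management: what changed between reviews."""
    p, c = _by_email(prev), _by_email(curr)
    findings = []
    for email in sorted(c.keys() - p.keys()):
        findings.append(Finding("User Access Management", email,
                                "account created since last review",
                                "info", "confirm the joiner was approved"))
    for email in sorted(p.keys() - c.keys()):
        findings.append(Finding("User Access Management", email,
                                "account removed since last review",
                                "info", "confirm the leaver process completed"))
    for email in sorted(p.keys() & c.keys()):
        if c[email].is_admin and not p[email].is_admin:
            findings.append(Finding("Privileged Access Management", email,
                                    "granted administrative privileges",
                                    "high", "verify approval and business need"))
        elif p[email].is_admin and not c[email].is_admin:
            findings.append(Finding("Privileged Access Management", email,
                                    "administrative privileges removed",
                                    "info", "none"))
    return findings


def check_controls(curr, today, inactive_days=90):
    """Is the expected control enforced for every current user, and is anyone dormant?"""
    findings = []
    for u in sorted(curr, key=lambda u: u.email):
        if not u.mfa_enabled:
            findings.append(Finding("User Access Management", u.email,
                                    "multi-factor authentication not enabled",
                                    "high" if u.is_admin else "medium",
                                    "enforce MFA before the next review"))
        if (today - u.last_login).days > inactive_days:
            findings.append(Finding("User Access Management", u.email,
                                    f"no login for more than {inactive_days} days",
                                    "medium", "disable or remove the dormant account"))
    return findings


def build_register(prev, curr, today):
    """Living risk register: every current exception, highest severity first."""
    rank = {"high": 0, "medium": 1, "info": 2}
    register = diff_access(prev, curr) + check_controls(curr, today)
    return sorted(register, key=lambda f: (rank[f.severity], f.control, f.subject))


if __name__ == "__main__":
    for f in build_register(SNAPSHOT_PREV, SNAPSHOT_CURR, REVIEW_DATE):
        print(f"[{f.severity:6}] {f.control:28} {f.subject:18} {f.detail} -> {f.action}")
```

Run as-is, the register lists bob's new admin rights first, then the missing-MFA and dormancy exceptions for carol and dave, then the joiner/leaver events for confirmation. Keeping each review's output gives the time series the Guidelines ask for: the diff between two snapshots is the change record, and the control checks are the evidence that the control was (or was not) in force on that date.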

Businesses using Detexian have peace of mind that essential security controls for critical SaaS applications are always monitored. This in turn solidifies their customers' confidence. 

Detexian is designed and built from the ground up for SMEs that will be most impacted by changing information security regulations. SMEs remain largely underserved by the enterprise security market because the cost of ownership of enterprise tooling is too high for the majority who lack specialist resources.  Hence Detexian is an SME-focused product that:

  • Can be operated without specialist skills;

  • Keeps up with changing regulatory requirements;

  • Helps SMEs, or the MSPs serving them, with a lean (or often no) security practice achieve compliance while consuming any SaaS.
