SaaS Visibility Application Attributes
Explore attributes on which the risk score for a SaaS
application is based.
Attributes are characteristics on which the risk score is
calculated. You can drill down into the Application Dictionary to
evaluate the attributes for:
- Vendor and product—Basic information about the vendor and its product. For example, Product URL and NPS Score.
- Compliance—Adherence to regulatory standards or frameworks. For example, GDPR (General Data Protection Regulation) and CJIS (Criminal Justice Information Services).
- Security and Privacy—Product capabilities and terms and conditions that can improve your organization’s security and privacy. For example, Data Ownership.
Compliance program requirements change over time, so verify this
information with your organization’s due diligence department before
you complete your risk assessment.
Attribute | Summary Description | Detailed Description |
---|---|---|
App Name | Name of the SaaS application. | Name of the application as it’s known in
the industry, preceded by a summary of the SaaS application’s capabilities
as expressed by the vendor. |
App Domains | Default domain of the SaaS application. | Default domain of the SaaS application. |
Category | Product’s service category. | Product’s service category, used for filtering. For example, Google Chart Tools is categorized as Analytics, with Business Intelligence as its Level 2 subcategory and Data Visualization as its Level 3 subcategory. Categories and subcategories are dynamic, changing over time as the product evolves or new industry categories become available. If you need custom categorization, use custom tags. |
L2 Subcategory | Product’s service subcategory, Level 2. | Product’s service subcategory, Level 2. |
L3 Subcategory | Product’s service subcategory, Level 3. | Product’s service subcategory, Level 3. |
Consumer Popularity | Popularity as aggregated by social media
metrics. | A value derived from social media statistics,
including likes, followers, and reviews and used to gauge a product’s perceived
quality. |
Employee Count | Total employee count. | Total employee count as compiled by various
registries. The total is an approximation. |
Founded | Date company incorporated or opened for
business. | Date company incorporated or opened for
business and as outlined in the company’s Articles of Incorporation. |
Headquarters Location | Geographic location of company’s strategic
planning and executive management. | Geographic location of company’s strategic
planning and executive management. |
Holding (Public/Private) | Type of ownership. | Ownership shares are publicly traded vs.
privately held. |
How is this app detected? | Detection method: App-ID classification (PAN‑OS 10.1 or later) or URL classification (prior to PAN-OS 10.1). | You can create recommendations for enforcement on your firewall only for SaaS apps that are detected using App-ID classification. Therefore, the total number of SaaS apps in the Application Dictionary is greater than the number displayed in Select Applications when you create a recommendation: your firewall uses App-IDs to identify traffic on your network, and a subset of the SaaS apps in the Application Dictionary do not have App-IDs. For Prisma Access, authoring SaaS policy rule recommendations is supported, but policy synchronization is not currently supported. |
Linkedin URL | Company’s Linkedin profile. | Company’s Linkedin account where you can
find more information about the company’s profile. |
NPS Score | Indicator of future growth as measured by customer experience and loyalty, with a score between -100 (weak) and 100 (strong): % of Promoters - % of Detractors = Net Promoter Score (NPS). For example, if a SaaS application has 35% Promoters and 25% Detractors, its NPS score is 10. | Indicator of future growth as measured by customer experience and loyalty: % of Promoters - % of Detractors = Net Promoter Score (NPS). For example, if a SaaS application has 35% Promoters and 25% Detractors, its NPS score is 10. Passives are neutral and do not affect the score, so the score ranges from -100 (all Detractors) to 100 (all Promoters). |
Opensource | Indicates whether the product is open source. | The SaaS application is open source. Some analysts argue that there is no evidence that open source is inherently riskier, but there is operational risk if the SaaS vendor doesn’t have the infrastructure in place to quickly apply patches for known vulnerabilities. |
Privacy policy | Privacy statement disclosure is publicly
available. | Privacy statement that outlines how the
company’s product gathers, uses, discloses, and manages customer
data is publicly available. |
Product URL | Website link to get more information about
the SaaS application. | Website link to get more information about
the SaaS application. |
Type of Service | SaaS product’s marketplace niche. | The niche that the SaaS product meets in
the marketplace. For example, cloud storage and backup. |
Vendor Name | Parent or subsidiary that markets, sells,
and distributes the SaaS application. | The entity that markets, sells, and distributes
the SaaS application. The vendor can be a subsidiary of a parent
company or the parent company itself. |
Attribute | Summary Description | Detailed Description |
---|---|---|
C5 | Germany’s Cloud Computing Compliance Controls
Catalog (C5) recommendations define
operational security against common cyber-attacks. | When in compliance with Germany’s Cloud
Computing Compliance Controls Catalog (C5) recommendations, the
vendor implemented operational security controls to protect against
common cyber-attacks. |
CJIS | US FBI’s Criminal Justice Information Services (CJIS) Security Policy for protecting sensitive criminal justice information. | When in compliance with the US FBI’s Criminal Justice Information Services (CJIS) Security Policy, the SaaS application adheres to the data security requirements for sensitive criminal justice information. |
COBIT | Control Objectives for Information and Related
Technologies (COBIT) framework for quality,
control, and reliability of information systems. | When in compliance with Control Objectives
for Information and Related Technologies (COBIT), the vendor implemented a security
framework to ensure quality, control, and reliability of information
systems. |
COPPA | US Children's Online Privacy Protection Act (COPPA) privacy law governs the collection of personal information from children under age 13. | When in compliance with the US Children's Online Privacy Protection Act (COPPA), the SaaS application adheres to the US federal privacy law that governs what information online services can and cannot collect from children under age 13 without verifiable parental consent. |
CSA STAR | Cloud Security Alliance (CSA) Security Trust
Assurance and Risk (STAR) best practices for
secure cloud computing environments. | When certified with Cloud Security Alliance
(CSA) Security Trust Assurance and Risk (STAR), indicates that the
vendor implemented advanced best practices to ensure a secure cloud
computing environment. Certification is based on self-assessment
and a third party audit. |
FEDRAMP | Federal Risk and Authorization Management Program (FedRAMP) provides security assessment, authorization, and continuous monitoring of cloud products and services. | When in compliance with the Federal Risk and Authorization Management Program (FedRAMP), which provides security assessment, authorization, and continuous monitoring of cloud products and services, the SaaS application is authorized for US federal agency cloud deployments. |
FERPA | US Family Educational Rights and Privacy Act (FERPA) privacy law governs parental protections for children's education records. | When in compliance with the US Family Educational Rights and Privacy Act (FERPA) privacy law, the SaaS application complies with parental protections for children's education records, academic and disciplinary reports, and personal and family information. |
FINRA | US Financial Industry Regulatory Authority (FINRA) rules govern broker-dealers to protect the integrity of the US financial system. | |
GAPP | Canadian-US Generally Accepted Privacy Principles (GAPP) data privacy framework for managing and preventing data privacy risks in accounting. | When in compliance with the Canadian-US Generally Accepted Privacy Principles (GAPP) data privacy framework, which outlines how accounting professionals collect, use, retain, and disclose personally identifiable information (PII), the vendor adheres to principles that manage and prevent privacy risks in accounting, as defined by the Canadian Institute of Chartered Accountants (CICA) and the American Institute of Certified Public Accountants (AICPA). The GAPP privacy criteria are also incorporated into SOC 2. |
GDPR | EU’s General Data Protection Regulation (GDPR) governs the processing of personal data of individuals in the EU and European Economic Area (EEA), including its transfer outside the EEA. | When in compliance with the EU’s General Data Protection Regulation (GDPR), the SaaS application complies with EU privacy law governing the processing of personal data of individuals in the EU and EEA, including the conditions under which that data can be transferred outside the EEA. |
HIPAA | Health Insurance Portability and Accountability Act (HIPAA) standards for protection and confidential handling of health information. | When in compliance with the Health Insurance Portability and Accountability Act (HIPAA), the SaaS application complies with laws that mandate industry-wide standards for health care information, and for the protection and confidential handling of protected health information. |
HITRUST CSF | HITRUST CSF security framework that maps to multiple regulations and standards (such as the ISO/IEC 27000 series and HIPAA) governing sensitive and regulated data. | When in compliance with the HITRUST CSF security framework, which instructs organizations on how to efficiently meet multiple regulations and standards (such as the ISO/IEC 27000 series and HIPAA), the vendor implemented security and privacy controls related to how the organization creates, accesses, stores, and exchanges sensitive and regulated data. |
ISAE 3402 | International Standard on Assurance Engagements (ISAE) 3402, issued by the International Auditing and Assurance Standards Board (IAASB), is the reporting standard for auditors of service-organization controls (the international counterpart of SOC 1). | When in compliance, the vendor’s SOC 1 report adheres to the ISAE 3402 reporting standard for auditors, as defined by the International Auditing and Assurance Standards Board (IAASB). This report covers internal controls relevant to financial reporting. |
ISO 27001 | International Organization for Standardization (ISO) 27001 standard for an information security management system (ISMS) and its controls and processes. | When certified against the International Organization for Standardization (ISO) 27001 standard, the vendor has an information security management system that systematically examines its controls and processes related to information security, and an accredited third party has audited it. |
ISO 9001 | ISO 9001 standard for implementing an ISO-certified quality management system. | When certified, indicates that the vendor’s quality management system adheres to a specific quality standard, based on gap analysis and internal audits. This certification is globally recognized. Ongoing evaluation and maintenance are required to retain certification, indicating that the vendor consistently provides products and services that meet customer and regulatory requirements and demonstrates continuous improvement of its products, services, and processes. |
ITAR | US International Traffic in Arms Regulations (ITAR) export control laws that govern the export of defense and military-related technologies. | When in compliance with the US International Traffic in Arms Regulations (ITAR) export control laws that govern the export of defense and military-related technologies, indicates that the vendor has the necessary safeguards to protect US national security and foreign policy objectives. Compliance includes registration with the US Directorate of Defense Trade Controls (DDTC). |
Jericho Forum Commandments | Jericho Forum (now The Open Group Security Forum) principles for cloud security. | When in agreement with the Jericho Forum Commandments (now maintained by The Open Group Security Forum), indicates that the vendor subscribes to the principle that security should not rely on the network as a security perimeter ("de-perimeterisation") but must be built into the data, systems, and services themselves. |
NIST SP 800-53 | US National Institute of Standards and Technology (NIST) Special Publication 800-53 security and privacy controls for FISMA compliance govern federal information systems. | When in compliance with US National Institute of Standards and Technology (NIST) SP 800-53 controls and guidelines for FISMA compliance, indicates that the vendor adheres to the controls that govern the security and privacy of federal information systems. |
PCI | Payment Card Industry Data Security Standard (PCI DSS) requirements for storing, processing, and transmitting cardholder data in the cloud. | When in compliance with the Payment Card Industry Data Security Standard (PCI DSS), indicates that the provider hosting your cardholder data adheres to specific security requirements for storing, processing, and transmitting credit card data in the cloud. |
Privacy Shield | EU-US and Swiss-US Privacy Shield framework for transferring personal data from the EU and Switzerland to the US. | When in compliance with the EU-US and Swiss-US Privacy Shield framework, indicates that the vendor has a mechanism in place to comply with data protection requirements when transferring personal data from the EU and Switzerland to the US. Note that the Court of Justice of the EU invalidated the EU-US Privacy Shield as a transfer mechanism in July 2020 (Schrems II), so this attribute alone no longer establishes a lawful basis for EU-to-US transfers. |
Safe Harbor Compliance | EU-US Safe Harbor framework governs privacy of personal data transferred from the European Economic Area (EEA) to the US. | When in compliance, the SaaS application complies with the EU-US Safe Harbor framework that governed the privacy of personal data transferred from the European Economic Area (EEA) to the US. Note that the Court of Justice of the EU invalidated Safe Harbor in October 2015 (Schrems I); it was superseded by Privacy Shield, so treat this attribute as historical. |
SSAE 18 | American Institute of Certified Public Accountants (AICPA) Statement on Standards for Attestation Engagements (SSAE) 18 (superseding SSAE 16 and, before it, SAS 70) for reporting on a service organization’s controls. | When compliant, indicates that the vendor has effective internal controls relevant to financial reporting, attested by an independent auditor under SSAE 18, as defined by the American Institute of Certified Public Accountants (AICPA). ISAE 3402 is the international counterpart of this standard. |
SOC 1 | SOC 1 (System and Organization Controls) audit, as defined by the American Institute of Certified Public Accountants (AICPA), covers internal controls relevant to financial reporting. | As defined by the American Institute of Certified Public Accountants (AICPA) for data centers and SaaS vendors, when in compliance, indicates that an independent auditing firm verified that the vendor passed a SOC 1 audit of internal controls relevant to financial reporting in accordance with SSAE 18. Reports are either Type 1 (design of controls at a point in time) or Type 2 (design and operating effectiveness over a review period, typically 6 to 12 months). |
SOC 2 | SOC 2 (System and Organization Controls) audit, as defined by the American Institute of Certified Public Accountants (AICPA), covers controls for security, availability, processing integrity, confidentiality, and privacy. | As defined by the American Institute of Certified Public Accountants (AICPA) for data centers and SaaS vendors, when in compliance, indicates that an independent auditing firm verified that the vendor passed a SOC 2 audit in accordance with SSAE 18 and that the vendor received a SOC 2 report, which is written for a customer audience and is typically shared under NDA. This audit offers assurance against the AICPA Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. |
SOC 3 | SOC 3 (System and Organization Controls) audit, as defined by the American Institute of Certified Public Accountants (AICPA), covers controls for security, availability, processing integrity, confidentiality, and privacy. | As defined by the American Institute of Certified Public Accountants (AICPA), a SOC 3 audit covers the same Trust Services Criteria as SOC 2, including security, availability, processing integrity, confidentiality, and privacy. However, a SOC 3 audit results in a SOC 3 report, which has less detail, omits the description of tests and results, and is written for a general audience that can be distributed publicly. |
Attribute | Description |
---|---|
Data Ownership | Based on the SaaS app’s terms and conditions,
one of the following values displays:
Regardless of the
value that displays in the SaaS Security web interface, it’s important
that you have your Legal team review the service’s terms and conditions
before you onboard the SaaS app. |
IP Based Restriction | IP-based restriction is the ability to limit login access to the SaaS application to specific source IP addresses or ranges. Based on the SaaS application’s capabilities, one of the following values displays:
|
MFA | Multi‑factor Authentication (MFA) offers an additional layer
of security for login access. Based on the SaaS application’s capabilities,
one of the following values displays:
|
SAML |
|