In the ever-evolving landscape of data regulations, businesses are not only challenged with implementing processes to ensure compliance, but also with documenting these efforts and providing evidence to competent authorities.
Take DORA, for example, the EU’s new Digital Operational Resilience Act. Compliance reporting is a crucial component of DORA and can be burdensome without fit-for-purpose tools and the right partners.
That’s where Own can help. Through our various solutions, we can provide documentary evidence for specific DORA requirements pertinent to critical SaaS applications, particularly Salesforce. Let’s look at some key requirements and how we can help.
SaaS Risk Assessment and Data Protection
A critical component of a regulatory compliance program for DORA and other regulations is conducting regular risk assessments to determine the most critical areas to concentrate finite resources on.
Own Secure for Salesforce streamlines the implementation of regulatory requirements with automated, periodic assessments, and risk-prioritized security insights. These insights can all be mapped back to standard security and regulatory frameworks, while also performing an essential role in improving security posture by providing data-driven inputs to your GRC program.
Own Customers may also benefit from advisory services such as security risk assessments and ongoing security consulting. These services provide an additional level of support by ensuring key control information is highlighted, capability maturity is properly assessed, and implementation/remediation guidance is available.
Common problems that Own sees in SaaS environments include insufficient controls on administrative accounts and API access, overly broad access to sensitive data, a lack of barriers to export data, and vulnerabilities in custom SaaS code. To support the requirement to provide documentary evidence of compliance, Secure for Salesforce provides exportable reports detailing the current state of SaaS data protection and recommended remediation actions.
SaaS Data Availability & Recovery
DORA requires covered entities to have backups that are logically and physically separated from their production systems, which is a sound strategy for any company. But having a backup solution in place is just step one. To comply with DORA, financial institutions must do more than create contingency plans. They have to ensure that processes work in practice and improve over time.
For instance, DORA requires covered entities to test their backup restoration procedures periodically to ensure that they function properly. Own solutions include Data Recovery Readiness and Recovery (DR3™) for SaaS, helping customers exercise their SaaS data recovery operations and rebound quickly with a combination of processes, people, and technology. Customers can use DR3™ assessment reports as documentary evidence supporting compliance with this requirement.
Enforcing data retention policies is also a crucial consideration because insufficient archiving increases SaaS data exposure risks, particularly for data breaches and ransomware attacks. Own Archive can be used to offload inactive ePHI safely and securely, reducing the amount of sensitive data that is potentially exposed to unauthorized access.
SaaS Data Monitoring & Alerting
The importance of monitoring for anomalous activity applies to any information system, including SaaS environments. DORA requires financial institutions to have automatic alerting mechanisms and sufficient resources and capabilities to “monitor user activity, the occurrence of ICT anomalies and ICT-related incidents, in particular cyber-attacks.”
Own Secure for Salesforce generates alerts when high-risk permissions are assigned, proactively giving customers early warning of potential problems. Additionally, Own Recover performs analysis of data changes between backups that provide visibility of data modifications over time. In addition, to help customers detect potential problems more quickly, Own Recover generates Smart Alerts to notify customers of abnormally large amounts of data being deleted or corrupted.
Streamline DORA Compliance Efforts for SaaS
At Own, we understand the challenges businesses face in meeting DORA compliance requirements for SaaS systems, particularly for critical applications like Salesforce. Download our guide on DORA Compliance and SaaS, including how Own can support your compliance efforts.
