Introducing Compliance Insights in Productiv

CIOs depend on Productiv for a complete, 360-degree view of their application portfolio. Having this view provides more effective governance and transparency across SaaS applications, in a way that is easily shared across the organization. 

An important part of this governance is understanding risk, especially when it comes to external software vendors to whom you entrust your data. To effectively manage security concerns and risk, your IT and Information Security teams need insight into the compliance certifications of each app in your application portfolio. 

With Compliance Insights, this information is now available to your team across all of your applications. Previously, information about whether application compliance was scattered across the web, making it difficult to answer important questions like: 

• We’re preparing for an audit, which applications are not SOC2 compliant?
• We are expanding to Europe, are our applications GDPR compliant?
• Do recently discovered apps (Shadow IT) meet our compliance requirements?

Moreover, hunting down this information, recording it, and keeping it up to date could easily consume hundreds of person-hours per year. That’s wasted, low value effort that could be spent on more strategic efforts. Productiv has now eliminated this burden, giving you the information you need while eliminating the heavy lifting involved.

As always, Productiv leverages its unique approach to give you greater insight into compliance. While others approach SaaS management as a license-based exercise, Productiv starts with user-based analytics, and builds up from there. That means you’ll be able to see compliance data at all levels of the Productiv experience. You’ll see this a little later in the post. 

The new Compliance Insights feature introduces new compliance visibility across your application portfolio:

• Compliance certification status across the Productiv experience, including at the App, Team, and User level
• Support for key compliance types: FedRAMP, Fisma, GDPR, ISO27001, SOC2, Swiss-US Privacy Shield
• Flexibility to show only the certifications that matter to your organization

Let’s take a look at Productiv to give you a sense of what to expect.

First, we can examine our Managed Applications. These are the ones that IT typically has the most control over. In this example, you can see great coverage across GDPR, SOC2, and ISO27001. 

This is easily customizable. Using the “Certifications” pulldown in the upper right, you can select which certifications that you’re most interested in examining. 

Here we see the six certifications available within Productiv today: FedRAMP, Fisma, GDPR, ISO27001, SOC2, Swiss-US Privacy Shield. More on each of these later in the post.

While this kind of compliance coverage is expected when IT teams are heavily involved in selecting and managing vendors, what about the applications where the business brings something onboard without IT support? Let’s take a look at the compliance insights across your shadow IT footprint.

Here you see the applications that Productiv automatically discovered through integrations with your spend systems and network systems. Using the same certifications as above, we see significantly spottier coverage for compliance.

Now IT can see instantly where they need to spend their time to most significantly reduce their risk of exposure. Shadow IT features like trending applications and newly discovered applications allow IT to keep focus on where the most activity is, and what new applications are taking hold in the organization.

Finally, let’s say you have teams that have special compliance requirements because of the information that they deal with, or where they are located in the world. One of the core differentiators for Productiv is that we build SaaS management from the user level – not just the license. What that means for compliance insights is that we can easily give you flexible, customized views of your compliance data down to an individual or a team. For example, below you see our compliance insights scoped down to the Data Science team. This level of data is useful for Information Security to validate if this team is in compliance, but also useful as you have a conversation with the Data Science team about applications that they are using, and ones they shouldn’t be using. 

Compliance Coverage

Lastly, let’s click down on the six compliance certifications that Productiv is launching within Compliance Insights. This list will grow and change as we continue to adapt to the demands of our customers and new certifications that appear on the market.

1. FedRAMP – The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. Any cloud service that holds federal data must be FedRAMP Authorized. FedRAMP prescribes the requirements and process cloud service providers must follow in order for the government to consume their service.
2. Fisma – The Federal Information Security Management Act (FISMA) is a United States federal law passed in 2002 that made it a requirement for federal agencies to develop, document, and implement an information security and protection program. Though FedRAMP and FISMA are both built on the foundation of NIST 800-53, they have different objectives. FISMA offers guidelines to government agencies on how to ensure data is protected, while FedRAMP offers guidelines to agencies adopting cloud service providers on how to protect government data.
3. GDPR – The General Data Protection Regulation is a European Union privacy law that comes into effect on May 25, 2018. … It increases restrictions on what organizations can do with your data, and it extends the rights of individuals to access and control data about themselves.
4. ISO27001 – ISO/IEC 27001:2013 (also known as ISO27001) is the international standard that sets out the specification for an information security management system (ISMS). Its best-practice approach helps organizations manage their information security by addressing people and processes as well as technology.
5. SOC2 – SOC 2 is an auditing procedure that ensures your service providers securely manage your data to protect the interests of your organization and the privacy of its clients. For security-conscious businesses, SOC 2 compliance is a minimal requirement when considering a SaaS provider.
6. Swiss-U.S. Privacy Shield – The Swiss-U.S. Privacy Shield Framework was designed by the U.S. Department of Commerce, and Swiss Administration, to provide companies on both sides of the Atlantic with a method to comply with data protection requirements when transferring personal data from Switzerland to the United States in support of transatlantic commerce.

Making Compliance tracking easier and more complete

How well do you understand the risk associated with your SaaS portfolio? And just as important, how much work does your team need to put in to understand that risk? With Compliance Insights from Productiv your IT and Information Security teams have the details of compliance certifications of each app in your application portfolio. 

Compliance Insights are available now in Productiv within the Enterprise Tier. If you would like to see everything available within Enterprise, request a demo.