SaaS Governance Working Group

Fill out the form below to view this webinar!

Introduction to the SaaS Governance Working Group

Security and privacy are the primary concerns for organizations considering SaaS adoption, and recent research indicates that 77% of SaaS-adopting organizations have experienced SaaS-specific security incidents. SaaS services account for the bulk of the cloud industry market, and any security incident could critically impact cloud customers.

SaaS services present unique risks to their cloud customers:

  • they are highly business process specific
  • they handle and store critical business and personal data
  • they integrate a broad array of service components, operating over a deep application stack
  • they may depend on multiple cloud service providers

Due to heavy competitive pressure in the SaaS market today, security is too often not a top priority for SaaS providers – especially for the smaller providers that may not have the necessary security expertise to identify and manage the risks that could impact cloud customers and the cloud provider’s own operations.

The SaaS Governance Working Group will encourage and define mechanisms for customers and service providers to cooperate and work closely with each other to manage SaaS risks and ensure the security of customer data and the resilience of the SaaS cloud infrastructure.

Scope and Responsibilities

The scope for the SaaS Governance working group includes, but is not limited to:

  • Develop a baseline set of fundamental SaaS governance practices for SaaS Providers and Customers.
  • Develop a library and mitigation measures of SaaS-specific risks for SaaS Providers and Customers.
  • Develop a practical security guide to help SaaS Providers implement secure SaaS delivery to best protect cloud customer data.
  • To share any newly developed security controls other relevant CSA initiatives.

SaaS Governance Working Group Leadership

SaaS Governance Co-chairs

Sandeep Poonen

Sandeep Poonen

Sandeep Poonen is the Information Security Officer for Cloud Services at VMware. He brokers all key information security capabilities from IT Security into the cloud service portfolio. He is also responsible for the Information Security Risk Management program at VMware. He has several years of experience in IT and application security, helping several Fortune 100 enterprises (and beyond) architect security solutions for their enterprise application landscape.

Mark Ames

Mark Ames

Mark has extensive experience in security architecture, information security policy, risk management, regulatory compliance, and implementation of security controls across enterprise systems and networks. He leads consulting and development teams across a range of clients in banking, telecommunications, government, and small to medium businesses.

Mark regularly holds leadership roles in professional associations including ISACA, the Australian Information Security Association, and the Asian Advisory Board of (ISC)2. Mark’s professional goals include solving hard problems for clients, building client skills and capabilities, and making a positive contribution to the industry. He continues to contribute to national and international standards working groups and is a Senior Member of the ACM.

Ronald Tse

Ronald Tse

Ronald Tse is the founder and CEO of Ribose, leading strategic development and its technology roadmap. He graduated from Brown University with bachelor’s degrees magna cum laude in Computer Science and Biology, and a master’s degree in Computer Science. Previous to Ribose, Ronald worked on highly-scalable distributed systems at Brown and MIT, with a background in the life sciences industry.

Under his leadership, Ribose became the world’s first cloud platform to achieve MTCS (Multi-Tier Cloud Security), the only cloud service provider to be triple assured by the Cloud Security Alliance: CSA STAR Attestation, CSA STAR Certification (Cloud Controls Matrix, CCM 3.0.1) and CSA C-STAR Assessment, as well as the first in the cloud industry to receive BSI’s Kitemark for Secure Digital Transactions for validated application security; and has been consistently awarded the industry’s highest cloud security ratings: the highest security tier, Level 3, in MTCS and the highest maturity level, Gold, in STAR Certification.

He currently serves CalConnect as a Board Director and Director of External Relationships, is the founding chair of CSA’s SaaS Governance workgroup, CalConnect’s TC VCARD (contact exchange) and PC SEC (secure calendar) committees, voting member at CSA’s International Standardization Council, represents China / Hong Kong / CSA at ISO/IEC JTC1/SC27 (information security), is a liaison representative of CalConnect to ISO TC 211 (geographic information), represents Hong Kong at China’s National Information Security Standards Committee (TC 260) and the Hong Kong/Guangdong Information Committee.

He is a member of Sigma Xi, an IAPP Fellow of Information Privacy, a CISSP-ISSAP, ISSMP, CSSLP, CAP, SSCP, CISA, CISM, CRISC, CGEIT, CIPP/US, CIPM, CIPT, PSM I-II-III, PSPO I-II, PSD, CCIE #9650 and a lead auditor in ISO/IEC 27001.

SaaS Governance Working Group Initiatives

Please contact SaaS Governance Working Group Leadership for more information.

Want to contribute to the SaaS Governance Working Group?

Fill out the form below to join today!


Having read and understood the CSA’s Privacy Policy,

I specifically consent to receive marketing messages via the following channels:

Indicates a required field.

If you experience trouble using this form, please submit the information here.

Thanks for your interest!

Your request to join SaaS Governance has been recorded. Someone will be in touch with you soon with more instructions.

SaaS Governance Working Group Downloads

No downloads currently available.