For PH financial institutions, configure Asana with SAML SSO and SCIM for identity, stream Audit Log API events to your SIEM for monitoring and long-term retention, standardize intake → approvals and SLAs with rules, and align data handling and residency to policy. Work through the checklist below and capture evidence (settings exports, screenshots, SIEM alerts) as you go so it is ready for reviews.
1) What BSP expects (at a glance)
BSP circulars emphasize a risk-based approach to IT/security: strong identity and access controls, monitoring and auditability, incident and cyber-risk reporting, and fraud management proportional to your risk profile. Recent issuances cover technology/cyber-risk reporting (1019), enhanced information security management (982), and updated fraud management system requirements (1213, 2025).
Note: This article is guidance only—not legal advice. Align final configurations with your internal policies and the latest BSP rules.
2) The Asana configuration checklist
A) Governance & standardization
● Approve project templates for critical workflows (e.g., Incident Response, Client Onboarding).
● Adopt naming conventions and a custom-fields taxonomy (Status, Priority, Department, SLA, Risk) for clean reporting.
● Assign template/portfolio owners and set an archiving cadence (e.g., quarterly).
(These practices enable consistent reporting and auditable process control.)
B) Identity, access & provisioning
● Enforce SAML SSO via your IdP (Microsoft Entra, Okta, etc.), set it to required rather than optional so password login is no longer an alternative path, and require 2FA at the IdP.
● Configure SCIM for automatic provisioning/de-provisioning and group mapping, so a leaver disabled in the IdP loses Asana access without a manual step.
● Define guest access (allowed domains, private-by-default for sensitive projects).
C) Auditability & monitoring
● Enable the Audit Log API (Enterprise; authenticate with a service account token) and stream events to your SIEM (Splunk, etc.) for alerting and extended retention.
● Alert on admin- and security-relevant events (SSO/SCIM changes, sharing and privacy changes, exports, admin role changes).
● Mind the retention gap: Asana holds Audit Log API events for about 90 days natively (per an Asana forum note), so the SIEM or archive storage is your long-term record. Poll at least daily, persist the last-seen timestamp, and alert when the pipeline stalls, because events older than the window cannot be back-filled.
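The poller below is an added example (it is not Asana's code and not from the original checklist) showing the pieces a SIEM forwarder needs: a bounded query window, pagination by offset, filtering to the watched event categories, flattening each event into newline-delimited JSON, and a checkpoint that is clamped to the 90-day window and flags a gap when the last checkpoint is older than that. It assumes the Audit Log API request shape (GET /workspaces/{workspace_gid}/audit_log_events with start_at, end_at, limit and offset) and the event fields (gid, created_at, event_type, event_category, actor, resource) as documented by Asana; the category and event_type names, the severity policy, and the sample page are illustrative constructions, not real Asana output.

```python
"""Incremental Asana Audit Log API -> SIEM forwarder (added example, not Asana's code)."""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

API_BASE = "https://app.asana.com/api/1.0"
NATIVE_RETENTION = timedelta(days=90)  # Asana's native audit-log retention (per the checklist)
# Event categories to forward; these names are an assumption for illustration
WATCHED = {"logins", "admin_settings", "access_control", "content_export"}
HIGH = {"admin_settings", "content_export"}  # severity policy: assumption, tune to your SOC


def build_request(workspace_gid, token, since, now=None, offset=None, limit=100):
    """Build (url, params, headers, gap) for one page of events created after `since`.

    A checkpoint older than the retention window is clamped to it and `gap` is set,
    so the operator can record that events were lost rather than silently skipped.
    """
    now = now or datetime.now(timezone.utc)
    floor = now - NATIVE_RETENTION
    start = max(since, floor)
    params = {"start_at": start.isoformat(), "end_at": now.isoformat(), "limit": limit}
    if offset:
        params["offset"] = offset  # cursor from the previous page's next_page.offset
    headers = {"Authorization": f"Bearer {token}"}  # service-account token
    url = f"{API_BASE}/workspaces/{workspace_gid}/audit_log_events"
    return url, params, headers, since < floor


def http_get_json(url, params, headers):
    """Real transport (not used by run_demo): GET one page and decode the JSON body."""
    req = urllib.request.Request(f"{url}?{urllib.parse.urlencode(params)}", headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def to_siem_record(event):
    """Flatten one audit event into a SIEM-friendly record with a severity tag."""
    actor = event.get("actor") or {}
    resource = event.get("resource") or {}
    cat = event.get("event_category")
    return {
        "timestamp": event["created_at"],
        "source": "asana.audit_log",
        "event_id": event["gid"],
        "event_type": event["event_type"],
        "category": cat,
        "actor": actor.get("email") or actor.get("name") or actor.get("gid"),
        "actor_type": actor.get("actor_type"),
        "resource_type": resource.get("resource_type"),
        "resource": resource.get("name") or resource.get("gid"),
        "severity": "high" if cat in HIGH else "medium",
    }


def process_page(page):
    """Return (ndjson_lines, newest_created_at_or_None, next_offset) for one page."""
    events = page.get("data", [])
    lines = [json.dumps(to_siem_record(e), sort_keys=True)
             for e in events if e.get("event_category") in WATCHED]
    stamps = [datetime.fromisoformat(e["created_at"].replace("Z", "+00:00")) for e in events]
    next_page = page.get("next_page") or {}
    return lines, (max(stamps) if stamps else None), next_page.get("offset")


def poll(workspace_gid, token, since, http_get=http_get_json, now=None):
    """Drain every page newer than `since`; returns (lines, new_checkpoint, gap).

    `since` stays fixed while paginating (the offset cursor belongs to that window);
    persist `new_checkpoint` only after the SIEM has acknowledged the lines.
    """
    offset, out, newest = None, [], since
    while True:
        url, params, headers, gap = build_request(workspace_gid, token, since, now, offset)
        lines, page_newest, offset = process_page(http_get(url, params, headers))
        out.extend(lines)
        if page_newest and page_newest > newest:
            newest = page_newest
        if not offset:
            return out, newest, gap


def _ev(gid, created_at, event_type, category, actor_email, resource_type, resource_name):
    """Build one constructed sample event in the Audit Log API's object shape."""
    return {"gid": gid, "created_at": created_at, "event_type": event_type, "event_category": category,
            "actor": {"actor_type": "user", "gid": "u-" + gid, "email": actor_email},
            "resource": {"gid": "r-" + gid, "resource_type": resource_type, "name": resource_name}}


# Constructed sample page (not real Asana output); event_type names are illustrative.
SAMPLE_PAGE = {
    "data": [
        _ev("1001", "2025-03-10T08:15:00.000Z", "user_login_succeeded", "logins", "ana@example.ph", "user", "Ana"),
        _ev("1002", "2025-03-10T09:02:11.000Z", "workspace_saml_settings_changed", "admin_settings", "admin@example.ph", "workspace", "ExampleBank"),
        _ev("1003", "2025-03-10T09:30:00.000Z", "task_comment_added", "task_activity", "ana@example.ph", "task", "Weekly report"),
        _ev("1004", "2025-03-11T17:45:00.000Z", "project_exported", "content_export", "ops@example.ph", "project", "Client Onboarding"),
    ],
    "next_page": {"offset": "cursor-page-2"},
}


def fake_http_get(url, params, headers):
    """Offline responder: the first call returns SAMPLE_PAGE, the follow-up page is empty."""
    return SAMPLE_PAGE if "offset" not in params else {"data": [], "next_page": None}


def run_demo():
    """Simulate a poller whose last checkpoint predates the 90-day window."""
    since = datetime(2024, 12, 1, tzinfo=timezone.utc)
    now = datetime(2025, 3, 12, tzinfo=timezone.utc)
    lines, checkpoint, gap = poll("5", "REDACTED", since, http_get=fake_http_get, now=now)
    return {"records": [json.loads(line) for line in lines], "checkpoint": checkpoint.isoformat(),
            "gap": gap, "start_at": build_request("5", "REDACTED", since, now)[1]["start_at"]}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

In the demo the stored checkpoint (1 Dec 2024) is older than the 90-day window ending 12 Mar 2025, so the query is clamped to 12 Dec 2024 and `gap` is raised; that condition is exactly what a stalled forwarder produces and is worth its own SIEM alert. Three of the four sample events are forwarded (the task comment is outside the watched categories), and the new checkpoint is the newest `created_at` seen across all pages.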
D) Data handling & residency
● Train teams not to store regulated data in free-text/attachments unless approved by policy.
● Review data residency options (e.g., EU/AU/JP data centers) against your organization’s requirements.
E) Intake, approvals & SLAs
● Use Forms mapped to custom fields to capture Priority/SLA and route requests to the correct project.
● Use Approvals with timestamped decisions; add rules to set due dates and escalate P1 items.
(This supports traceability and timely handling of risk-sensitive work.)
F) Incident response & continuity
● Maintain an Incident Response template (triage → contain → eradicate → recover → lessons).
● Keep a portfolio/dashboard for leadership visibility during incidents.
● Document export & audit procedures (who can export, what to retain, where stored).
● For regulated data types like ePHI, Asana provides a HIPAA domain enablement path with a BAA; use only if applicable to your business lines.
G) DLP/eDiscovery & integrations
● If your program requires it, configure DLP/eDiscovery integrations via Asana’s Audit Suite and supported partners/APIs.
● Maintain an approved integrations register (IdP, SIEM, DLP/eDiscovery, automation tools).
3) Evidence to capture for audits
● Screenshots/exports: SSO set to required, SCIM group mappings, completed access reviews, project privacy settings (per Asana Help Center).
● SIEM dashboards/alerts: Audit Log API events (admin changes, shares, exports) and evidence the forwarder ran continuously (per Asana Developer Docs).
● Process artifacts: approved templates, naming/fields catalog, archiving SOP.
● Incident artifacts: timelines, approvals, exports, lessons learned (retained per policy).
4) Common pitfalls (and how to avoid them)
● Uncontrolled guest access → Restrict allowed domains and use private-by-default for sensitive projects (per Asana Help Center).
● No retention beyond 90 days for audit logs → Stream to your SIEM or archive storage and alert when the stream stops (per Asana Forum).
● Chaos in reporting → Enforce templates plus the fields taxonomy; review quarterly.
5) Download the checklist (free)
Get the printable checklist to standardize rollouts and reviews:
Asana for BSP-regulated teams — Compliance Checklist (PDF)
6) Next steps
● Quick win: turn your highest-risk intake into a Form → routed project with Approvals and P1 escalations.
● Then: wire the Audit Log API → SIEM, persist the last-seen timestamp between runs, and schedule a quarterly access review (per Asana Developer Docs).
Need help? Book a Security Consult (Free) and we’ll map configurations to your internal policies and the latest BSP guidance.
