Establishing an effective SAP cyber security program ties key activities to clearly defined business risks specific to your organization.
The high level steps to do this are:
1.Evaluate the organization’s capabilities and identify gaps
2.Understand the SAP landscape and the role SAP plays
3.Identify risks within the SAP environment
4.Define and deploy a cyber program to address identified SAP risks
5.Measure progress and manage risks on an on-going basis
Step 1 – Evaluate capabilities and identify gaps
Understanding your business drivers, what you do and what you don’t do for information security is the first step for establishing a value-add SAP cyber security program. Common business drivers include shareholder value, customer loyalty, brand protection, legal and regulatory commitments and innovation and agility.
•Make sure look across people, processes and technology
•SAP specific evaluation areas include the following
-Information privacy and protection
-Risk, compliance and policy management
-Security architecture and operations
-Identity and access management
Successful evaluations use a well defined set of criteria and scoring system to measure existing capabilities. A prescriptive set of criteria across people, process and technology domains should be defined for each of the nine security services.
- People – The ability of the people that support the information security program to successfully execute the requisite activities
- Process – The ability of the operational processes that comprise the information security program to meet the anticipated expectations of stakeholders
- Technology – The ability of the technology infrastructure to support the operational processes that comprise the information security program
Step 2 – Understand the SAP landscape and what SAP is used for
The second step is to map out your SAP landscape to understand the assets within it:
•It is important to understand your SAP assets so you understand the “playing field”
•Often times, there are “forgotten” SAP systems and SAP clients that are discovered during this step
•Make sure to document the:
-Connections between systems
-Type of systems you have (i.e. development, production, staging)
-The business processes and information that each system processes or scores
Then prioritize your SAP systems based on the role they play within your business processes and organization:
•Based on your company, industry and how your SAP systems are used within your organization, you will be able to understand and prioritize the different SAP systems in context to your business
•Next you’ll be able to gauge the potential economic impact to your organizations if an SAP system were to be breached
•Look at any gaps in your compliance structure, or policies could impact your organization
Step 3 – Identify the business risks within SAP
The third step is to understand the business risks that exist within your SAP system.
•Measure the security posture and compliance status of your SAP systems
•Evaluate what measures you have to identify a negative change in security and compliance for these business critical systems
•Identify the SLAs to restore these systems to an acceptable level of security and compliance
•Quantify exposure to the identified risks
Common risks within SAP include critical asset loss and stoppage of operations. Loss of critical assets, such as sensitive data and intellectual property
Stoppage of operations
Step 4 – Define and deploy a program to address identified SAP risks
The fourth step is to define a program and key activities to monitor and manage identified risks with SAP. Five key considerations for an SAP specific cyber security program include:
- Vulnerability management
- Secure system lifecycle management
- Identity and access management
- Event and log monitoring
Vulnerability management includes scanning, reporting on and managing potential SAP application vulnerabilities, appropriate patch levels and misconfiguration.
•Start by performing an initial scan of your SAP environment to establish a baseline for your SAP vulnerability management program.
-Make sure to review identified vulnerabilities for applicability and risk to help prioritize remediation efforts. The review is also important because some vulnerabilities may need to be accepted.
•Vulnerability management is an on-going activity. A recurring process should be put in place to identify, review and take action on vulnerabilities.
-Tools such as Onapsis Secure Platform help simplify and automate on-going SAP vulnerability management
Identity and access management
An effective SAP identity & access management program includes the following:
- An understanding of your critical assets within SAP and how to get at them
- A single set of processes, roles and tools to support SAP access needs across locations and business units.
- An effective role design that considers the “who”, “what” and “where” of user access.
- GRC tools to proactively monitor and manage business risks.
- Self service workflow tools to streamline the user access request process.
- Regular re-certification of user access to ensure entitlements are appropriate and risks are managed
Identify SAP key controls to manage identified business risks.
Make sure to determine the relevant security frameworks (i.e., NIST or SANS) to align controls and risks.
•Leverage your existing SAP controls whenever possible. Many of the key controls performed today support leading security frameworks.
•Analytics can be leveraged to simplify key control performance while increasing frequency of control execution.
Event & log monitoring is identify threats and anomalies within the SAP environment
- SAP logs a significant amount of data related to system activities. Some example logs include the SAP audit, ICM and gateway logs.
- The volume of data stored in SAP requires logging and monitoring policies and procedures to be specific and refined in order to deliver valuable insights and eliminate false positives.
- Event & log monitoring is an on-going activity. A recurring process should be put in place to continuously adapt monitoring activities and to review and take actions on results.
Secure Software Lifecycle Management
Secure Software Lifecycle Management focuses on embedding good on-going security principles into new SAP deployments and releases.
Step 5 – Measure progress and manage risk on an on-going basis
The final step is to establish an on-going process for monitoring and communicating progress, results and priority issues.
- Collaborate across functional teams to define shared KPIs to monitor, measure and communicate success
- Tie vulnerabilities, threats and potential issues back to business risks and KPIs to make results meaningful and understandable to non-technical and executive audiences.
- Regularly communicate results to drive results and promote a healthy security culture within your organization
- Tie SAP cyber security activities to key business risks and performance indicators to maximize reach and buy-in.
- Effective SAP cyber security programs start with a clear understanding of your business risks and SAP assets.
- Cyber security activities should be embedded in both on-going operations and new SAP deployments and releases.
- Take advantage of what you are already doing to accelerate the implementation of an SAP cyber security program.
- Automated tools and analytics solutions can simplify and improve the accuracy of SAP cyber security related activities.
Thoughts or questions? Feel free to leave comments below. Thanks