In the light of the increasing number of attacks against ERP systems and weaknesses discovered almost every day, there is a need to reorient a cybersecurity approach. The trend of coping with countless cybersecurity challenges in a fragmentary manner menaces organizations by sabotage, espionage, and fraud. Without C-level guidance, an enterprise security team working with a chaotic security solution stack, cloud applications, and eroding system boundaries cannot keep up with the imminent security hazards. This way, aiming to systemize the methods of coping with potential attacks, SAP Security Framework was created.
It is required for security managers to address the issue of disintegrated security and create the strategic options and environment in order to ensure the business applications security. They should shift from excessive trust in blocking and preventing mechanisms of access controls and Segregation of Duties to integrative approaches. As long as the preventing mechanisms could and do fail, ERP systems require continuous monitoring and remediation.
The perfect business application protection combines predictive, preventive, detective, and responsive capabilities and seamlessly integrates with such enterprise security processes as incident, risk and compliance management.
Where do you start? What SAP security controls are out there? Who needs to be involved? How do you go about identifying and facing your obligations? How will you prove that you meet all of the security requirements? How do you integrate SAP security with enterprise security? The first steps of your SAP compliance or ISMS implementation project seems to be the most confusing.
To build a framework for ensuring compliance both now and in the years ahead may be a simple solution for most organizations, i.e. to learn how to carry out all the security capabilities including risk management, vulnerability management, data security, and threat detection.
That is what the SAP Cybersecurity Framework is for: to build a comprehensive security architecture for your SAP estate.
What is SAP Cybersecurity framework?
The EAS-SEC SAP Cybersecurity Framework is aimed at systemizing all the necessary activities to secure business applications such as ERP systems from cybersecurity risks. The document consists of SAP security controls and tiered implementation guidelines. The main purpose of the framework is to enable holistic view on the SAP security.
The Framework implements Gartner’s approach to adaptive security architecture in the ERP security and describes 4 categories for ERP protection processes: predict, prevent, detect, and respond. It explains critical ERP systems security areas of actions, characterizes the desired outcomes, and offers a 3-step approach to succeed in each area, helping organizations arrive at a conceptual bridge between adaptive security architecture and actions.
The SAP Cybersecurity Framework implements EAS-SEC approach to unify the coverage completeness and the implementation priority. The framework provides you with a guidance on how to succeed in all the protection areas with minimum effort for maximum effect.
Each category describes specific protection processes, e.g. asset management, incident management or threat intelligence. Each is in line with industry-recognized frameworks from NIST, SANS, ISO, CIS but reflects the ERP systems peculiarities.
How to use SAP Cybersecurity Framework
The SAP Cybersecurity Framework details security processes in four categories depicted below.
For each of the activities, the SAP Cybersecurity Framework provides a three-step roadmap towards the realization of ERP security processes:
- The first step is the minimum that lets you set up the basis for protection and solve the most critical issues.
- The second step provides you with the sufficient level of security and requires a medium level of effort.
- The third step introduces advanced options including the automation, forensic, collaboration that provides you with the cutting-edge security capabilities.
Regardless of the degree of effort, the framework articulates the outcomes you are expected to achieve, be it an Inventory of Assets, SAP Continuity Plans, SAP Risk Register or SAP Security Metrics. The difference is in an extent of details. We encourage you to start small and implement the procedures little by little: choose a category, implement the first step for a process and then switch to another category. Such approach gradually allows you to cover all the processes at the basic level. Afterward, you will be ready to take the ERP security to the next level by executing the second and third steps. At this very moment, you have all the necessary capabilities to effectively secure enterprise systems.
What specific results can be derived from the framework?
The picture below illustrates the possible applications of the SAP Cybersecurity Framework.
The framework can help companies to shape their Security Program and describe security controls and practices they employ to protect IT systems. Companies can use it to establish a set of security areas, for example, in the program, protection processes, and policies.
Since the framework provides the detailed recommendations and references, companies can use it to develop specific security policies or update existing ones to include SAP systems in the scope of enterprise-wide security initiatives.
It’s a good practice to develop security plans for each of the IT systems, so that the framework will be useful to choose security controls to protect SAP systems.
The SAP Cybersecurity Framework describes the general outcomes for each of the activities, therefore can be used to develop security process descriptions and instructions. It permits analyzing the range of existing technical solutions and implementing them in SAP security projects.
Finally, we use the framework for mapping the compliance requirements to security controls. As we are sure that the framework covers all protective areas, so that can always select proper security controls while implementing compliance requirements of GDPR, ISO27001 or whatever else.
Companies always strive to protect their SAP systems, but nowadays it is more important than ever. Today’s enterprise systems are extremely open and interconnected. Recent news shows that attackers are constantly moving up the stack and turn their attention from infrastructure level to enterprise systems and business information.
This situation requires new comprehensive approaches to SAP systems protection. With your help and EAS-SEC community’s, we developed the SAP Cybersecurity Framework to standardize SAP security processes and facilitate SAP security development.
Let us recap. These are the key ideas of the article:
- Why companies need a framework for SAP security?
To ensure compliance and reliability of SAP systems.
- What is SAP Cybersecurity Framework?
Prioritized set of activities to secure SAP systems along with outcomes and implementation steps.
- How to use the framework?
By applying compliance requirements to SAP security controls and choosing security solutions and services.
- Why now?
The world has changed, including SAP systems and attacks. An approach to SAP security should respond to these changes.
Feel free to download SAP Cybersecurity Framework.
Besides, if you are interested in the ERP cybersecurity posture in general, you could take a look at the recent ERP Cybersecurity Survey 2017.
We believe the security of ERP system shouldn’t be a poor cousin of enterprise security any longer and demands to receive due attention and strategic management as it ensures the resilience of core enterprise operations.
SAP Cybersecurity Framework is developed under the EAS-SEC initiative. Security professionals are welcome to participate with a view to getting a common, harmonized and efficient standard of ERP security operations.