
A Practical Guide to Cybersecurity Governance for SAP

Language

English

Pages

147

Level

Intermediate

ISBN

9783960122623

ISBN Print

9783960122654

There is a lot of misunderstanding about how to apply cybersecurity principles to SAP software. Management expects the SAP security team to be prepared to implement a full cybersecurity project that integrates SAP software into a new or existing company cybersecurity program. It’s not that simple. This book provides a practical entry point to cybersecurity governance that is easy for an SAP team to understand and use. It breaks the complex subject of SAP cybersecurity governance down into simplified language, accelerating your efforts by drawing a direct correlation to the work already done for financial audit compliance. Build a practical framework for creating a cyber risk ruleset in SAP GRC 12.0, including SOX, CMMC, and NIST controls. Learn how to plan a project to implement a cyber framework for your SAP landscape. Explore controls and how to create control statements, plan of action and milestone (POA&M) statements for remediating deficiencies, and how to document controls that are not applicable. The best controls in the world will not lead to a successful audit without the evidence to back them up. Learn about evidence management best practices, including evidence requirements, how reviews should be conducted, who should sign off on review evidence, and how this evidence should be retained.

  • Introduction to cybersecurity framework compliance for SAP software
  • SAP-centric deep dive into controls
  • How to create a cyber risk ruleset in SAP GRC
  • Implementing a cyber framework for your SAP landscape

Reading Example

2.1 What is a cybersecurity framework?

A cybersecurity framework is a structured and detailed list of requirements that define how information technology systems, software, and networks should be managed.

The first cybersecurity framework acknowledged federally in the U.S. was developed by the National Institute of Standards and Technology (NIST). NIST started cybersecurity framework research in 2013 (see: History and Creation of the Framework – https://www.nist.gov/cyberframework/online-learning/history-and-creation-framework), after the President of the United States issued Executive Order 13636, requiring the creation of a set of standards and processes for identifying and managing cyber risk. The first iteration of a cybersecurity framework from NIST was released in February 2014. Prior to this, there were multiple guidelines from different organizations and companies that attempted to codify risk, automate the management and detection of risks, and prevent data loss. The creation of this framework pulled all the different guidelines together into a single point of reference. This gave security practitioners a tool-agnostic toolset for education about, and management of, risk.

In this book, we cover the most widely used current and emerging cybersecurity frameworks in the U.S. We provide an overview of:

We do a deep dive into NIST SP 800-53 Rev. 5 and CMMC. We have chosen these two frameworks because NIST SP 800-53 is the global industry standard underlying the majority of risk management tools, and the new CMMC framework’s requirements on supply chain security are based heavily on the NIST SP 800-53 foundation. We dive into CMMC to help security practitioners prepare for this new requirement moving forward.

CMMC is driven by a requirement to secure the U.S. Department of Defense (U.S. DoD) supply chain against cyber risk. This requirement is not just for direct U.S. DoD contractors and suppliers—it will also impact the suppliers of those contractors, suppliers, and other U.S. government agencies that supply or contribute to U.S. DoD. If your customer is a supplier for the U.S. government in any way, your company will be asked for its state of cyber hygiene according to the CMMC requirements. This requirement is similar to a direct customer or supplier of your company wanting to know that your cloud provider has a current positive audit on their System and Organization Controls (SOC 1, SOC 2, SOC 3) reports.

System and Organization Controls reports evaluate the audit controls of a cloud provider or other service organization. The reports have different levels of complexity.

The Statement on Standards for Attestation Engagements number 16 (SSAE 16) is an audit control report that is used to create the SOC 1 report.

  • SOC 1 (also known as SSAE 16): a report on internal controls over financial reporting
  • SOC 2: an audit report of an organization’s information systems relevant to security, availability, processing integrity, confidentiality, or privacy
  • SOC 3: an audit report similar to a SOC 2 but that does not include the testing performed and is used for marketing purposes
