OPERATIONALIZING CYBERSECURITY FRAMEWORK
CYBERSECURITY SCOPE
CYBERSECURITY RISKS
CYBERSECURITY BASELINE
CYBERSECURITY FUTURE STATE FOR KPOC
PREDICT: To understand the IT system's environment and proactively prioritize and address system exposures.
Processes: Risk Management, Asset Management, Business Environment, Vulnerability Management, Secure Development.
Navigation: Steps | Outcomes | Purpose | Baseline | Future State | Predict | Prevent | Detect | Respond
PREDICT ASSET MANAGEMENT
Purpose: To communicate information about assets in IT systems, the security category of each asset, the rules of acceptable use and the protection requirements.
Outcomes:
• Inventory of Assets. All systems, servers, applications, information assets, personnel and devices, related information systems and information flows are identified and updated regularly.
• Criticality Assessments. Assets are prioritized according to their importance to the business.
• Acceptable Use Requirements. Rules, responsibilities and requirements for acceptable use are developed.
Steps:
1. Create an Inventory of Assets:
• Develop a classification schema and templates to describe the different types of assets: systems, servers, applications, services, information assets and devices.
• Establish procedures for creating and updating the Inventory of Assets during procurement, use and retention of assets.
• Inventory assets and identify their stakeholders: administrators, owners, users and third parties.
2. Assess criticality of the assets:
• Elicit and document contractual, regulatory and internal requirements for information assets.
• Develop an approach and procedure to assign and review the criticality level of assets.
• Mark assets according to their criticality level.
• Document acceptable-use requirements for assets of different types and criticality levels over the asset lifecycle.
• Develop guidelines and controls for protecting assets according to their criticality level.
3. Develop a complete specification of all systems:
• Inventory all modules, services and software on assets.
• Determine connections and information flows between assets, internal and external information systems and data providers for each system.
• Establish security requirements for third parties, vendors, contracts and contractors regarding all systems.
PREDICT BUSINESS ENVIRONMENT
Purpose: To provide business context, ensure cybersecurity continuity of all systems and address cybersecurity in supplier relationships.
Outcomes:
• Business Context. The organization's business processes, activities, stakeholders and resilience requirements for all systems are identified and prioritized.
• Continuity Plans. All cybersecurity requirements are identified and addressed by continuity controls.
• Supplier Catalogue. Suppliers and associated contracts are identified; cybersecurity requirements for suppliers are established in contracts and monitored in service delivery.
Steps:
1. Identify Business Context:
• Identify the organization's activities and business processes (procure to pay, order to cash and so on), the corresponding internal systems, and the external information systems and services required to achieve the organization's purposes.
• Identify stakeholders of business processes.
• Gather resilience requirements for all systems that support the organization's activities.
• Inform the assessment of asset criticality by performing a criticality analysis of the corresponding business functions.
2. Prepare Continuity Plans:
• Develop cybersecurity requirements for all systems in adverse situations, e.g. under attack or during recovery.
• Document plans, response and recovery procedures for maintaining cybersecurity of all systems in case of a disruptive event.
• Integrate cybersecurity continuity controls with the organization's business continuity and disaster recovery activities.
3. Maintain Supplier Catalogue:
• Identify and mandate cybersecurity controls and requirements (notification, incident management, screening, audit, compliance and so on) in contracts, specifically addressing supplier access to the organization's IT systems.
• Establish and agree cybersecurity requirements with each supplier that may access SAP or any critical system. Review the requirements on changes to supplier agreements and on development of new applications and systems.
• Establish, monitor, review and audit supplier adherence to cybersecurity agreements. Implement a monitoring process for supplier audit trails, records of security events, operational problems, and failures or disruptions related to the delivered service.
PREDICT GOVERNANCE
Purpose: To develop cybersecurity policies, roles, responsibilities and procedures so that IT cybersecurity is understood and integrated into the organization's operational and management processes.
Outcomes:
• Cybersecurity Policy. The organizational information security policy addresses IT cybersecurity objectives, the threat environment and controls.
• Security Processes. Cybersecurity processes and procedures, roles and responsibilities are established and aligned with internal roles and external partners.
• Control Procedures. Legal, regulatory and operational requirements regarding cybersecurity of all systems are identified, enforced and controlled.
Steps:
1. Establish IT Cybersecurity Policy:
• Define cybersecurity objectives and guiding principles, assign general responsibilities for cybersecurity and communicate them to employees and relevant external parties.
• Establish an approach to communicate and address risks associated with the operation and use of all applications in the context of the organization's operational risk management.
• Demonstrate top management leadership and commitment with respect to cybersecurity.
2. Develop security processes:
• Develop descriptions for all Security Processes relevant to the organization.
• Define systems cybersecurity roles and responsibilities and assign them to internal roles, organizational positions and external parties.
• Implement cybersecurity review in all management phases of IT projects: project objectives include cybersecurity goals, the necessary security controls are identified, and security assessment is part of acceptance testing for all systems.
3. Implement control procedures:
• Document and keep up to date all legislative, statutory, regulatory and contractual requirements relevant to IT systems.
• Develop specific controls and individual responsibilities to meet the relevant compliance requirements.
• Prepare questionnaires and technical procedures to evaluate compliance of IT security controls and processes.
PREDICT VULNERABILITY MANAGEMENT
Purpose: To provide cybersecurity assurance in IT systems by assessing vulnerabilities and reducing attack vectors.
Outcomes:
• Scan Plans. Security testing covers all systems.
• Scan Profiles. Relevant IT risks, compliance and technical policies are translated into scan profiles and technical checks.
• Remediation Plans. The organization develops and implements remediation plans to address vulnerabilities in IT systems.
Steps:
1. Regularly perform IT security audits and penetration tests:
• Develop an annual scan plan to ensure gradual coverage of all IT systems.
• Conduct vulnerability assessments and security audits for IT systems in use, before acceptance and in development.
• Systematically assess IT security controls through internal and external penetration tests.
• Communicate security assessment results in terms of security breach, fraud and compliance risks.
2. Repeatedly scan all systems for vulnerabilities, recommend and track remediations:
• Prepare and maintain scan profiles for assets according to applicable compliance requirements, security policies and protection guidelines.
• Prioritize remediation activities according to asset criticality, vulnerability risk and estimated effort.
• Develop remediation plans to address security issues in applications, security controls and infrastructure.
• Maintain a remediation knowledge base describing executed corrections, applied patches, secure configurations and context considerations.
3. Monitor vulnerabilities, remediations and threats from public and private sources and threat intelligence feeds:
• Monitor information about security vulnerabilities, new remediations and threats on vendor and third-party web sites, mailing lists, newsgroups and other notification services.
• Collect threat intelligence feeds and review them with regard to IT security threats.
• Stay up to date with the latest research publications and security events.
PREDICT RISK MANAGEMENT
Purpose: To make decisions on addressing possible adverse impacts from the operation and use of IT systems.
Outcomes:
• Threat Model. The organizational approach to IT cybersecurity risks is established.
• Risk Register. Risks from the operation and use of IT systems are identified, prioritized and estimated.
• Risk Responses. Appropriate courses of action to accept, avoid, mitigate or transfer IT cybersecurity risk are identified, evaluated and implemented.
Steps:
1. Create a threat model for IT systems:
• Identify the scope (organizational entities, IT systems, etc.) of cybersecurity risk management activities and align it with enterprise risk management.
• Create a threat model for all systems: document and approve the risk assessment methodology, covering threat sources, vulnerabilities, attack scenarios and impacts.
• Develop risk assessment and response guidance.
2. Assess likelihoods and estimate business impacts of cybersecurity risks:
• Identify threats to and vulnerabilities in IT systems and infrastructure.
• Analyze the likelihood of cybersecurity risks using vulnerability assessment results, subject matter expert surveys and business impact analysis.
• Determine the risk to organizational operations if identified threats exploit identified vulnerabilities.
3. Automate risk management and develop risk response plans:
• Automate risk management by integrating vulnerability management, GRC platforms and incident response solutions.
• Identify and implement alternative courses of action to respond to IT cybersecurity risks determined during the risk assessment.
• Create plans for monitoring the effectiveness of risk response measures and define risk monitoring triggers.
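The Vulnerability Management step "prioritize remediation according to asset criticality, vulnerability risk and estimated effort" and the Risk Management step "determine the risk to organizational operations if identified threats exploit identified vulnerabilities" are the same computation seen from two sides. The following is an added example, not part of the framework deck: it scores constructed scanner findings as likelihood x impact, where likelihood comes from CVSS, network exposure and exploit availability, and impact from the asset's criticality level in the inventory. The weights, scales, band cut-offs and sample findings are assumptions chosen for illustration.

```python
"""Risk-based remediation prioritization.

Added example (not from the framework): combines asset criticality, CVSS
severity, network exposure, exploit availability and remediation effort
into a risk score and a priority band. The weights, scales and band cut-offs
are assumptions chosen for illustration.
"""
from dataclasses import dataclass

# Criticality levels as assigned in the asset inventory (assumed 4-level scale)
CRITICALITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}
# Exposure multiplier: internet-facing assets are reachable by any threat source (assumed)
EXPOSURE = {"internal": 1.0, "partner": 1.5, "internet": 2.0}


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str
    cvss: float          # CVSS base score 0.0-10.0 reported by the scanner
    exploit_known: bool  # public exploit or active exploitation seen in threat intelligence
    criticality: str     # criticality level from the asset inventory
    exposure: str        # network exposure of the asset
    effort_days: float   # estimated remediation effort


def likelihood(f: Finding) -> float:
    """Likelihood on a 0-10 scale: CVSS scaled by exposure, raised 25% for known exploits, capped at 10."""
    score = f.cvss * EXPOSURE[f.exposure]
    if f.exploit_known:
        score *= 1.25
    return min(score, 10.0)


def impact(f: Finding) -> float:
    """Impact on a 0-10 scale derived from the asset's criticality level."""
    return CRITICALITY[f.criticality] * 2.5


def risk(f: Finding) -> float:
    """Risk = likelihood x impact, on a 0-100 scale."""
    return round(likelihood(f) * impact(f), 1)


def priority_band(r: float) -> str:
    """Map a risk score to a remediation band (cut-offs are assumptions)."""
    if r >= 70:
        return "P1"
    if r >= 40:
        return "P2"
    if r >= 20:
        return "P3"
    return "P4"


def remediation_plan(findings):
    """Order findings by band, then highest risk, then least effort (quick wins first within a band)."""
    rows = [(priority_band(risk(f)), risk(f), f) for f in findings]
    rows.sort(key=lambda row: (row[0], -row[1], row[2].effort_days))
    return rows


# Constructed sample findings
SAMPLE_FINDINGS = [
    Finding("erp-app-01", "VULN-A", 9.8, True, "critical", "internet", 2.0),
    Finding("hr-portal", "VULN-B", 7.5, False, "high", "internet", 3.0),
    Finding("test-db-07", "VULN-C", 9.1, True, "low", "internal", 0.5),
    Finding("fileshare-03", "VULN-D", 5.3, False, "medium", "internal", 5.0),
]

if __name__ == "__main__":
    for band, r, f in remediation_plan(SAMPLE_FINDINGS):
        print(f"{band} risk={r:5.1f} effort={f.effort_days:3.1f}d {f.asset:13} {f.vuln_id}")
```

Note what the scoring does with the test database: a CVSS 9.1 issue with a public exploit still lands in P3 because the asset is low criticality, while the internet-facing ERP system with the same kind of finding is P1. That is the point of feeding asset criticality from the inventory into the vulnerability process rather than sorting by CVSS alone.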
PREDICT SECURE DEVELOPMENT
Purpose: To ensure security during IT systems development and acquisition.
Outcomes:
• IT Security Requirements. Cybersecurity requirements for all IT systems in development are identified and addressed by security controls.
• Development Standards and Processes. IT system development follows standard processes that incorporate secure practices and are documented and repeatable.
• Security Plans. All IT systems have security plans in place describing the implemented security controls and solutions.
Steps:
1. Develop basic security requirements for the configuration of servers, networks, IT applications and endpoints:
• Separate development, testing and production environments.
• Develop secure transport procedures for moving changes between environments.
• Assign and control access rights of developers (developer access keys and developer authorizations).
2. Create secure development standards and processes:
• Prepare development and coding standards that include checking developed systems for vulnerabilities (code issues, obsolete statements, missing authorization checks, etc.).
• Provide security training for the development team.
• Ensure quality assurance plans address IT security requirements: adherence to standards, passing security assessments, proper documentation.
3. Automate secure development processes:
• Automate the secure development process in ITSM and integrate code scanning tools into the automated development workflow.
• Use virtual patching for code issues that cannot be fixed quickly due to resource constraints; document these issues, the applied remediations and future considerations.
• Require developers and contractors to prepare security plans for each application system, and authorize use of these systems on the basis of risk management and security control assessment results.
PREVENT: To reduce the attack surface and block attackers before they impact the company.
Processes: Secure Architecture, Access Control, Awareness & Training, Data Security.
PREVENT ACCESS CONTROL
Purpose: To limit the rights of authorized users and prevent unauthorized use of IT systems.
Outcomes:
• Access Rules. User and application access to IT systems is need-based, documented and implements the principles of least privilege and segregation of duties.
• Access Mechanisms. Procedures for granting, changing and revoking access to IT systems are established throughout the network, OS, DBMS and application layers.
• Access Control Reports. Access control mechanisms are continuously tested and comply with the access rules.
Steps:
1. Secure the network, servers and endpoint devices:
• Establish procedures and baseline security requirements for users and applications before granting access to IT system services and endpoint devices.
• Implement two-factor authentication.
• Restrict access to administrative IT services and anonymous access to critical web services.
2. Implement role-based access control for all system functionality:
• Define user and administrative roles for interacting with IT systems. Establish which organizational subjects may occupy a role and which objects and actions are available to it. Document the privileges that may be granted to each defined role.
• Restrict admin or superuser profiles to administrators.
• Restrict unauthorized access to critical transactions, programs, remote function calls, database tables, web services and other entities.
3. Enforce Segregation of Duties controls according to business process rules:
• Create an SoD matrix according to business process rules and best practices.
• Enforce SoD controls in all systems.
• Audit overrides of access control mechanisms: SoD conflicts and role-based access conflicts.
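An SoD matrix only becomes a control when something checks every user's effective permissions against it, including permissions that arrive indirectly through nested (composite) roles. The following is an added example, not part of the framework deck: it expands role membership into effective permissions, evaluates each user against a constructed SoD matrix and reports which roles cause each conflict. The role model, permission names and user assignments are constructed for the example.

```python
"""Segregation-of-duties conflict check.

Added example (not from the framework). Roles grant permissions or nest other
roles; users hold roles. An SoD matrix names permission pairs that one person
must not hold together. The check expands each user's effective permissions
through role nesting and reports every violated pair with the granting roles.
All role, permission and user data below is constructed.
"""

# Constructed role model: role -> set of permissions; "role:X" nests role X
ROLES = {
    "AP_CLERK":      {"VENDOR_CREATE", "INVOICE_POST"},
    "AP_SUPERVISOR": {"PAYMENT_RELEASE"},
    "BASIS_ADMIN":   {"USER_ADMIN", "ROLE_ADMIN"},
    "AUDITOR":       {"READ_ALL"},
    "FINANCE_LEAD":  {"role:AP_CLERK", "role:AP_SUPERVISOR"},   # composite role
}
# Constructed SoD matrix: permission pairs that must not be combined in one person
SOD_MATRIX = [
    ("VENDOR_CREATE", "PAYMENT_RELEASE"),   # create a vendor and pay it
    ("INVOICE_POST", "PAYMENT_RELEASE"),    # post an invoice and release its payment
    ("USER_ADMIN", "PAYMENT_RELEASE"),      # grant oneself the rights to pay
]
# Constructed user-to-role assignments
ASSIGNMENTS = {
    "alice": {"AP_CLERK"},
    "bob":   {"AP_SUPERVISOR", "AUDITOR"},
    "carol": {"FINANCE_LEAD"},              # conflict only visible through nesting
    "dave":  {"BASIS_ADMIN", "AP_SUPERVISOR"},
}


def effective_permissions(role, roles=ROLES, seen=None):
    """Return {permission: granting_role} for a role, following nested roles; cycles are tolerated."""
    seen = set() if seen is None else seen
    if role in seen:
        return {}
    seen.add(role)
    perms = {}
    for entry in roles.get(role, set()):
        if entry.startswith("role:"):
            perms.update(effective_permissions(entry[len("role:"):], roles, seen))
        else:
            perms[entry] = role
    return perms


def user_permissions(user, assignments=ASSIGNMENTS, roles=ROLES):
    """Merge permissions from all of a user's roles, remembering which role granted each."""
    perms = {}
    for role in sorted(assignments.get(user, ())):
        for perm, via in effective_permissions(role, roles).items():
            perms.setdefault(perm, via)
    return perms


def sod_conflicts(user, assignments=ASSIGNMENTS, roles=ROLES, matrix=SOD_MATRIX):
    """List (perm_a, perm_b, role_a, role_b) for every SoD pair the user holds in full."""
    perms = user_permissions(user, assignments, roles)
    return [(a, b, perms[a], perms[b]) for a, b in matrix if a in perms and b in perms]


def sod_report(assignments=ASSIGNMENTS, roles=ROLES, matrix=SOD_MATRIX):
    """Map each user with at least one conflict to the list of conflicts."""
    report = {}
    for user in sorted(assignments):
        found = sod_conflicts(user, assignments, roles, matrix)
        if found:
            report[user] = found
    return report


if __name__ == "__main__":
    for user, conflicts in sod_report().items():
        for a, b, role_a, role_b in conflicts:
            print(f"{user}: {a} (via {role_a}) + {b} (via {role_b})")
```

Carol holds a single composite role and would pass a check that only looks at directly assigned roles; the expansion through FINANCE_LEAD is what surfaces her two conflicts. The same function run on each provisioning event gives the real-time override audit called for in the Detect User Behavior process.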
PREVENT AWARENESS AND TRAINING
Purpose: To provide personnel and contractors with the cybersecurity awareness education and training needed to perform their duties and responsibilities.
Outcomes:
• Training Materials. Training goals are identified for each category of IT system stakeholders and adequately addressed by awareness training and education materials.
• Training Records. Education and training are tracked and provided on a regular basis and in case of system changes.
• Knowledge Assessment Reports. The level of cybersecurity awareness is measured and managed for all stakeholders.
Steps:
1. Enlist commitment of the Board and C-level executives:
• Choose an IT security education provider and organize security awareness workshops.
• Maintain cybersecurity awareness of managers and senior executives with a regular digest of recent news.
• Demonstrate the commitment of senior executives to secure operation of all systems by personal example and budget allocation.
2. Provide IT security training for SAP BASIS and security teams:
• Identify education goals and provide role-based security training and practical exercises to the SAP BASIS team.
• Identify education goals and provide role-based security training and practical exercises to security teams.
• Test the security awareness of SAP BASIS and security teams by periodic assessments and by simulating anomalous system behavior.
3. Provide awareness training to SAP and IT users:
• Prepare training materials, choose courses and third-party education providers.
• Provide basic and refresher security awareness training to SAP and IT users and contractors.
• Monitor awareness by regular tests, simulated insider threats and simulated anomalous system behavior.
PREVENT DATA SECURITY
Purpose: To enforce confidentiality, integrity and availability requirements for information in IT systems at the data layer.
Outcomes:
• Data Inventory. Data assets are identified and linked to the relevant organizational information assets.
• Data Flows. Data flows between SAP and critical systems and external systems are identified along with the protection requirements of the represented information.
• Data Security Reports. The organization receives assurance that data in SAP or critical systems, at rest and in transit, is protected in accordance with the value of the represented information.
Steps:
1. Classify data assets according to their value to the organization:
• Identify data representing information assets in IT systems, its location and the related contractual, regulatory and legal requirements influencing its security.
• Establish an approach to label the security attributes of data in IT systems: metadata, visual marking, handling rules, etc.
• Develop data handling rules and procedures for enforcing data security during acquisition, modification, removal, transfer and disposal of IT system assets.
2. Protect data in transit with TLS and authenticate the communicating parties:
• Document data flows between critical application systems and external systems, along with the security requirements for the connections.
• Implement cryptographic mechanisms to prevent unauthorized disclosure and detect changes to data in transit: current TLS versions with certificate validation enabled. Legacy SSL and early TLS versions are deprecated and should be disabled.
• Authenticate connected parties using certificates and PKI services, network controls and additional safeguards. Multi-factor authentication protects user logons, not the channel itself; the channel is protected by TLS.
3. Protect data at rest by encryption, secure storage location and tokenization:
• Employ cryptographic mechanisms to prevent unauthorized disclosure of, and detect changes in, stored data and system configuration.
• Remove defined data assets from online storage and store them offline in a secure location.
• Conduct regular audits of system configuration, data security controls and handling procedures.
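Whether a connection really protects data in transit is decided by a handful of client settings, and those are what a configuration audit should check. The following is an added example, not part of the framework deck: it builds a deliberately weak TLS client context next to a hardened one using Python's standard ssl module and runs the same audit over both. No network connection is made; the CA file path in the comment is an assumption.

```python
"""Audit of TLS client settings for data in transit.

Added example (not from the framework): a deliberately weak ssl.SSLContext is
built next to a hardened one and the same audit is run over both. It checks
the settings that decide whether the channel protects the data: protocol
floor, certificate verification, hostname checking and compression. No
network connection is made; the CA file path in the comment is an assumption.
"""
import ssl


def weak_client_context() -> ssl.SSLContext:
    """Settings still found in legacy integrations: old protocol floor, no certificate checks."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode can become CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE   # any certificate is accepted, so the peer cannot be trusted
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1   # allow deprecated protocol versions
    except ValueError:
        pass                          # some OpenSSL builds refuse TLS 1.0 entirely
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """TLS 1.2 floor, mandatory certificate verification, hostname check, no compression."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED, check_hostname and OP_NO_COMPRESSION
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # For connections to internal systems, trust only the organization's PKI (assumed path):
    # ctx.load_verify_locations(cafile="/etc/pki/corp-ca.pem")
    return ctx


def audit_tls_context(ctx: ssl.SSLContext) -> list:
    """Return the list of findings; an empty list means the context passes this audit."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor below TLS 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression not disabled")
    return findings


if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()), ("hardened", hardened_client_context())):
        print(name, audit_tls_context(ctx) or ["pass"])
```

The weak context is the classic "it works now" fix for a failing integration: with verification off, any party that can intercept the route can present its own certificate and read or alter the data, so the encryption buys nothing against an active attacker. Disabled hostname checking has the same effect with any valid certificate from any CA the client trusts.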
PREVENT SECURE ARCHITECTURE
Purpose: To ensure security of all IT solutions throughout all components, connections, infrastructure and security controls.
Outcomes:
• Infrastructure and Application Security Architecture. All IT system components and interdependencies are identified and documented.
• Security Controls. Common security services and specific application security controls are documented.
• IT Technical Solutions. Technical solutions for security controls are selected.
Steps:
1. Protect the IT perimeter:
• Protect and securely configure routers and firewalls, and use a proxy for external connections.
• Secure connections between critical internal systems and external systems (OT/ICS): proxy, SSO, etc.
• Choose an approach to document the architecture of all IT systems: users, data, connections, security domains, security controls and services, technical solutions.
2. Secure communications:
• Create an application communication schema where relevant.
• Ensure that all connections are documented and secured (access is limited and connection credentials are stored securely).
• Review that other connections to SAP and critical systems (database, XI, SOAP, J2EE, HANA, etc.) are justified by need and securely configured.
3. Integrate infrastructure and application security with enterprise security:
• Categorize application systems and identify the boundaries between these systems and other enterprise subsystems.
• Allocate and implement common security controls in all infrastructure and application systems according to enterprise security policy.
• Examine all critical system connections, interfaces and security-relevant dependencies among subsystems, and select security controls for the interconnections.
DETECT: To recognize threats, conditions and possible signs of compromise.
Processes: Data Leakage, Event Management, Threat Detection, User Behavior.
DETECT EVENT MANAGEMENT
Purpose: To collect information on IT security related events.
Outcomes:
• Audit Events. The list of events to monitor is identified.
• Event Databases. Event data is collected in data stores.
• Event Collecting Procedures. Procedures for collecting the required set of events are established for all source systems.
Steps:
1. Configure the security audit log:
• Identify the set of events to monitor in all IT systems.
• Configure IT systems to store data related to the identified set of security events.
• Regularly review security events and disseminate findings among interested parties.
2. Collect security-related events:
• Aggregate data related to a specific event from different sources (Windows AD, SAP logs, HTTP and gateway logs, and connected systems).
• Convert event records to a standardized format.
• Establish thresholds and alert rules for specific combinations of events.
3. Monitor all IT network, system, personnel and external service provider activities:
• Document auditable events, processing rules and event sources.
• Create an event database, store data from diverse event sources and enrich it with context information.
• Protect security-related data: encrypt event records, move data to a separate location or third-party storage provider, and ensure integrity, non-repudiation and long-term preservation of event records.
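Two of the steps above, converting records from different sources to one format and making stored event records tamper-evident, are shown together in the following added example (not part of the framework deck). Two constructed raw formats, a Windows-style logon record and an SAP-style Security Audit Log entry, are parsed into one schema; each normalized record is then appended to a SHA-256 hash chain so that later modification, deletion or reordering of any record breaks verification. The line layouts and values are constructed; the AU1/AU2 message IDs follow SAP's Security Audit Log convention for successful and failed logons.

```python
"""Normalize heterogeneous security events and chain them for tamper evidence.

Added example (not from the framework). Two constructed raw formats are parsed
into a common schema (ts, source, user, src_ip, action, outcome, raw_id); the
normalized records are then linked in a SHA-256 hash chain. Field layouts of
the raw lines are constructed for the example.
"""
import hashlib
import json
import re

# Constructed raw records in two constructed line formats
RAW_EVENTS = [
    "WIN 2024-03-01T08:02:11Z EventID=4625 user=jdoe src=10.0.5.23 status=FAILURE",
    "WIN 2024-03-01T08:02:19Z EventID=4625 user=jdoe src=10.0.5.23 status=FAILURE",
    "SAP 20240301 080230 AU2 JDOE 10.0.5.23 Logon failed (reason 1)",
    "SAP 20240301 080245 AU1 JDOE 10.0.5.23 Logon successful",
]
WIN_RE = re.compile(r"^WIN (\S+) EventID=(\d+) user=(\S+) src=(\S+) status=(\S+)$")
SAP_RE = re.compile(r"^SAP (\d{8}) (\d{6}) (\w+) (\S+) (\S+) (.*)$")

GENESIS = "0" * 64   # digest "before" the first record


def normalize(raw: str) -> dict:
    """Map one raw line onto the common schema; raise on unknown formats rather than guess."""
    m = WIN_RE.match(raw)
    if m:
        ts, event_id, user, src, status = m.groups()
        return {"ts": ts, "source": "windows", "user": user.lower(), "src_ip": src,
                "action": "logon", "outcome": "failure" if status == "FAILURE" else "success",
                "raw_id": event_id}
    m = SAP_RE.match(raw)
    if m:
        d, t, msg_id, user, src, _text = m.groups()
        ts = f"{d[:4]}-{d[4:6]}-{d[6:]}T{t[:2]}:{t[2:4]}:{t[4:]}Z"   # ISO 8601 like the Windows source
        return {"ts": ts, "source": "sap", "user": user.lower(), "src_ip": src,
                "action": "logon", "outcome": "success" if msg_id == "AU1" else "failure",
                "raw_id": msg_id}
    raise ValueError(f"unrecognized record: {raw!r}")


def normalize_all(raw_lines):
    return [normalize(line) for line in raw_lines]


def canonical(record: dict) -> bytes:
    """Stable serialization so the same record always hashes identically."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def build_chain(records):
    """Return [(record, digest)] where each digest covers the record and the previous digest."""
    prev, chain = GENESIS, []
    for rec in records:
        digest = hashlib.sha256(prev.encode() + canonical(rec)).hexdigest()
        chain.append((rec, digest))
        prev = digest
    return chain


def verify_chain(chain) -> bool:
    """Recompute every link; False if any record was altered, removed or reordered."""
    prev = GENESIS
    for rec, digest in chain:
        if hashlib.sha256(prev.encode() + canonical(rec)).hexdigest() != digest:
            return False
        prev = digest
    return True


if __name__ == "__main__":
    chain = build_chain(normalize_all(RAW_EVENTS))
    print("chain valid:", verify_chain(chain))
    tampered = [(dict(rec), digest) for rec, digest in chain]
    tampered[1][0]["outcome"] = "success"      # rewrite one failed logon as a success
    print("after tampering:", verify_chain(tampered))
```

The chain only proves integrity relative to its last digest, so that digest has to be anchored somewhere the log writer cannot alter: signed with a key the collector does not hold, or copied periodically to the separate storage location the step above calls for. Normalizing the user name to lower case before hashing is deliberate; correlation across Windows and SAP fails if the same person appears as jdoe in one source and JDOE in the other.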
DETECT THREAT DETECTION
Purpose: To detect attacks and possible threats to IT systems.
Outcomes:
• Threat Catalogue. The list of possible threats and attacks is identified.
• Threat Data Sources. For each threat, data collection rules are documented and implemented.
• Threat Detection Rules. For each threat, detection rules are created.
Steps:
1. Configure IDS/IPS systems to detect attack signatures:
• Acquire and maintain an updated attack signature database for the IDS/IPS system.
• Subscribe to threat feeds from vendors and research teams for signatures of newly disclosed attacks. Signatures necessarily lag disclosure, so a true zero-day is not covered until a signature exists.
• Ensure traffic of all critical systems is monitored by IDS/IPS solutions.
2. Manually review all security events:
• Select threats to monitor inside critical IT applications and identify data sources for them.
• Review system logs, traces and special reports to detect attacks.
• Use information about security attacks to assess cybersecurity risks.
3. Monitor potential attacks, security event combinations and anomalies:
• Document detection rules for discovering attacks and potential threats to information assets inside IT systems and infrastructure components.
• Automate continuous gathering of threat data, application of detection rules and generation of threat notifications.
• Integrate threat detection capabilities with the incident response process and automate creation of incidents.
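The Event Management step "establish thresholds and alert rules for specific combinations of events" and the Threat Detection step "document detection rules, apply them continuously and automate creation of incidents" meet in a correlation rule. The following added example (not part of the framework deck) implements one such rule over already normalized events: a burst of failed logons for the same user and source address within a time window, followed by a successful logon, produces an incident record ready for the incident response process. The event schema, thresholds, window and sample events are assumptions.

```python
"""Correlation rule: credential brute force followed by a successful logon.

Added example (not from the framework). Events are assumed to be already
normalized to {ts, source, user, src_ip, outcome}. The rule keeps a sliding
window of failures per (user, src_ip) across all sources and emits an
incident when a success follows at least THRESHOLD failures inside WINDOW.
Threshold, window and sample events are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILURE_THRESHOLD = 3
WINDOW = timedelta(minutes=5)

# Constructed, already normalized events
EVENTS = [
    {"ts": "2024-03-01T08:00:05Z", "source": "windows", "user": "jdoe", "src_ip": "10.0.5.23", "outcome": "failure"},
    {"ts": "2024-03-01T08:00:09Z", "source": "windows", "user": "jdoe", "src_ip": "10.0.5.23", "outcome": "failure"},
    {"ts": "2024-03-01T08:00:14Z", "source": "sap", "user": "jdoe", "src_ip": "10.0.5.23", "outcome": "failure"},
    {"ts": "2024-03-01T08:00:40Z", "source": "sap", "user": "jdoe", "src_ip": "10.0.5.23", "outcome": "success"},
    {"ts": "2024-03-01T09:10:00Z", "source": "windows", "user": "asmith", "src_ip": "10.0.7.9", "outcome": "failure"},
    {"ts": "2024-03-01T09:10:30Z", "source": "windows", "user": "asmith", "src_ip": "10.0.7.9", "outcome": "success"},
    {"ts": "2024-03-01T10:00:00Z", "source": "windows", "user": "bwong", "src_ip": "10.0.9.1", "outcome": "failure"},
    {"ts": "2024-03-01T10:00:01Z", "source": "windows", "user": "bwong", "src_ip": "10.0.9.1", "outcome": "failure"},
    {"ts": "2024-03-01T10:00:02Z", "source": "windows", "user": "bwong", "src_ip": "10.0.9.1", "outcome": "failure"},
    {"ts": "2024-03-01T10:20:00Z", "source": "windows", "user": "bwong", "src_ip": "10.0.9.1", "outcome": "success"},
]


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


class BruteForceRule:
    """Stateful detector: recent failures per (user, src_ip), shared across Windows and SAP sources."""

    def __init__(self, threshold=FAILURE_THRESHOLD, window=WINDOW):
        self.threshold = threshold
        self.window = window
        self.failures = defaultdict(deque)   # (user, src_ip) -> deque of (datetime, event)

    def process(self, event):
        """Feed one event in time order; return an incident dict when the rule fires, else None."""
        key = (event["user"], event["src_ip"])
        now = parse_ts(event["ts"])
        recent = self.failures[key]
        while recent and now - recent[0][0] > self.window:   # expire failures outside the window
            recent.popleft()
        if event["outcome"] == "failure":
            recent.append((now, event))
            return None
        incident = None
        if len(recent) >= self.threshold:
            incident = {
                "rule": "brute_force_then_success",
                "severity": "high",
                "user": event["user"],
                "src_ip": event["src_ip"],
                "failed_attempts": len(recent),
                "sources": sorted({e["source"] for _, e in recent} | {event["source"]}),
                "first_failure": recent[0][1]["ts"],
                "success": event["ts"],
            }
        recent.clear()   # a success, alerted or not, ends the sequence
        return incident


def run_rule(events, rule=None):
    """Apply the rule to events sorted by timestamp and return the incidents it raises."""
    rule = rule or BruteForceRule()
    ordered = sorted(events, key=lambda e: e["ts"])
    return [inc for inc in (rule.process(e) for e in ordered) if inc is not None]


if __name__ == "__main__":
    for inc in run_rule(EVENTS):
        print(inc)
```

Only jdoe produces an incident: the three failures span two sources (Windows and SAP), which a per-system rule would have counted as one and two and missed. asmith fails once and then logs on, which is normal user behavior. bwong's three failures are followed by a success twenty minutes later, outside the five-minute window, so the rule stays quiet; whether that gap is too generous or too strict is exactly the threshold decision the process step asks you to document.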
DETECT USER BEHAVIOR
Purpose: To detect deviations of user behavior in IT systems from the typical.
Outcomes:
• Critical Actions Reports. Information on actions with critical system objects is collected.
• Baseline Behavior Profiles. Normal behavior profiles of infrastructure and application users are determined.
• Anomaly Detection Rules. Signs of suspicious behavior are identified.
Steps:
1. Review privileged account activities:
• Identify privileged accounts and critical actions to monitor in IT systems: account and role operations, creation of data connections, modification of transactions, etc.
• Create a list of reports and logs to monitor privileged account actions.
• Configure automated notification of critical events.
2. Establish profiles for user behavior and detect anomalies:
• Baseline behavior profiles for infrastructure and application users and roles.
• Establish anomaly thresholds and notification rules.
• Report anomalous user behavior to responsible personnel or roles.
3. Monitor business activities and SoD conflicts in real time:
• Implement an automated process for anomalous behavior detection and notification.
• Audit overrides of access control mechanisms in real time: SoD conflicts and role-based access conflicts.
• Augment anomaly detection rules with business context from external sources: HR data, DLP, IAM, endpoint solutions and physical access control systems.
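Step 2 above, baselining behavior and setting anomaly thresholds, is shown in the following added example (not part of the framework deck). A per-user profile is learned from constructed history: mean and standard deviation of records exported per day, plus the hours the user normally logs on. New activity is then scored against the profile with a z-score threshold and an off-hours rule. The history, the threshold and the tolerance of two hours are assumptions; the statistics are deliberately simple so the thresholds stay explainable to the people who receive the notifications.

```python
"""Baseline-and-threshold anomaly detection for user activity.

Added example (not from the framework). Profiles are learned from constructed
history per user: export volume (mean, population standard deviation) and the
set of usual logon hours. Activity is flagged when the export z-score exceeds
Z_THRESHOLD or the logon hour is more than two hours from any usual hour.
All numbers below are assumptions.
"""
import statistics
from dataclasses import dataclass, field

Z_THRESHOLD = 3.0
HOUR_TOLERANCE = 2

# Constructed history: user -> list of (logon_hour, records_exported) per working day
HISTORY = {
    "jdoe":   [(8, 120), (9, 135), (8, 110), (9, 128), (8, 140), (9, 122), (8, 131), (9, 118), (8, 125), (9, 133)],
    "admin1": [(7, 5), (7, 3), (8, 6), (7, 4), (8, 5), (7, 7), (8, 4), (7, 6), (8, 5), (7, 4)],
}
# Constructed activity for the day under review
TODAY = [("jdoe", 9, 150), ("jdoe", 3, 130), ("admin1", 7, 50), ("ghost", 8, 1)]


@dataclass
class Profile:
    mean_exports: float
    stdev_exports: float
    usual_hours: set = field(default_factory=set)


def build_profile(days) -> Profile:
    exports = [n for _, n in days]
    # floor on the deviation so very steady users do not alert on trivial noise
    stdev = max(statistics.pstdev(exports), 1.0)
    return Profile(statistics.mean(exports), stdev, {h for h, _ in days})


def build_profiles(history=HISTORY) -> dict:
    return {user: build_profile(days) for user, days in history.items()}


def score_activity(user, logon_hour, records_exported, profiles) -> list:
    """Return the anomaly reasons for one day's activity; an empty list means normal."""
    p = profiles.get(user)
    if p is None:
        return ["no baseline profile for user"]     # unknown account: itself worth a look
    reasons = []
    z = (records_exported - p.mean_exports) / p.stdev_exports
    if z > Z_THRESHOLD:
        reasons.append(f"export volume z={z:.1f} exceeds threshold {Z_THRESHOLD}")
    if min(abs(logon_hour - h) for h in p.usual_hours) > HOUR_TOLERANCE:
        reasons.append(f"logon at hour {logon_hour:02d} outside usual hours {sorted(p.usual_hours)}")
    return reasons


def anomaly_report(activity, profiles) -> list:
    """[(user, reasons)] for the activity rows that scored as anomalous."""
    report = []
    for user, hour, exported in activity:
        reasons = score_activity(user, hour, exported, profiles)
        if reasons:
            report.append((user, reasons))
    return report


if __name__ == "__main__":
    for user, reasons in anomaly_report(TODAY, build_profiles()):
        print(user, "->", "; ".join(reasons))
```

The privileged account admin1 normally exports a handful of records a day, so 50 records is roughly forty standard deviations out and fires immediately, while jdoe exporting 150 against a mean of about 126 does not. That difference is why profiles must be per user or per role: a single global threshold tuned for business users would never catch the administrator.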
DETECT DATA LEAKAGE
Purpose: To detect data leakage from IT systems.
Outcomes:
• Data Marking Practice. The order of marking exported data reports and data flows is defined.
• Leakage Conditions. The configuration settings that create conditions for data leakage are defined.
• Leakage Detection Rules. Signs of possible data leakage are identified and configured.
Steps:
1. Identify data leakage conditions in custom code and configuration:
• Identify configuration settings of an application system or service that predispose it to data leakage.
• Review custom-developed code for possible data leakage conditions.
• Implement visual marking of reports exported from IT systems.
2. Analyze security events to detect possible data leakage:
• Develop an approach to trace the security attributes of data records in logs.
• Define leakage detection rules on the basis of the collected security events.
• Regularly review reports and event records to discover data leakage.
3. Monitor data flows and devices to detect data leakage in real time:
• Monitor data flows at the network level.
• Monitor endpoint devices and servers for the presence of sensitive data exported from all systems via document transfer, cloud sync, e-mail, FTP, etc.
• Automate detection and notification of possible data leakage event combinations.
RESPOND: To investigate issues, design and implement changes to security controls, and learn from the external environment.
Processes: Mitigation, Incident Response, Clear Communications, Continuous Analysis, Improvements.
RESPOND INCIDENT RESPONSE
Purpose: To systematically respond to violations, or threatened violations, of IT security policies and practices.
Outcomes:
• Incident Definitions. Possible IT security incidents are identified and categorized, with assigned data sources and correlation rules.
• Incident Cases. Information on detection of and response to security incidents is stored and tracked.
• Incident Response Plans. Action plans for responding to the most significant and most common incidents are prepared.
Steps:
1. Develop IT security event correlation rules and incident alert thresholds:
• Define possible attack vectors, and select the related signs of an incident and their sources: alerts, logs, publicly available information and people.
• Establish an incident response team and staff it with people with the appropriate skills. Provide them with means of communication and proper hardware and software.
• Profile networks and IT systems, understand normal behavior and perform event correlation.
2. Develop cybersecurity incident response and recovery plans:
• Define factors for prioritizing incidents: functional impact, information security impact and recoverability.
• Develop incident response procedures for the various kinds of cybersecurity incidents: containment, eradication, recovery and investigation.
• Establish rules for notification of different parties: C-level executives, system owners, system and network administrators, other incident response teams and the legal department (if appropriate).
3. Automate incident response procedures:
• Implement an automated incident response process: security event analysis, incident identification, response and investigation.
• Regularly review effectiveness, and analyze and improve incident response procedures and correlation rules.
• Prepare to consult external resources: CERTs, peer organizations, and contractors with incident response and forensic expertise.
RESPOND CONTINUOUS ANALYSIS
Purpose: To provide insights into the state of IT security.
Outcomes:
• IT Security Metrics. Metrics for security controls and processes are identified.
• IT Security Dashboards. Security data is analyzed and presented in dashboards.
• Forensic Procedures. Guidelines on gathering evidence from systems are prepared.
Steps:
1. Develop IT security metrics:
• Identify the stakeholders of security measures and the goals of measurement.
• Document security metrics: goals, formulas, targets, implementation evidence, frequencies, responsible parties, data sources, etc.
• Report regularly on the state of IT security to stakeholders using the security metrics.
2. Automate tracking of IT security metrics and analyze trends:
• Implement an automated process for collecting, calculating and tracking IT security trends.
• Create IT security dashboards and notifications for the various parties.
• Use security metrics to manage IT security processes: connect metrics to process goals, collect data and analyze results, identify and apply corrective actions, set new target levels for metrics.
3. Develop IT forensic investigation procedures:
• Prepare IT systems for data collection: perform regular backups, enable auditing, forward critical event records to centralized log servers, maintain baseline system configurations.
• Identify forensic goals and create guidelines for common forensic procedures: acquiring data from SAP or other critical application systems, preserving the integrity of evidence, examining and analyzing data, case reporting.
• Build and maintain the skills of the forensic team through ongoing training, education and hands-on exercises.
RESPOND CLEAR COMMUNICATIONS
Purpose: To establish the structure of IT/PCN security responsibility in the business and provide means for clear communication between its members.
Outcomes:
• Security Responsibilities. Responsibilities for secure operation of IT systems are identified and assigned.
• Security Roles Delineation. Security roles and responsibilities of BASIS, the IT security team and other parties are delineated.
• Cyber Threat Information. Information about cybersecurity threats is shared with external parties.
RESPOND MITIGATION
• Knowledge Base. Information on IT security controls and best practices is collected, stored and provided to all stakeholders.
• Security CMDB. Changes to the IT security configuration are managed consistently.
• Security Workarounds. Security workarounds and their implications are identified.
To design, model and make changes to the security of IT systems.
1. Develop an IT security controls knowledge base:
• Compile IT security guidelines, recommendations and standards for application developers, administrators and users.
• Create a collaborative environment for sharing experience and managing knowledge on IT security and administrative topics (company portal, forum, wiki, etc.).
• Encourage personnel to share knowledge and learn about security topics.
2. Implement task and change management practices for all IT systems:
• Baseline system configurations and maintain versions of the configuration.
• Implement formal change management for configuration and track change requests and approvals.
• Detect unapproved changes to configuration and investigate the reasons for them.
3. Deploy virtual patching and automatic correction tools for IT security issues:
• Document security issues that cannot be resolved at the time.
• Develop workarounds: virtual patching, network filtering, event detection controls, etc.
• Automate mitigation of detected issues with corrective controls.
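As an added example (not code from the slide deck), the following Python models step 2 above: a versioned configuration baseline, formal change requests with approval status, and a check that flags every configuration change not covered by an approved request, while distinguishing approved changes that are simply not rolled out yet. The SAP profile parameter names serve only as illustrative keys; all values, change request ids and the "current" snapshot are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample data (not from any real system): a versioned baseline of
# security-relevant SAP profile parameters, the change requests raised against
# it, and a snapshot of the configuration currently found on the system.
BASELINE_V1 = {
    "version": 1,
    "params": {
        "login/min_password_lng": "8",
        "login/fails_to_user_lock": "5",
        "rdisp/gui_auto_logout": "1800",
        "login/no_automatic_user_sapstar": "1",
    },
}


@dataclass
class ChangeRequest:
    cr_id: str
    status: str              # "approved", "pending" or "rejected"
    changes: Dict[str, str]  # parameter -> requested new value


CHANGE_REQUESTS: List[ChangeRequest] = [
    ChangeRequest("CR-101", "approved", {"login/min_password_lng": "12"}),
    ChangeRequest("CR-102", "rejected", {"login/no_automatic_user_sapstar": "0"}),
    ChangeRequest("CR-103", "approved", {"rdisp/gui_auto_logout": "900"}),
]

CURRENT = {
    "login/min_password_lng": "12",          # CR-101 applied as approved
    "login/fails_to_user_lock": "3",         # changed with no change request
    "rdisp/gui_auto_logout": "1800",         # CR-103 approved but not yet applied
    "login/no_automatic_user_sapstar": "0",  # rejected CR-102 applied anyway
    "snc/enable": "0",                       # parameter added without a request
}

ABSENT = "<absent>"


@dataclass
class DriftReport:
    # parameter -> (expected value, actual value, id of a non-approved CR that
    # requested exactly this value, or "" if none did)
    unapproved: Dict[str, Tuple[str, str, str]] = field(default_factory=dict)
    pending: Dict[str, str] = field(default_factory=dict)  # parameter -> approved CR not yet applied
    applied: Dict[str, str] = field(default_factory=dict)  # parameter -> approved CR now in effect


def expected_config(baseline, change_requests):
    """Baseline with every approved change request applied on top, plus a map
    from each parameter touched by an approved request to that request's id."""
    expected = dict(baseline["params"])
    origin: Dict[str, str] = {}
    for cr in change_requests:
        if cr.status != "approved":
            continue
        for param, value in cr.changes.items():
            expected[param] = value
            origin[param] = cr.cr_id
    return expected, origin


def detect_drift(baseline, current, change_requests) -> DriftReport:
    """Compare the live configuration with the approved state and classify
    every difference as applied, pending or unapproved."""
    expected, origin = expected_config(baseline, change_requests)
    report = DriftReport()
    for param in sorted(set(expected) | set(current)):
        exp = expected.get(param, ABSENT)
        act = current.get(param, ABSENT)
        if act == exp:
            if param in origin:
                report.applied[param] = origin[param]
            continue
        if param in origin and act == baseline["params"].get(param, ABSENT):
            # Still at the baseline value: the approved change is not rolled out yet.
            report.pending[param] = origin[param]
            continue
        # Drift no approved request accounts for; note whether a rejected or
        # still-pending request asked for this exact value.
        source = next((cr.cr_id for cr in change_requests
                       if cr.status != "approved" and cr.changes.get(param) == act), "")
        report.unapproved[param] = (exp, act, source)
    return report


def next_baseline(baseline, report, change_requests):
    """Promote a new baseline version only when the system matches the approved
    state: no unapproved drift and no approved change still pending."""
    if report.unapproved or report.pending:
        return None
    expected, _ = expected_config(baseline, change_requests)
    return {"version": baseline["version"] + 1, "params": expected}


if __name__ == "__main__":
    rep = detect_drift(BASELINE_V1, CURRENT, CHANGE_REQUESTS)
    for param, (exp, act, src) in rep.unapproved.items():
        note = f" (requested by {src}, which was not approved)" if src else ""
        print(f"UNAPPROVED {param}: expected {exp!r}, found {act!r}{note}")
    for param, cr in rep.pending.items():
        print(f"PENDING    {param}: {cr} approved but not yet applied")
    print("new baseline:", next_baseline(BASELINE_V1, rep, CHANGE_REQUESTS))
```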
RESPOND IMPROVEMENTS
To learn from external events and improve IT security processes.
1. Continuously analyze security updates and threats:
• Analyze relevant security updates and disseminate security notifications and alerts to members of the Security and SAP BASIS teams.
• Study announcements about successful attacks and threats to critical systems and distribute them across the organization.
• Monitor security bulletin boards, hacker forums and the hacker underground (P2P networks, community forums and social networks).
2. Attend IT security events and trainings:
• Join SAP or IT security communities and follow security vendors, research centers and the most recognized security professionals.
• Participate in security conferences, online events and meetups.
• Attend trainings and courses, and choose certification tracks for key security staff.
3. Assess the effectiveness of all IT systems security controls:
• Prepare questionnaires, tools and guidelines to assess IT systems security controls and the effectiveness and efficiency of security processes.
• Map automatic technical checks to IT security controls and use automated tools to obtain assessment results.
• Use security controls assessment results to improve IT systems security plans and carry out corrective actions.
• Improvements Suggestions. Suggestions for improving IT security controls based on security events and news.
• Controls Assessments. Results of assessing the efficiency of IT security controls.

Cybersecurity Assessment Framework - Slideshare.pptx

  • 6. TO UNDERSTAND IT SYSTEM'S ENVIRONMENT, PROACTIVELY PRIORITIZE AND ADDRESS SYSTEM EXPOSURES PROCESS RISKMANAGEMENT ASSETMANAGEMENT BUSINESSENVIRONMENT VULNERABILITYMGT SECUREDEVELOPMENT PREDICT
  • 7. STEPS OUTCOMES PURPOSE BASELINE FUTURE STATE PREDICT PREVENT DETECT RESPOND Navigation PREDICT ASSET MANAGEMENT  Inventory of Assets. All systems, servers, applications, information assets, personnel and devices, related information systems and information flows are identified and updated on a regular manner.  Criticality Assessments. Assets are prioritized according to their importance to business.  Acceptable Use Requirements. Rules, responsibilities of and requirements to the acceptable use are developed. 1. Create an Inventory of Assets:  Develop a classification schema and templates to describe different types of assets: systems, servers, applications, services, information assets and devices.  Establish procedures for creating and updating Inventory of Assets during procurement, using and retention of the assets.  Inventory assets and identify stakeholders of the assets: administrators, owners, users and third-parties. 2. Assess criticality of the assets:  Elicit and document contractual, regulatory and internal requirements to information assets.  Develop an approach and procedure to assign and review criticality level of assets.  Mark assets according to their criticality level.  Document requirements to acceptable use of assets of different types and criticalities during the lifecycle of assets.  Develop guidelines and controls for protecting assets according to their criticality level. 3. Develop complete specification of all systems:  Inventory all modules, services and software on assets.  Determine connections and information flows between assets, internal and external information systems and data providers for each of the system.  Establish requirements to third parties, vendors, contracts and contractors regarding security of all systems. To communicate information about assets in IT systems, security category of the assets, rules of acceptable use and protection requirements.
  • 8. STEPS OUTCOMES PURPOSE BASELINE FUTURE STATE PREDICT PREVENT DETECT RESPOND Navigation  Business Context: organization’s business processes, activities, stakeholders and resilience requirements to all systems are identified and prioritized.  Continuity Plans: All cybersecurity requirements are identified and addressed by continuity controls.  Supplier Catalogue: suppliers and associated contracts are identified, cybersecurity requirements to suppliers are established and monitored in contracts and service deliveries. To provide business context, ensure cybersecurity continuity of all systems and address cybersecurity in supplier relationships. 1. Identify Business Context:  Identify organization’s activities and business processes (procurement to pay, order to cash and so on), corresponding internal systems, external information systems and services required to achieve organization’s purposes.  Identify stakeholders of business processes.  Gather resilience requirements to all systems that support organization’s activities.  Inform assessment of asset criticality by performing criticality analysis of corresponded business functions. 2. Prepare Continuity Plans:  Develop requirements for cybersecurity of all system in adverse situations: e.g. under attack or during recovery.  Document plans, response and recovery procedures for maintaining cybersecurity of all systems in case of disruptive event.  Integrate cybersecurity continuity controls with organization’s business continuity or disaster recovery activities. 3. Maintain Supplier Catalogue:  Identify and mandate cybersecurity controls and requirements (notification, incident management, screening, audit, compliance and so on) to contracts to specifically address supplier access to the organization's IT systems.  Establish and agree cybersecurity requirements with each supplier that may access SAP or any critical systems. 
Review requirements during changes to supplier agreements, development of any new application and systems.  Establish, Monitor, review and audit supplier adherence to agreements regarding cybersecurity. Implement monitoring process for managing supplier audit trails, records of security events, operational problems and failures disruptions related to the service delivered. PREDICT BUSINESS ENVIRONMENT
  • 9. STEPS OUTCOMES PURPOSE BASELINE FUTURE STATE PREDICT PREVENT DETECT RESPOND Navigation  Cybersecurity Policy. Organizational information security policy addresses IT cybersecurity objectives, threat environment and controls.  Security Processes. Cybersecurity processes and procedures, roles and responsibilities are established and aligned with internal roles and external partners.  Control Procedures. Legal, regulatory and operational requirements regarding cybersecurity of all systems are identified, enforced and controlled. To develop cybersecurity policies, roles, responsibilities and procedures to ensure IT cybersecurity is understood and integrated to organization operational and management processes PREDICT GOVERNANCE 1. Establish IT Cybersecurity Policy:  Define cybersecurity objectives and guiding principles, assign general responsibilities for cybersecurity and communicate them to employees and relevant external parties.  Establish an approach to communicate and address risks associated with the operation and use of all applications in context of organizational operations risk management.  Demonstrate top management leadership and commitment with respect to cybersecurity. 2. Develop security processes:  Develop descriptions for all relevant to organization Security Processes.  Define systems cybersecurity roles and responsibilities. Assign them to internal roles, organizational positions and external parties.  Implement cybersecurity review in all management phases of IT projects: project objectives should include cybersecurity goals; necessary security controls are identified and security assessment is a part of acceptance and testing of all systems. 3. Implement control procedures:  Document and keep up to date all relevant to IT systems legislative statutory, regulatory and contractual requirements.  Develop specific controls and individual responsibilities to meet relevant compliance requirements. 
 Prepare questionnaires and technical procedures to evaluate compliance of IT security controls and processes.
  • 10. STEPS OUTCOMES PURPOSE BASELINE FUTURE STATE PREDICT PREVENT DETECT RESPOND Navigation To provide cybersecurity assurance in IT systems by assessing vulnerabilities and reducing attack vectors 1. Regularly perform IT security audits and penetration tests:  Develop an annual scan plan to ensure gradual coverage of all IT systems.  Conduct vulnerability assessments and security audits for IT systems in use, before acceptance and in development.  Systematically assess IT security controls through internal and external penetration tests.  Communicate security assessments results in terms of security breach, fraud and compliance risks. 2. Repeatedly scan all systems for vulnerabilities, recommend and track remediations:  Prepare and maintain scan profiles for assets according to applicable compliance requirements, security policies and protection guidelines.  Prioritize remediation activities according to asset criticality, vulnerability risk and estimated effort.  Develop remediation plans to address security issues in applications, security controls and infrastructure.  Maintain remediation knowledge database with description of executed corrections, applied patches, secure configurations and context considerations. 3. Monitor vulnerabilities, remediations and threats online from public and private sources and threat intelligence feeds  Monitor information about security vulnerabilities, new remediations and threats on vendor and third-parties web-sites, mailing lists, newsgroups and other notification services  Collect Threat Intelligence feeds and review them in regards to IT Security threats.  Stay up to date with latest research publications and security events.  Scan Plans. Security testing covers all systems.  Scan Profiles. Relevant IT risks, compliance and technical policies are translated into scan profiles and technical checks.  Remediation Plans. 
Organization develops and implements remediation plans to address vulnerabilities in IT systems. PREDICT VULNERABILITIES MANAGEMENT
  • 11. STEPS OUTCOMES PURPOSE BASELINE FUTURE STATE PREDICT PREVENT DETECT RESPOND Navigation  Threat Model. The organizational approach to IT cybersecurity risks is established.  Risk Register. Risks from operation and use of IT systems are identified, prioritized and estimated.  Risk Responds. Appropriate courses of actions to accept, avoid, mitigate or transfer IT cybersecurity risk are identified, evaluated and implemented. To make decisions on addressing possible adverse impacts from the operation and use of IT systems 1. Create threat model for IT systems:  Identify scope (organizational entities, IT systems, etc.) for cybersecurity risk management activities and align them with enterprise risk management.  Create threat model for all systems: document and approve risks assessment methodology: threat sources, vulnerabilities, attack scenarios and impacts.  Develop risk assessment and response guidance. 2. Assess likelihoods and estimate business impacts of cybersecurity risks: • Identify threats to and vulnerabilities in IT systems and infrastructure. • Analyze likelihood of cybersecurity risks using vulnerability assessment results, surveying subject matter experts and business impact analysis. • Determine the risk to organizational operations if identified threats exploit identified vulnerabilities. 3. Automate risk management and develop risk response plans:  Automate risk management by integrating Vulnerability Management, GRC platforms and Incident Response solutions.  Identify and implement alternative courses of actions to respond to IT cybersecurity risks determined during the risk assessment.  Create plans for monitoring the effectiveness of risk response measures and risk monitoring triggers. PREDICT RISK MANAGEMENT
  • 12. STEPS OUTCOMES PURPOSE BASELINE FUTURE STATE PREDICT PREVENT DETECT RESPOND Navigation To ensure security during IT systems development and acquisition. PREDICT SECURE DEVELOPMENT  IT Security Requirements. Cybersecurity requirements to all IT systems in development are identified and addressed by security controls.  Development Standards and Processes: IT system development occur with standard processes that consider secure practices and are documented and repeatable.  Security Plans. All IT systems have security plans in place describing implemented security controls and solutions. 1. Develop basic security requirements to configuration of servers, networks, IT applications and endpoints:  Separate development, testing and production environments.  Develop secure transport procedures.  Assign and control access rights of developers (developer access keys and developer authorizations). 2. Create secure development standards and processes:  Prepare development and coding standards, which includes checking of developed systems for vulnerabilities (code issues, obsolete statements, missing authorization checks, etc.)  Provide security trainings for development team.  Ensure quality assurance plans address IT security requirements: adherence to standards, passing of security assessments, proper documentation. 3. Automate secure development processes:  Automate secure development process in ITSM. Integrate code scanning tools into automated development workflow.  Use virtual patching for code issues which can’t be quickly patched due to resource constrains. Document these issues, applied remediations and future considerations.  Require developers and contractors to prepare security plans for each app systems and authorize using of these systems on the basis of risk management and security control assessment results.
  • 13. TO REDUCE ATTACK SURFACE AREA AND BLOCK ATTACKERS BEFORE THEY IMPACT THE COMPANY PROCESS SECUREARCHITECTURE ACCESSCONTROL AWARENESS&TRAINING DATASECURITY PREVENT
  • 14. STEPS OUTCOMES PURPOSE BASELINE FUTURE STATE PREDICT PREVENT DETECT RESPOND Navigation To limit rights of authorized users and prevent unauthorized use of an IT system. 1. Secure the network, servers and endpoint devices:  Establish procedures and baseline security requirements to users and applications for granting access to IT systems services and endpoint devices.  Implement two-factor authentication.  Restrict access to administrative IT services and anonymous access to critical web- services. 2. Implement role-based access control to all systems functionality:  Define user and administrative roles to communicate with IT systems. Establish organization subjects that may occupy the role, objects and actions that will available for the role. Document privileges that may be granted to defined roles.  Restrict access to admin or superuser profiles to administrators.  Restrict unauthorized access to critical transactions, programs, remote function calls, database tables, web-services and other entities. 3. Enforce Segregation of Duties controls according to business process rules:  Create SOD matrix according to business process rules and best practices  Enforce SOD controls in all systems  Audit override of access control mechanisms: SOD conflicts, role based access conflicts.  Access Rules. Users and application access to IT systems is based on need, documented and implements principles of least privileges and segregation of duties.  Access Mechanisms. Procedures for granting, changing and revoking access to IT systems are established throw-out the network, OS, DBMS and application layers.  Access Control Reports. Access control mechanisms are continuously tested and comply to access rules. PREVENT ACCESS CONTROL
  • 15. STEPS OUTCOMES PURPOSE BASELINE FUTURE STATE PREDICT PREVENT DETECT RESPOND Navigation To provide personnel and contractors cybersecurity awareness education and trainings to perform their duties and responsibilities. 1. Enlist commitment of Board and C-level executives:  Choose an IT security education provider and organize security awareness workshops.  Maintain cybersecurity awareness of managers and senior executives by regular digest of recent news.  Demonstrate commitment of senior executives to secure operation of all systems by personal example and budget allocation. 2. Provide IT security trainings for SAP BASIS and security teams:  Identify education goals and provide role-based security trainings and practical exercises to SAP BASIS team.  Identify education goals and provide role-based security trainings and practical exercises to security teams.  Test security awareness of SAP BASIS and security teams by periodic assessments and simulation system anomalous behavior. 3. Provide awareness training to SAP and IT users:  Prepare trainings materials, choose courses and third-party education providers.  Provide basic and refresher security awareness training to SAP and IT users and contractors.  Monitor awareness by regular tests, simulating insider threats and anomalous system behavior.  Training Materials. Training goals are identified for each category of IT systems stakeholders and adequately addressed by awareness training and education materials.  Training Records. Education and trainings are tracked and provided on regular bases and in case of system changes.  Knowledge Assessment Reports. Level of cybersecurity awareness is identified and managed for all stakeholders. PREVENT AWARENESS AND TRAINING
  • 16. STEPS OUTCOMES PURPOSE BASELINE FUTURE STATE PREDICT PREVENT DETECT RESPOND Navigation To enforce requirements to confidentiality, integrity and availability of information in IT systems on the data layer.  Data Inventory. Data assets are identified and linked to relevant organization’s information assets.  Data Flows. Data flows between SAP and critical systems and external systems are identified along with requirements to protection of the represented information.  Data Security Reports. Organization receives assurance the data in SAP or critical systems at rest and in transit is protected in accordance with the value of represented information. PREVENT DATA SECURITY 1. Classify data assets according to its value to organization  Identify data representing information assets in IT systems, their location and related contractual, regulatory and legal requirements influencing security of the data.  Establish an approach to label security attributes of data in IT systems: metadata, visual marking, handling rules, etc.  Develop data handling rules and procedures for enforcing data security during acquiring, modification, removal, transfers, and disposition of IT system assets. 2. Protect data-in-transit using SSL/TLS or MFA  Document data flows between critical application systems and external systems along with requirements security requirements to the connections.  Implement cryptographic mechanisms to prevent unauthorized disclosure and detect changes to data.  Authenticate connected parties using certificates and PKI services, network controls and additional safeguards. 3. Protect data-at-rest by encryption, secure storage location and tokenization  Employ cryptographic mechanisms to prevent unauthorized disclosure and detect changes in stored data and system configuration.  Remove from online storage and store off-line in a secure location defined data assets. 
 Conduct regular audits of systems configuration, data security controls and handling procedures.
  • 17. STEPS OUTCOMES PURPOSE BASELINE FUTURE STATE PREDICT PREVENT DETECT RESPOND Navigation To ensure security of all IT solutions through-out all components, connections, infrastructure and security controls. 1. Protect IT perimeter:  Protect and securely configure routers, firewalls and use proxy for external connections.  Secure connections between critical internal systems and external systems (OT/ICS): proxy, SSO, etc.  Choose an approach to document architecture of all IT systems systems: users, data, connections, security domains, security controls and services, technical solutions. 2. Secure communications:  Create application communication schema if relevant.  Ensure that all connections are documented and secured (access is limited and connection credentials are stored securely).  Review that other connections to SAP and critical systems (database, XI, SOAP, J2EE, HANA, etc.) are justified by need and securely configured. 3. Integrate infra or application security and enterprise security:  Categorize application systems and identify boundaries between these systems and other enterprise subsystems.  Allocate and implement in all infra or application systems common security controls according to enterprise security policy.  Examine all critical systems connections, interfaces, security-relevant dependencies among subsystems and select security controls for interconnections.  Infra and Application Security Architecture. All IT systems components and interdependencies are identified and documented.  Security Controls. Common security services and specific application security controls are documented.  IT Technical Solutions. Technical solutions for security controls are selected. PREVENT SECURE ARCHITECTURE
  • 18. TO RECOGNIZE THREATS, CONDITIONS AND POSSIBLE SIGNS OF COMPROMISE PROCESS DATA LEAKAGE EVENTMANAGEMENT THREATDETECTION USERBEHAVIOR DETECT
  • 19. STEPS OUTCOMES PURPOSE BASELINE FUTURE STATE PREDICT PREVENT DETECT RESPOND Navigation DETECT EVENT MANAGEMENT  Audit Events. The list of events to monitor is identified.  Event Databases. Event data is collected inside data stores.  Event Collecting Procedures. Procedures for collecting required set of events are established for all source systems. To collect information on IT security related events. 1. Configure security audit log: • Identify set of events to monitor inside all IT systems. • Configure IT systems to store data related to identified set of security events. • Regularly review security events and disseminate findings among interested parties. 2. Collect security-related events: • Aggregate data related to specific event from different sources (Windows AD, SAP logs, HTTP, Gateways logs and connected systems). • Convert event records to standardized format. • Establish thresholds and alert rules for specific combination of events. 3. Monitor all IT network, systems, personnel and external service provider activities:  Document auditable events, processing rules and event sources.  Create event database, store data from diverse event sources and enrich it by context information.  Protect security-related data: encrypt event records, move data to separate location or third party storage provider, ensure non-repudiation and long-time preservation of event records.
  • 20. STEPS OUTCOMES PURPOSE BASELINE FUTURE STATE PREDICT PREVENT DETECT RESPOND Navigation To detect attacks and possible threats to IT systems. 1. Configure IDS/IPS systems to detect attack signatures:  Acquire and maintain updated attack signatures database for IDS/IPS system.  Subscribe to threat feeds from vendors and research teams for 0-day attack signatures.  Ensure traffic of all critical systems is monitored by IDS/IPS solutions. 2. Manually review all security events:  Select threats to monitor inside critical IT applications and identify data sources for them.  Review system logs, traces and special reports to detect attacks.  Use information about security attacks to assess cybersecurity risks. 3. Monitor potential attacks, security event combinations and anomalies:  Documentdetectionrulesfordiscoveringattacksandpotentialthreatstoinformationassets insideIT systems andinfrastructurecomponents.  Automate continuous gathering threat data, applying detection rules and generating threat notification.  Integrate threat detection capabilities with incident respond process and automate creation of incidents.  Threat Catalogue. List of possible threats and attacks is identified.  Threat Data Sources. For each threat data collection rules are documented and implemented.  Threat Detection Rules. For each threat detection rules are created. DETECT THREAT
  • 21. DETECT USER BEHAVIOR
  Purpose: To detect deviations of user behavior from what is typical in IT systems.
  Outcomes:
   Critical Actions Reports. Information on actions with critical system objects is collected.
   Baseline Behavior Profiles. Normal behavior profiles of infrastructure and application users are determined.
   Anomaly Detection Rules. Signs of suspicious behavior are identified.
  Steps:
  1. Review privileged account activities:
   Identify privileged accounts and critical actions to monitor in IT systems: account and role operations, creation of data connections, modification of transactions, etc.
   Create a list of reports and logs to monitor privileged account actions.
   Configure automated notification of critical events.
  2. Establish profiles for user behavior and detect anomalies:
   Baseline behavior profiles for infrastructure and application users and roles.
   Establish anomalous behavior thresholds and notification rules.
   Report anomalous user behavior to responsible personnel or roles.
  3. Monitor business activities and SOD conflicts in real time:
   Implement an automated process of anomalous behavior detection and notification.
   Audit overrides of access control mechanisms: SOD conflicts and role-based access conflicts, in real time.
   Augment anomaly detection rules with business context from external sources: HR data, DLP, IAM, endpoint solutions and physical access control systems.
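As an added example that is not from the deck, the Python below sketches steps 2 and 3 on constructed data: a baseline profile per user (usual hours, mean and spread of daily critical actions), anomaly checks against that baseline, and a same-day SOD conflict check. The user names, action names, the conflicting pair and the thresholds are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass
class Profile:
    usual_hours: set        # hours of day in which the user normally performs critical actions
    mean_daily: float       # baseline number of critical actions per day
    stdev_daily: float

# Pairs of actions one person must not perform together (constructed SOD rule, not a standard list)
SOD_CONFLICTS = [("create_vendor", "approve_payment")]
# Constructed history of critical actions as (user, day, hour, action); not real audit data
HISTORY = [("ops1", d, h, "change_role") for d, n in ((1, 3), (2, 4), (3, 3), (4, 4)) for h in range(9, 9 + n)]
HISTORY += [("fin1", d, 10 + i, "approve_payment") for d in range(1, 5) for i in range(2)]
TODAY = [("ops1", 5, h, "change_role") for h in (9, 9, 10, 10, 11, 2)]
TODAY += [("fin1", 5, 10, "create_vendor"), ("fin1", 5, 11, "approve_payment"), ("tmp9", 5, 23, "create_rfc_destination")]

def build_profiles(history):
    """Baseline per user: usual hours plus mean and spread of daily critical-action counts."""
    per_day, hours = defaultdict(lambda: defaultdict(int)), defaultdict(set)
    for user, day, hour, _ in history:
        per_day[user][day] += 1
        hours[user].add(hour)
    return {u: Profile(hours[u], mean(d.values()), pstdev(d.values())) for u, d in per_day.items()}

def detect_anomalies(profiles, today, z_threshold=2.0):
    """Flag actions outside usual hours, daily volume far above baseline, and users with no baseline."""
    findings, counts, unknown = [], defaultdict(int), set()
    for user, _, hour, action in today:
        counts[user] += 1
        if user not in profiles:
            unknown.add(user)
        elif hour not in profiles[user].usual_hours:
            findings.append((user, f"'{action}' at unusual hour {hour:02d}"))
    for user, n in counts.items():
        if user in profiles:
            p = profiles[user]
            z = (n - p.mean_daily) / max(p.stdev_daily, 1.0)   # floor the spread so a flat history is not hypersensitive
            if z > z_threshold:
                findings.append((user, f"{n} critical actions today vs baseline {p.mean_daily:.1f}"))
    findings += [(u, "no baseline profile") for u in sorted(unknown)]
    return findings

def sod_conflicts(today):
    """Real-time SOD check: a user who performed both halves of a conflicting pair today."""
    acts = defaultdict(set)
    for user, _, _, action in today:
        acts[user].add(action)
    return [(u, a, b) for u, s in acts.items() for a, b in SOD_CONFLICTS if a in s and b in s]
```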
  • 22. DETECT DATA LEAKAGE
  Purpose: To detect data leakages in IT systems.
  Outcomes:
   Data Marking Practice. The procedure for marking exported data reports and data flows is defined.
   Leakage Conditions. The configuration settings that create conditions for data leakage are defined.
   Leakage Detection Rules. Signs of possible data leakage are identified and configured.
  Steps:
  1. Identify data leakage conditions in custom code and configuration:
   Identify configuration settings of an application system or service that predispose it to data leakage.
   Review custom-developed code for possible data leakage conditions.
   Implement visual marking of reports exported from IT systems.
  2. Analyze security events to detect possible data leakage:
   Develop an approach to trace security attributes of data records in logs.
   Define leakage detection rules on the basis of collected security events.
   Regularly review reports and event records to discover data leakage.
  3. Monitor data flows and devices to detect data leakage in real time:
   Monitor data flows at the network level.
   Monitor endpoint devices and servers for the presence of sensitive data exported from any system, such as document transfers, cloud sync, e-mail, FTP, etc.
   Automate detection and notification of possible data leakage event combinations.
  • 23. RESPOND
  TO INVESTIGATE ISSUES, DESIGN AND IMPLEMENT CHANGES TO SECURITY CONTROLS, AND LEARN FROM THE EXTERNAL ENVIRONMENT
  PROCESS: MITIGATION, INCIDENT RESPONSE, CLEAR COMMUNICATIONS, CONTINUOUS ANALYSIS, IMPROVEMENTS
  • 24. RESPOND INCIDENT RESPONSE
  Purpose: To systematically respond to violations, or threats of violation, of IT security policies and practices.
  Outcomes:
   Incident Definitions. Possible IT security incidents are identified and categorized, and have assigned data sources and correlation rules.
   Incident Cases. Information on detection of and response to security incidents is stored and tracked.
   Incident Response Plans. Plans of action for responding to the most significant and common incidents are prepared.
  Steps:
  1. Develop IT security event correlation rules and incident alert thresholds:
   Define possible attack vectors, select related signs of an incident and their sources: alerts, logs, publicly available information and people.
   Establish an incident response team and staff it with people with appropriate skills. Provide them with ways and means of communication and proper hardware and software.
   Profile networks and IT systems, understand normal behavior and perform event correlation.
  2. Develop cybersecurity incident response and recovery plans:
   Define factors for prioritizing incidents: functional impact, security impact and recoverability.
   Develop incident response procedures for various kinds of cybersecurity incidents: containment, eradication, recovery and investigation.
   Establish rules for notification of different parties: C-level executives, system owners, system and network administrators, other incident response teams, and the legal department (if appropriate).
  3. Automate incident response procedures:
   Implement an automated incident response process: security event analysis, incident identification, response and investigation.
   Regularly review effectiveness, and analyze and improve incident response procedures and correlation rules.
   Prepare to consult external resources: CERTs, peer organizations, and contractors with incident response and forensic expertise.
  • 25. RESPOND CONTINUOUS ANALYSIS
  Purpose: To provide insights into the state of IT security.
  Outcomes:
   IT Security Metrics. Metrics for security controls and processes are identified.
   IT Security Dashboards. Security data is analyzed and presented in dashboards.
   Forensic Procedures. Guidelines on gathering evidence from systems are prepared.
  Steps:
  1. Develop IT security metrics:
   Identify stakeholders of security measures and goals of measurement.
   Document security metrics: goals, formulas, targets, implementation evidence, frequencies, responsible parties, data sources, etc.
   Report on a regular basis on the state of IT security to stakeholders using security metrics.
  2. Automate tracking of IT security metrics and analyze trends:
   Implement an automated process of collecting, calculating and tracking IT security trends.
   Create IT security dashboards and notifications for various parties.
   Use security metrics to manage IT security processes: connect metrics to process goals, collect data and analyze results, identify and apply corrective actions, set new target levels for metrics.
  3. Develop IT forensic investigation procedures:
   Prepare IT systems for data collection: perform regular backups, enable auditing, forward critical event records to centralized log servers, maintain baseline system configurations.
   Identify forensic goals and create guidelines for carrying out common forensic procedures: acquiring data from SAP or other critical application systems, preserving the integrity of evidence, examining and analyzing data, case reporting.
   Build and maintain the skills of the forensic team through ongoing training, education and hands-on exercises.
  • 26. RESPOND CLEAR COMMUNICATIONS
  Purpose: To establish a structure for IT/PCN security responsibility in the business and provide means for clear communication between its members.
  Outcomes:
   Security Responsibilities. Responsibilities for secure operation of IT systems are identified and assigned.
   Security Roles Delineation. Security roles and responsibilities of BASIS, the IT security team and other parties are delineated.
   Cyber Threat Information. Information about cybersecurity threats is shared with external parties.
  Steps:
  1. Develop IT security metrics:
   Identify stakeholders of security measures and goals of measurement.
   Document security metrics: goals, formulas, targets, implementation evidence, frequencies, responsible parties, data sources, etc.
   Report on a regular basis on the state of IT security to stakeholders using security metrics.
  2. Automate tracking of IT security metrics and analyze trends:
   Implement an automated process of collecting, calculating and tracking IT security trends.
   Create IT security dashboards and notifications for various parties.
   Use security metrics to manage IT security processes: connect metrics to process goals, collect data and analyze results, identify and apply corrective actions, set new target levels for metrics.
  3. Develop IT forensic investigation procedures:
   Prepare IT systems for data collection: perform regular backups, enable auditing, forward critical event records to centralized log servers, maintain baseline system configurations.
   Identify forensic goals and create guidelines for carrying out common forensic procedures: acquiring data from SAP or other critical application systems, preserving the integrity of evidence, examining and analyzing data, case reporting.
   Build and maintain the skills of the forensic team through ongoing training, education and hands-on exercises.
  • 27. RESPOND MITIGATION
  Purpose: To design, model and make changes to the security of IT systems.
  Outcomes:
   Knowledge Base. Information on IT security controls and best practices is collected, stored and provided to all stakeholders.
   Security CMDB. Changes to IT security configuration are managed consistently.
   Security Workarounds. Security workarounds and their implications are identified.
  Steps:
  1. Develop an IT security controls knowledge base:
   Compile IT security guidelines, recommendations and standards for application developers, administrators and users.
   Create a collaborative environment for sharing experience and for knowledge management on IT security and administrative topics (company portal, forum, wiki, etc.).
   Encourage personnel to share knowledge and learn security topics.
  2. Implement task and change management practices for all IT systems:
   Baseline system configurations and maintain versions of the configuration.
   Implement formal change management for configuration and track change requests and approvals.
   Detect unapproved changes in configuration and investigate the reasons for them.
  3. Deploy virtual patching and automatic correction tools for IT security issues:
   Document security issues that cannot be resolved at the time.
   Develop workarounds: virtual patching, network filtering, event detection controls, etc.
   Automate mitigation of detected issues with corrective controls.
  • 28. RESPOND IMPROVEMENTS
  Purpose: To learn from external events and improve IT security processes.
  Outcomes:
   Improvement Suggestions. Suggestions for improvement of IT security controls based on security events and news.
   Controls Assessments. Results of assessing the efficiency of IT security controls.
  Steps:
  1. Continuously analyze security updates and threats:
   Analyze relevant security updates and disseminate security notifications and security alerts to members of the Security and SAP BASIS teams.
   Study announcements about successful attacks and threats to critical systems and distribute them across the organization.
   Monitor security bulletin boards, hacker forums and the hacker underground (P2P networks, community forums and social networks).
  2. Attend IT security events and trainings:
   Join SAP or IT security communities and follow security vendors, research centers and the most recognized security professionals.
   Participate in security conferences, online events and meetups.
   Attend trainings and courses, and choose certification tracks for key security staff.
  3. Assess effectiveness of all IT systems security controls:
   Prepare questionnaires, tools and guidelines to assess IT systems security controls and the effectiveness and efficiency of security processes.
   Map automated technical checks to IT security controls and use automated tools to obtain assessment results.
   Use security controls assessment results to improve IT systems security plans and carry out corrective actions.