Reading Sample
3.1 What is a framework?
A framework is a set of guidelines laid out to create standardization across processes. Frameworks are the tools used to implement standards. The terms frameworks and standards are often used interchangeably. For the purposes of this chapter, we will use them separately with their common definitions:
- Framework—a basic structure or system of rules underlying a system; a concept that facilitates decision making
- Standards—a rule, principle, technique, process or template designed to provide consistency to planning, development, operation, implementation and governance
A framework is the foundation of questions that guide the creation, understanding, and education of standards and policies. Standards can be self-governing, but the framework provides high level governance to ensure the standards are being met and monitored. Where things get tricky is when there are different frameworks that govern different types of data.
Frameworks are tools to create structure and stability
Frameworks provide a structured set of topics to use to evaluate a system or software. They can be used for any hardware, software, network or data management process to create stability and security.
3.1.1 Frameworks defined
Frameworks are used to streamline operations, processes and audits. The point of a framework is to ask the right questions of the right areas. These questions are not just for the technology but also for the technology consumers and practitioners. Gaps, overlaps and redundancies in processes are often identified while implementing a framework.
The phases of implementation
An implementation or expansion of a framework to include additional systems or areas is done in phases. Each control within the framework requires a question, an answer, documentation, a plan, education, implementation, and governance/audit steps. As you can see, these steps touch on each layer of the cybersecurity program definition we discussed in the previous chapter.
Data Types and Frameworks
The data diagram shown in Figure 3.1 depicts different types of data stored within a network perimeter. For each data type there are different frameworks, governance rules, and internal and external access requirements, as well as different levels of confidentiality. These are like ripples in a pool and intersect with other data types, frameworks and regulatory requirements. To understand this ripple effect, some examples below demonstrate different frameworks/regulations and take a deeper look at a few of the most popular frameworks.
Data type examples include:
- Personally identifiable information (PII)—names, addresses, and government identification numbers
- Protected health information (PHI)—health data, diagnosis, and chronic illness data
- Intellectual property (IP)—any creations of the mind, such as inventions, documentation, designs, and art used in commercial applications
- Financial Data—corporate profit and loss, and account information
- Master Data—suppliers, supply types, material types, and amounts
- Confidential Data—contract negotiation data, long term planning, and new product development
Figure 3.1: Data types and regulations, with overlaps
Examples of regulations are:
- HIPAA—Health Insurance Portability and Accountability Act (USA)
- GDPR—General Data Protection Regulation (EU)
- COBIT 2019—Control Objectives for Information Technologies
- NIST CIS Controls—National Institute of Standards in Technology Center for Internet Security Controls 7.1
- CMMC—Cybersecurity Maturity Model Certification (USA)
- SOX—Sarbanes-Oxley Act (USA), Section 404 (Management Assessment of Internal Controls)
Different data types have different framework and governance requirements. Table 3.1 shows some of the frameworks, with an overlap in the data types.
Table 3.1: Framework to data type cross reference
3.1.2 Popular frameworks
The most common cybersecurity-focused frameworks in use are the NIST CIS Controls, the GDPR, and the CMMC.
NIST CIS Controls
The National Institute of Standards in Technology Center for Internet Security Controls 7.1 is a prioritized set of recommended practices for securing a wide range of systems and controls. This framework asks questions of all aspects of an organization and is divided into three cats: basic, foundational and organizational.
NIST CIS Controls are evolving
The NIST CIS Controls and cybersecurity frameworkis the most commonly used framework. It is used to institute control, create a plan for improved security and the ability to audit processes. It is constantly evolving so be sure to keep up to date with changes by checking the NIST.gov website for the latest updates.
The basic category includes the review of assets, vulnerability management, administrative privileges, secure configurations of hardware, and audit log analysis. These are considered basic and are the highest priority for organizations of any size. An example of a basic category goal is: to maintain an accurate and updated inventory of all technology assets including details of the asset, status of use and connectivity to the network.
The foundational category includes email and web browser protection, malware defense, network port and protocol control, data recovery, secure configuration of network hardware, network boundary defenses and data protection. This is the second set of controls implemented due to escalating complexity. An example of a foundational category goal is: to ensure that only fully supported web browsers and email clients are allowed within the organization, with the latest version supplied by the vendor.
The organizational category includes security awareness training, application software security, incident management, and penetration tests. This level of control is not needed for smaller companies and requires a more in-depth cybersecurity program. An example of an organizational category goal is: to train workforce members to identify and manage sensitive information.
Key definitions
- IGs (CIS Controls Implementation Groups)—self-assessed categories based on organization size and relevant cybersecurity attributes
- Controls—the first-level category of system or data being managed
- Sub-controls—the second-level detailed goal(s) organized by asset type and security function
Key principles
- Offense informs defense—the use of information gathered from actual attacks creates the foundation to build an effective defense.
- Prioritization—implement the controls that bring the greatest risk reduction first.
- Measurements and metrics—create common metrics in language that is understood by executives, information technology practitioners, auditors and security officials.
- Continuous diagnostics and mitigation—continually monitor, measure and validate to ensure quality diagnostic data and mitigating controls.
- Automation—automate defense mechanisms to allow the controls to be continuously measured and scaled.
For more information, refer to: http://cissecurity.org.
GDPR
The General Data Protection Regulation is a regulatory framework that manages data privacy for the European Union but which has a global impact. Any company collecting personal data for people residing in any European Union country is required to comply with this regulation. At its core definition, GDPR requires data integrity, accuracy, security, and transparency for any personal data gathered, as well as giving the data subject the ability to update their own data or request it be deleted. This means that companies that collect personal data for their use must prove that they keep it safe and must also give data subjects the right to update their data or have it forgotten completely. Historically, once user data was in a list, that data was there forever; it could be bought and sold as a commodity regardless of its accuracy or risk. GDPR addresses those historic principles, placing governance requirements, legal accountability, and fines around data.
GDPR integrates with all other frameworks
At its core, GDPR does not manage the end-to-end global information technology footprint of a company as other frameworks do, but integrates it into other frameworks. It places privacy requirements at every level of data utilization—gathering the data from the user, coding and processing that data, and storing and managing the data long-term.
Key definitions
- Chapter—high-level grouping of the different governance classifications
- Articles—the classification of the provisions include general provisions, principles, rights of the data subjects, etc.
- Recitals—the detailed requirements of the article (for example, Article 1—subject-matter and objectives, Recital 1—data protection as a fundamental right)
- Personal data—personally identifiable data (name, address, country, etc.)
- Data processing—the work being done by the program
- Data subject—the data being used by the data processing
- Data controller—the person responsible for the personal data use and storage
- Data processor—the person that processes personal data at the request of the data controller
Key principles
- Lawfulness, fairness and transparency—the processing and management of personal data must be lawful, fair and transparent
- Purpose limitation—use of the personal data is limited to the reason for which it was collected
- Accuracy—personal data must be kept accurate and up-to-date as much as possible
- Storage limitation—personal data must only be stored for as long as necessary for the purpose it was collected
- Integrity and confidentiality—personal data must be processed and stored in a way that ensures integrity and confidentiality
- Accountability—GDPR compliance must be demonstrable by data processor
Privacy rights
- The right to be informed—the right to know what is being done with data
- The right of access—the ability to know what data is being stored and the ability to change that data
- The right to rectification—the ability to request changes or corrections to stored personal data
- The right to erasure—the right to have your data removed (also known as the right to be forgotten)
- The right to restrict processing—the right to restrict what is being done with personal data
- The right to data portability—the right to move personal data
- The right to object—the right to stop the use of personal data
- Rights in relation to automated decision making and profiling—the right to know what decisions are made through automation without human interaction
For more information, refer to: https://gdpr.eu/.
CMMC
The Cybersecurity Maturity Model Certification is a new framework developed by the United States Under Secretary of Defense for Acquisition working with the Department of Defense (DOD), Universities and federally funded research centers. The CMMC framework was developed with the intention of protecting the supply chain for the military and US government, and applies to any company or agency that provides goods or services for the government.
CMMC will create growth in cybersecurity
The CMMC is a new framework and certification process. There will be tremendous growth in cybersecurity practice implementation in the coming years as it evolves to protect critical infrastructure.
The CMMC was developed in response to cyber threats and breaches within the DOD supply chain that compromised classified and controlled unclassified information. These attacks resulted in the loss of critical intellectual property from suppliers and the use of supplier networks to launch successful and unsuccessful attacks against the defense and supply chain networks.
Key definitions
- DIB (defense industrial base)—made up of over 300,000 companies that provide goods and services to the DOD supply chain
- Cyber hygiene—practices required to maintain system health and improve security
- Capabilities—achievements to ensure cybersecurity objectives are met. Each domain is made up of a set of capabilities. There are 43 capabilities.
- Domains—a set of capabilities that are based on cybersecurity best practices. There are 17 domains within CMMC.
- Processes—required procedures or activities that are necessary to achieve a capability level. There are five processes across five levels to measure process maturity.
- Practices—specific technical activities required to achieve a specific level of cybersecurity maturity.
- CMMC level—there are five levels of cybersecurity maturity measured against specific processes and practices. There are 171 practices across five levels to measure capabilities.
- Maturity model—a set of indicators that determine progress in a domain and that are auditable against established requirements.
- Certification—the result of a process audit that validates the execution of practices, resulting in CMMC level validation and certification.
Key principles
- Protect federal contract information
- Protect controlled unclassified information
- Implement standardized and measurable cyber hygiene across the DIB
- Implement a certification process and artifact for entities bidding on federal contracts, streamlining the supplier evaluation process. Different levels of maturity are required based on the sensitivity of the information to be protected; the required maturity level escalates for higher levels of data sensitivity.
For more information, refer to: https://www.acq.osd.mil/cmmc.
The CMMC provides a framework, or roadmap, for a company to mature its cybersecurity practices through a set of levels (see Figure 3.2). The higher the maturity level, the greater the consideration in the contract bid and retention process. Companies are required to maintain their level certification throughout the entire relationship with the government and submit audit results to prove certification maintenance.
Figure 3.2: CMMC maturity levels
The CMMC provides a cross reference of the most common security frameworks in use for each of its domains in the CMMC Model Appendices. Companies that already use an existing framework can easily see where they need to improve in order to comply with the CMMC.
3.1.3 Which frameworks work best with which SAP modules?
Looking at the six frameworks reviewed in this chapter, the best options are the NIST CIS Controls and the CMMC. These are more comprehensive and better able to address the breadth and depth of data stored and used in SAP. Apart from the SOX regulations, the other frameworks are addressed using either NIST or CMMC. The benefit of the CMMC over NIST is that it comes with a clear plan on what to do to incrementally improve system security. Using NIST CIS Controls or CMMC requires an organized plan, financial investment, and a multi-year implementation to bring SAP into compliance with a framework.
NIST framework widely accepted
All frameworks can be applied to SAP, but in pracice the NIST model has the maturity and global acceptance by SAP and its integration partners. This acceptance means easier implementation at the customer level.
3.1.4 How does using a framework for security create control?
Using a framework creates control in all the areas in which it is applied. It creates an opportunity and offers the right questions to ask in order to improve the security and processes around SAP. It impacts security, change management, patch application, note application, testing processes, archiving, disaster recovery, user access management, and more. In the next chapter, we will dive into some specifics on how the seemingly vague questions apply to SAP, and how using them improves the risk profile of the landscapes. Once a framework is applied to SAP, it is possible to make measurable assessments of risk and make decisions about the priority of impacts to the SAP landscape.
4 Reconciling SAP cybersecurity to frameworks and regulatory compliance requirements
Reconciling SAP Cybersecurity to frameworks and regulatory requirements involves a cross section of people from SAP Security, SAP Basis server administration, network administration, and business users. Including all these people gives a well-rounded view of the system set-up, and an understanding of how the business uses the different modules. This chapter will walk through the process of evaluating SAP for inclusion in a cybersecurity program.
All contents. Learn more. Discover now.
et.training - Your learning platform for SAP software
- Access to all learning content1
- Regular new releases
- Intelligent search algorithm
- Innovative reading experience
- Customized learning paths
- Certificates & QA tests2
1 You get access to all learning content. Online trainings, certificates are NOT part of the flat rate.
2 More information on request.