
Week 1 Unit 1: Information Security Goals

© 2017 SAP SE or an SAP affiliate company. All rights reserved. | © Prof. Dr. Paulus | Hochschule Mannheim
Information Security Goals
Information security – An unequal arms race (1)

The statistic presents the recorded number of data breaches and records exposed in the United States between 2005 and 2016. In the last measured year, the number of data breaches in the United States amounted to 1093, with close to 36.6 million records exposed.

Source: © Statista

© Prof. Dr. Paulus | Hochschule Mannheim open.sap.com Slide 2


Information Security Goals
Information security – An unequal arms race (2)

Businesses:
• Attack intelligence needs many experts
• Everything needs to be protected
• Every link in the chain must be strong

Hackers:
• Attacks from abroad – often no prosecution
• Use of a high level of automation
• Any asset of value might be interesting
• One successful attack may be enough


Information Security Goals
Reasons for setting up an information security program

• Risk reduction: preventing information loss
• Compliance: with regulations
• Contracts: fulfilling customer / partner requirements


Information Security Goals
Why should you do it now?

Digital Transformation
• Intelligent devices
• Fully networked
• Autonomous behavior
→ Fast-growing attack surface for your information

Nation State Activities
• The capability of a trustworthy digital transformation becomes a differentiator for nation states (location advantage)
• Information security has become a core component of national security strategies
• This approach requires the participation of businesses
→ Increasing number of legal information security requirements

Supply Chain Requirements
• Security risks propagate through the supply chain
• Organizations delegate the risk through security requirements in contracts and SLAs
→ Information security as a prerequisite in many sectors


Information Security Goals
What are the goals of an information security program?

Business: Continuity – Fast resumption – Resilience
Processes: Availability – Integrity – Accountability
Information: Availability – Integrity – Confidentiality


Information Security Goals
Data privacy – New European regulation in place

The European General Data Protection Regulation
• In place since May 2016
• Will be enforced starting May 2018
• Fines of up to €20 million or 4% of global annual turnover for the preceding financial year, whichever is greater
• Freedom of choice for subjects
• Full transparency where and for which purpose personally identifiable data is used
• Opt-out, requiring deletion of data

New approach
• Risk-based
• Using a management system
• Can be integrated into an information security management system

Integrate privacy requirements into your information security program!


Information Security Goals
Identify your "Crown jewels"

You cannot protect all your information. Follow a risk-based approach.

▪ Crown jewels
Information that may be subject to espionage or targeted sabotage
High level of protection required
Examples: secret recipes, customer data

▪ Core infrastructure
Information and systems that are required to run your daily business
Standard level of protection required
Examples: ERP systems, e-mail services, document stores…

▪ General business information
Information that is not critical


Information Security Goals
Key takeaways

• Major requirements for an information security program:
Address the risks that come with digital transformation
Be compliant with new legislation
Fulfill the security requirements of your customers / partners

• Major protection goals:
At business level: Continuity – Fast resumption – Resilience
At process level: Availability – Integrity – Accountability
At information level: Availability – Integrity – Confidentiality
In addition: Integrate data protection requirements

• How to achieve these goals:
Follow a risk-based approach: Identify your "crown jewels" and your core infrastructure
Formulate strategic security goals as part of a security policy – the security goals must support the strategic business goals!


Copyright © Prof. Dr. Paulus, Hochschule

Copyright © 2017 Prof. Dr. Sachar Paulus, Hochschule Mannheim. All content/information present here is the exclusive property of Prof. Dr. Sachar
Paulus, Hochschule Mannheim. The content/information contained here is correct at the time of publishing. No material from here may be copied,
modified, reproduced, republished, uploaded, transmitted, posted or distributed in any form without prior written permission from Prof. Dr. Sachar
Paulus, Hochschule Mannheim. Unauthorized use of the content/information appearing here may violate copyright, trademark and other applicable
laws, and could result in criminal or civil penalties.


Thank You!

Contact Information:

open@sap.com
Week 1 Unit 2: Security Risk Management
Security Risk Management
What is a risk?

A risk is potential damage.

Risk categories:
• Strategic risks
• Product and market risks
• Financial risks
• Operational risks

In most cases, information security risks are operational risks.


Security Risk Management
Risk treatment options

• Accept: if the risk is acceptably low – budget for risk occurrence
• Reduce: choose adequate risk mitigation measures
• Transfer: use contracts, insurance
• Avoid: stop the relevant business activities


Security Risk Management
How to identify risks

• Ask every manager
• Thorough analysis of all business and supporting processes
• Structured questionnaire, cross-checked
• Brainstorming


Security Risk Management
Risk valuation

Risk = Likelihood * Damage (in local currency)

Likelihood
• Fix the period for which the probability is estimated; typically 3 or 5 years
• Could also be a frequency (i.e. > 1)
• Estimating probabilities:
Systemic risks (e.g. hurricanes): use statistical information
Non-systemic risks (e.g. hacker attacks): estimate capability and information of attackers

Damage
• In USD, EUR, …
• Two options for financial impact estimation:
Estimate the different aspects of damage (direct costs, indirect costs, third-party damage, company valuation loss, …)
Estimate the costs of restoring the original status after the damage has occurred


Security Risk Management
Risk valuation

Risk matrix: each risk is plotted by likelihood (horizontal axis) and damage (vertical axis); the cells of the matrix list the numbers of the risks (1 to 12) that fall into them (figure not reproduced).

Risk inventory:

No. | Risk                             | L | D
1   | Sabotage of production computers | 2 | 4
2   | Espionage of secret recipes      | 3 | 3
3   | …                                |   |
4   | …                                |   |


Security Risk Management
Two options for security risk models: General setup

Attackers (characterized by motivation and capability) generate threats (characterized by probability, i.e. the danger), which have an impact on assets (characterized by their value).


Security Risk Management
Two options for security risk models: (a) without existing baseline security concept

Threats (probability) have an impact on assets (value); the impact is characterized by likelihood and damage.

Advantages: simple model; easy to valuate risks; holistic view.
Disadvantages: high amount of data; does not take existing measures into account.


Security Risk Management
Two options for security risk models: (b) with existing baseline security concept

A baseline security concept is assumed to be in place. Threats make use of a vulnerability in the assets; the impact is characterized by likelihood and damage, but we consider only what is due to the existence of the vulnerability. This requires certain assumptions to be fulfilled.

Advantages: only "exceptional" risks are considered.
Disadvantages: rather complex; assumptions may be wrong; the view is limited by the baseline security concept.


Security Risk Management
Security controls

A security control is a risk mitigation measure.
The cost of a security control is opportunity cost.
A security control is characterized by a risk reduction and a cost (investment and operating cost).

Threats have an impact on the security control, which in turn has an impact on the assets. The impact after the control is in place is characterized by a new pair of likelihood and damage (= risk reduction). This requires certain assumptions to be fulfilled.


Security Risk Management
Efficiency of controls

To compare the efficiency of controls, we define the Return on Security Invest (ROSI) of a control $C$ for a risk $R = (l, d)$ with a cost $c$ over a defined time period. The control maps the risk to a new pair of likelihood and damage:

$$C: (l, d) \mapsto (l', d')$$

$$\mathrm{ROSI}_{C,R} := \frac{l \cdot d - l' \cdot d'}{c}$$

If $\mathrm{ROSI}_{C,R} > 1$, then the control is efficient.

If the risks are considered to be independent events, then we can aggregate the Return on Security Invest for a control $C$:

$$\mathrm{ROSI}_{C} := \sum_{R} \mathrm{ROSI}_{C,R}$$

But in many cases, this does not make sense. Taking into account the strategic alignment of the controls (considered as change projects), ROSI can be used to identify a portfolio of security controls that is best suited to address a company's security risks.


Security Risk Management
Regular risk reporting

In an advanced security risk management, risks, corresponding controls, and their status should be reported regularly.

No. | Risk | Likelihood | Damage | Control | Control cost | Likelihood after control | Damage after control | Status of control
1 | Sabotage of production computers | 20 | 5M | Hardware firewall separating industrial and office networks | 0.05M | 0.1 | 5M | active
2 | Espionage of secret recipes | 40 | 2M | Encryption of data at rest for all systems storing recipes | 0.2M | 0.1 | 5M | in preparation
3 | Loss of company information through fire | 0.5 | 10M | Fire extinguishing system | 1M | 0.5 | 1M | to be started
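As an added worked example (not part of the original slides), the following Python encodes the formulas from the "Efficiency of controls" slide (risk = likelihood * damage, ROSI of a control for a risk, aggregation over independent risks, efficient if ROSI > 1) and applies them to the three rows of the reporting table above. The risk and control values are copied from the table; the greedy portfolio selection, the `budget` parameter and all function names are assumptions introduced here for illustration.

```python
"""Risk valuation and Return on Security Invest (ROSI) over a risk inventory.

Added example, not from the openSAP slides. Formulas encoded:
    risk          = likelihood * damage
    ROSI_{C,R}    = (l*d - l'*d') / c
    ROSI_C        = sum of ROSI_{C,R} over the risks R that C addresses
                    (valid only if the risks are independent events)
Monetary values are in millions of the local currency; likelihood is the
expected number of occurrences in the chosen period and may exceed 1.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    number: int
    name: str
    likelihood: float   # expected occurrences per period (may be > 1)
    damage: float       # damage per occurrence, in M

    def value(self) -> float:
        """Risk = Likelihood * Damage (expected loss over the period)."""
        return self.likelihood * self.damage


@dataclass
class Control:
    name: str
    cost: float                               # invest + operating cost, in M
    residual: dict[int, tuple[float, float]]  # risk number -> (l', d') after control
    status: str = "planned"

    def rosi_for(self, risk: Risk) -> float:
        """ROSI_{C,R} = (l*d - l'*d') / c for one risk this control addresses."""
        l2, d2 = self.residual[risk.number]
        return (risk.value() - l2 * d2) / self.cost

    def rosi(self, inventory: list[Risk]) -> float:
        """ROSI_C: aggregated over the addressed risks (assumes independence)."""
        return sum(self.rosi_for(r) for r in inventory if r.number in self.residual)

    def is_efficient(self, inventory: list[Risk]) -> bool:
        """The slide calls a control efficient if its ROSI is greater than 1."""
        return self.rosi(inventory) > 1


# Constructed from the "Regular risk reporting" table, values as printed there.
INVENTORY = [
    Risk(1, "Sabotage of production computers", likelihood=20, damage=5),
    Risk(2, "Espionage of secret recipes", likelihood=40, damage=2),
    Risk(3, "Loss of company information through fire", likelihood=0.5, damage=10),
]

CONTROLS = [
    Control("Hardware firewall separating industrial and office networks",
            cost=0.05, residual={1: (0.1, 5)}, status="active"),
    Control("Encryption of data at rest for all systems storing recipes",
            cost=0.2, residual={2: (0.1, 5)}, status="in preparation"),
    Control("Fire extinguishing system",
            cost=1, residual={3: (0.5, 1)}, status="to be started"),
]


def rank_controls(controls: list[Control], inventory: list[Risk]) -> list[Control]:
    """Controls ordered by aggregated ROSI, most efficient first."""
    return sorted(controls, key=lambda c: c.rosi(inventory), reverse=True)


def select_portfolio(controls, inventory, budget: float):
    """Greedy portfolio (assumption, not from the slides): take efficient
    controls in ROSI order while the budget lasts. Returns (chosen, remaining)."""
    chosen, remaining = [], budget
    for c in rank_controls(controls, inventory):
        if c.is_efficient(inventory) and c.cost <= remaining:
            chosen.append(c)
            remaining -= c.cost
    return chosen, remaining


def risk_report(controls, inventory) -> list[dict]:
    """Rows of the regular risk report: risk before/after the control and its ROSI."""
    rows = []
    for c in controls:
        for r in inventory:
            if r.number in c.residual:
                l2, d2 = c.residual[r.number]
                rows.append({"no": r.number, "risk": r.name, "control": c.name,
                             "risk_before": r.value(), "risk_after": l2 * d2,
                             "cost": c.cost, "rosi": c.rosi_for(r), "status": c.status})
    return rows


if __name__ == "__main__":
    for row in risk_report(CONTROLS, INVENTORY):
        print(f"{row['no']} {row['risk']:<42} {row['risk_before']:>6.1f}M -> "
              f"{row['risk_after']:>4.1f}M  ROSI={row['rosi']:>7.1f}  [{row['status']}]")
    chosen, left = select_portfolio(CONTROLS, INVENTORY, budget=0.3)
    print("Portfolio within 0.3M:", [c.name for c in chosen], "remaining:", round(left, 2))
```

With the table's numbers all three controls are efficient (ROSI 1990, 397.5 and 4.5), so the ranking, not the threshold, decides which controls fit a given budget; the slide's caveat still applies: summing ROSI only makes sense for independent risks, and strategic alignment has to be weighed separately.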


Security Risk Management
Key takeaways

• Risks must be identified, valued, and addressed
Options are: Avoidance, Reduction, Transfer, Acceptance.

• Visualize your risks and your actual risk status
A visualization allows improved decision making.

• In general, security risks need to be reduced by controls
Controls need to be chosen by efficiency, e.g. by using the ROSI model.

• There are two major security risk models: with and without a baseline security concept
Choose the one that suits your environment best; the simple model is easier to start with.


Week 1 Unit 3: Security Control Types
Security Control Types
Security controls

Examples of security controls: dual control principle, security guards, network segregation.

Security controls:
• have different natures
• need to be (well) chosen
• form a security concept
• need to be checked for effectiveness


Security Control Types
Security controls

Security controls have different natures, and can be seen from different perspectives, e.g.:
• Manual
• Automated


Security Control Types
Security controls – Examples (1)

• Firewalls
• Anti-Virus
• Encryption

• Doors
• Keys
• Fence

• Dual control
• Segregation of duties


Security Control Types
Security controls – Examples (2)

• Manual: guards checking identities
• Automated: access card system


Security Control Types
Security controls grouping – Examples

• All controls that protect an SAP system
• All controls that protect patents

• All controls that prevent access
• All controls that assure confidentiality of data in transit

• All controls performed by the IT department
• All controls performed by HR
• All controls performed by the housing service


Security Control Types
Security controls form a security concept – Two examples

Example 1, layered access controls: access to a building → access to the network → identity in a given system → authorizations in a given system.

Example 2, password controls:
• Password strength: length, character types, complexity, history
• Password handling: no storage allowed, regular change, clear desk policy


Security Control Types
Sources for security controls

There are many sources for good security controls. Pick a repository that suits your needs well. Some security controls may be mandatory for your business.

• ISO 27001
• IT Baseline Protection (BSI IT-Grundschutz)
• NIST Cybersecurity Framework
• COBIT
• ISA 99
• HIPAA
• PCI-DSS
• Unified Compliance Framework


Security Control Types
Control groups according to ISO 27001 (1)

• Security Policies: Management direction for information security
• Organization of Information Security: Internal organization; Mobile devices and teleworking
• Human Resource Security: Prior to employment; During employment; Termination or change of employment
• Asset Management: Responsibilities for assets; Information classification; Media handling
• Access Control: Business requirements for access control; User access management; User responsibilities; System and application access control


Security Control Types
Control groups according to ISO 27001 (2)

• Cryptography: Cryptographic controls
• Physical and Environmental Security: Secure areas; Equipment
• Operations Security (1): Operational procedures and responsibilities; Protection from malware; Backup; Logging and monitoring
• Operations Security (2): Control of operational software; Technical vulnerability management; Information systems audit considerations
• Communications Security: Network security management; Information transfer


Security Control Types
Control groups according to ISO 27001 (3)

• System Acquisition, Development and Maintenance: Security requirements of information systems; Security in development and support processes; Test data
• Supplier Relationships: Security in supplier relationships; Supplier service delivery management
• Information Security Incident Management: Management of information security incidents and improvements
• Information Security Aspects of Business Continuity Management: Information security continuity; Redundancy
• Compliance: Compliance with legal and contractual requirements; Information security reviews


Security Control Types
Key takeaways

• Security controls are the risk mitigating activities in your organization.
They can have different natures, and can be grouped from different perspectives.

• Security controls need to form a security concept – they need to "match".
If not, the effect of these measures may be contradictory.

• Follow a security standard that best suits your needs.
A good baseline is the ISO/IEC 27001 standard.


Week 1 Unit 4: Security Management Processes: Prevention, Detection, Response
Security Management Processes: Prevention, Detection, Response
The security management process phases

Prevent → Detect → React


Security Management Processes: Prevention, Detection, Response
The Deming cycle

An initial risk analysis feeds the cycle:
Plan (define requirements) → Do (implement controls) → Check (measure effectiveness) → Act (improve effectiveness) → back to Plan


Security Management Processes: Prevention, Detection, Response
Prevent processes

• Policy management (yearly): Review policy content → Adapt changes → Get management approval
• Risk management (monthly): Perform risk rating → Adjust security controls → Investigate controls and vulnerability status → Report current risk
• Audit management (yearly): Define audit goals → Perform audits → Identify findings → Correct findings
• Vulnerability management (daily): Identify system landscape → Collect vulnerability information → Perform corrective action → Adjust risk rating


Security Management Processes: Prevention, Detection, Response
Prevent processes – Interaction

The four prevent processes (policy, risk, audit, and vulnerability management) do not run in isolation: vulnerability management ends by adjusting the risk rating, and the reported risk status drives the adjustment of security controls (interaction diagram not reproduced).


Security Management Processes: Prevention, Detection, Response
Detect processes

• Incident detection: Implement sensors → Define anomaly patterns → Define alerting thresholds → Alert
• Incident reporting: Identify reporters → Define reporting template → Report incidents


Security Management Processes: Prevention, Detection, Response
React processes

• Incident management: Define emergency plan → Execute emergency plan → Decide about crisis → Create forensic copy → Analyze incident → Implement corrective measures → Improve controls
• Crisis management: Identify crisis team → Train crisis team → Alert crisis team → Run crisis mode


Security Management Processes: Prevention, Detection, Response
Information flow

Escalation path between the parties involved: IT, Facilities, …; ISO; business process; CISO; head of department; crisis team; top management (information flow diagram not reproduced).


Security Management Processes: Prevention, Detection, Response
Key takeaways

• Security activities can be understood as business processes.
Processes can be grouped into Prevent – Detect – React.

• Prevent processes: policy, risk, audit and vulnerability management.
Prevent processes need coordinated interaction, specifically risk reporting and controls improvement.

• Detect processes: incident detection, incident reporting.
Detect processes require an excellent understanding of the information system landscape.

• React processes: incident management, crisis management.
React processes need a clear escalation path.


Week 1 Unit 5: Security Awareness
Security Awareness
Perceived security versus real security

People tend to perceive security unrealistically.

We make security decisions every day – based on our perception.


Some people say that the users of IT systems are the biggest security risk.


Security Awareness

With good communication, we can turn employees from the biggest security risk into the best security measure.
Security Awareness
Goal of security awareness

In a company context, we want our employees to take the right security decisions.

Image: © NSSLabs.com


Security Awareness
Change of behavior needs motivation and competence

Security awareness research shows that people can be divided into four groups, by motivation and competence:
• The uninvolved: low motivation, low competence
• The naive: high motivation, low competence
• The fatalist: low motivation, high competence
• The sovereign: high motivation, high competence

We need to address both motivation and competence:
• Motivation is addressed by security awareness.
• Competence is addressed by security training.

Source: © Deutschland sicher im Netz e.V.


Security Awareness
Key success factors for security awareness

• Questions established behavior
• Has its own brand
• Escapes standard communication paths
• Fits company culture
• Is discussed amongst employees
• Adapts to different target groups
• Endorses company identification


Security Awareness
Some examples: campaign start

© SAP SE


Security Awareness
Some examples: ongoing messaging

© SAP SE


Security Awareness
Key success factors for security training

• Uses recent, real-world examples
• Should be in sync with technical security solutions
• Fits company learning culture
• Thematically focused
• Small learning bites
• Offers immediate help for daily employee problems


Security Awareness
Process view

• Security awareness: Identify company culture → Identify user types → Develop awareness program → Execute awareness activities
• Security training: Identify know-how status → Identify training areas → Develop training concept → Offer trainings


Security Awareness
Measuring improvements

To document the effect of security awareness and training, monitor / measure the users' behavior on a regular basis. Given the effort needed, a yearly measurement is appropriate.

0. Normalization: initial assessments / questionnaires
Campaign: awareness kick-off; first trainings
1. Measurement: perform assessments / questionnaires
Campaign: address learnings from the measurement; awareness activities; trainings
2. Measurement: perform assessments / questionnaires
…


Security Awareness
Key takeaways

• Security awareness enables you to turn employees from a major risk to a premium security control.
In general, to achieve this, we need to change employees' behavior.

• Separating security awareness and security training is a key success factor.
Security awareness is suitable to address the motivation of employees to behave with security in mind.
Security training is meant to address the decision-making competence of employees.

• To document success, measure regularly, e.g. through questionnaires.


Week 1 Unit 6: Organizational Requirements
Organizational Requirements
Define your information security goals in a security policy!

Structure of a Security Policy
1. Security Goals
• Strategic business goals of the organization
• Information security goals must support the strategic business goals of an organization
2. Responsibilities
3. Processes
4. Sanctions

Security Governance Framework: Policy → Standards → Procedures

A security policy must be endorsed by executive management.


Organizational Requirements
Management accountability

First and foremost, management is always accountable. A delegation / assignment of responsibilities is key to success!

Management board (overall accountability):
• Describe responsibilities in the security policy
• Request regular reports on the actual security risk status (e.g. quarterly, monthly)
• Take decisions on security risk treatment, incl. budget and execution responsibilities
• Develop / support a security strategy aligned with the company strategy
• Implement and control an information security management system (ISMS)

CISO: ISMS process responsibility (once given)
Dept 1, Dept 2, Dept 3: responsibility for security within their departments (once assigned)


Organizational Requirements
Employees

Employees need to follow the rules
• Rules need to be defined (do's and don'ts)
• Rules need to be communicated
• Rules need to be enforced

Develop security standards (as part of the security governance framework).


Organizational Requirements
Employees

Employees need to understand the rules and act accordingly:
• Rules must be explained
• Employees must be trained
• Employees must think in the correct way

Perform security awareness and trainings.


Organizational Requirements
The CISO department

The (Chief) Information Security Officer is responsible for the well-functioning of the ISMS. He is NOT responsible for the security of the organization!

The CISO department:
• Writes security policy and standards
• Implements security risk management processes
• Takes care of security awareness and training programs
• Moderates security management meetings
• May act as first responder in case of imminent danger


Organizational Requirements
The CISO department: organizational options

• Service-oriented: the CISO is a service unit under the management board, alongside Dept 1, Dept 2, Dept 3.
• Decentral, coordinated: the CISO reports to the management board and coordinates an ISO placed in each department (Dept 1, Dept 2, Dept 3).
• Staff function: the CISO is a staff function of the management board, with ISOs for the departments; Dept 1, Dept 2, Dept 3 report to the board.


Organizational Requirements
Governance, risk, and compliance – An organizational option

Compliance requirements (legal, contractual, management), risk management, and security can be combined in one GRC function (governance, risk, and compliance).


Organizational Requirements
The IT department in the security context (1)

The IT department offers IT services. This is where many vulnerabilities reside.

The business departments use IT services. This is where the risks can be estimated.


Organizational Requirements
The IT department in the security context (2)

The IT department is a service unit:
• It does not define security levels, or security requirements
• It provides services with defined security properties

Layers: business processes (business layer); IT services (application servers, network services, infrastructure) and housing (buildings) (technical layer).

Requests to the IT department:
• Provide IT services with baseline security
• Provide IT security services (firewalls, patch management, …)
• Provide security service levels (guaranteed response times when vulnerabilities become known)

Areas for cooperation:
• Security-related strategic decisions (bring your own device, open innovation areas, cloud usage …)
• Technical enforcement of security rules (password strength, authorizations, identity management, encryption)

Organizational Requirements
Responsibilities along the supply chain
We are interconnected along the supply chains. The risks propagate in both directions:
• From suppliers
• From customers

Control the security to suppliers, customers, and partners:
• To suppliers and partners: formulate security requirements ("security service level agreements")
• To customers: fulfill their requirements, offer secure-by-design products and services

Risk propagation: supplier of your supplier ↔ your supplier ↔ your company ↔ your customer ↔ customer of your customer

→ Cooperate with supply and customer departments!


Organizational Requirements
Interaction with other central functions

(Figure: the CISO at the center, connected to the following central functions.)

• HR: cultural aspects, awareness
• Data protection: common controls for security & privacy
• Internal communications: awareness, policy communication
• Risk management: risk reporting, risk treatment according to risk policy
• Legal: security SLAs, incidents that require prosecution
• Compliance: fulfillment of security-relevant legal requirements
Organizational Requirements
Key takeaways

• Develop a security policy and corresponding standards.
  The accountability stays with management; responsibilities for operational activities should be delegated appropriately.

• The enablement of the CISO role / function / department is key to success.
  There are different options for the organizational setup; it is important to match the company culture.

• The IT department plays an important role in information security.
  It should concentrate on delivering secure services and security services.

• The partners in your supply chain play an important role in the security of your organization.
  Deliver secure products and services, and mandate those from your suppliers.


Copyright © Prof. Dr. Paulus, Hochschule

Copyright © 2017 Prof. Dr. Sachar Paulus, Hochschule Mannheim. All content/information present here is the exclusive property of Prof. Dr. Sachar
Paulus, Hochschule Mannheim. The content/information contained here is correct at the time of publishing. No material from here may be copied,
modified, reproduced, republished, uploaded, transmitted, posted or distributed in any form without prior written permission from Prof. Dr. Sachar
Paulus, Hochschule Mannheim. Unauthorized use of the content/information appearing here may violate copyright, trademark and other applicable
laws, and could result in criminal or civil penalties.



Thank You!

Contact Information:

open@sap.com
Week 1 Unit 7:
Legal Conditions for
Certifying Security
Management Systems

Legal Conditions for Certifying Security Management Systems
What is a certification?

A certification is a confirmation of certain characteristics of an object, person, or organization. This confirmation is often, but not always, provided by some form of external review, education, assessment, or audit.

A security certification is a confirmation of security characteristics of objects, people, or organizations.


Legal Conditions for Certifying Security Management Systems
Types of certification

• People certification: skills, competencies
• Product certification: functional properties, non-functional properties
• Organization certification: process maturity, minimum standard of activities


Legal Conditions for Certifying Security Management Systems
Certification of information security management systems: history

(Timeline)
• 1989: Green books
• 1993: Code of Practice
• 1995: BS 7799
• 2000: ISO/IEC 17799
• 2005: ISO/IEC 27001


Legal Conditions for Certifying Security Management Systems
The ISO 2700X family

ISO 27000 Information Security Management Systems: Overview and Vocabulary
ISO 27001 Information Security Management Systems: Requirements
ISO 27002 Information Security Management: Code of Practice
ISO 27003 Information Security Management Systems: Implementation Guidelines
ISO 27005 Information Security Risk Management
...
ISO 27019 Information Security Management Guideline for process control systems specific to the energy industry


Legal Conditions for Certifying Security Management Systems
Where is a certification of an ISMS required?

Certification requirements vary by region.

In Germany, critical infrastructure providers need a certification according to ISO 27001:
• Services supplying more than 500,000 citizens
• In defined sectors (energy, health, …)
• In addition: web and communication service providers

The European NIS directive (to be transposed into national law in Europe by 2018) has similar requirements.

In the U.S., sector-specific requirements (healthcare, government) call for certifications similar or close to ISO 27001.

SOX companies should implement ISO 27001 as well.

Some organizations demand certifications from their (IT) suppliers.

(Figure labels: Critical Infrastructures, SOX, Internet Services, IT Service Providers)


Legal Conditions for Certifying Security Management Systems
What is required for a 27001 certification?

▪ A working information security management system (ISMS).
▪ All decisions and activities must be documented and their documentation retained.
▪ In addition, further documentation is necessary (see next slide).

Then, go for an audit!


Legal Conditions for Certifying Security Management Systems
What is required for a 27001 certification?

Scope
▪ Business area (organization, process, information system
landscape) where the ISMS is enforced.

Protection targets
▪ Security properties of the information used in the scope that
the ISMS should ensure.

Statement of Applicability
▪ Set of security controls that are considered necessary to
ensure the protection targets in the scope of the ISMS.

Management Review
▪ Results and necessary corrective activities of an internal
ISMS pre-audit, accepted and committed by management.



Legal Conditions for Certifying Security Management Systems
Best practice example from an energy provider (Germany)

Certification Strategy

(Figure: six separately certified units, each with its own Scope, Statement of Applicability (SoA), Management Review (MR), and Certificate (Cert), all built on one group-wide ISMS, which creates synergies.)


Legal Conditions for Certifying Security Management Systems
Key takeaways

• ISMS certifications are organizational certifications.
  They aim to ensure the maturity of the ISMS processes.

• The major standard for ISMS certification is ISO/IEC 27001.
  The ISO/IEC 2700x family offers a series of specialized standards and best practices on information security management.

• Legal requirements for an ISMS certification are growing.
  Most prominently for critical infrastructure providers in Europe (NIS directive), and specifically in Germany.

• The certification requires a working ISMS, excellent documentation of the ISMS, and some additional activities.
  If the scope is well chosen, the efforts are reasonable.


Week 1 Unit 8:
Key Takeaways

Key Takeaways
Follow a top-down process to identify your information security goals

Major requirements for an information security program:
• Address the risks that come with digital transformation
• Be compliant with new legislation (Figure: calendar marking the 25th of May)
• Fulfill the security requirements of your customers / partners

Major protection goals:
• At business level: Continuity – Fast resumption – Resilience
• At process level: Availability – Integrity – Accountability
• At information level: Availability – Integrity – Confidentiality
• In addition: Integrate data protection requirements

How to achieve these goals:
• Follow a risk-based approach: Identify your ‟crown jewels” and your core infrastructure (Figure: pyramid with three layers, from top to bottom: Crown jewels, Core infrastructure, General business information)
• Formulate strategic security goals as part of a security policy; the security goals must support your strategic business goals!


Key Takeaways
Know your information security risks

Risks must be identified, valued, and addressed.
Options are: Avoidance, Reduction, Transfer, Acceptance.

Visualize your risks and your actual risk status.
A visualization allows improved decision making.
(Figure: risk map plotting numbered risks 1 to 12 in a matrix.)

In general, security risks need to be reduced by controls.
Controls need to be chosen by efficiency, e.g. by using the ROSI model.

There are two major security risk models: with and without a baseline security concept.
Choose the one that suits your environment best; the simple model is easier to start with.
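The following is an added example, not part of the course material, that shows how "choosing controls by efficiency with the ROSI model" works in practice. It uses the commonly published ROSI formula (the form ENISA uses): ALE = SLE × ARO, and ROSI = (ALE × mitigation ratio − control cost) / control cost. The risks, controls and all numbers are constructed for illustration; the multiplicative combination of several controls in `residual_ale` is a modelling assumption, not part of the ROSI formula.

```python
"""Ranking security controls by efficiency with the ROSI model.

Added example; not part of the original course material. Formula used
(the form published by ENISA):

    ALE  = SLE * ARO                                   (annual loss expectancy)
    ROSI = (ALE * mitigation_ratio - control_cost) / control_cost

Every risk, control and number below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float  # single loss expectancy: expected loss per incident
    aro: float  # annualized rate of occurrence: incidents per year

    @property
    def ale(self) -> float:
        """Annual loss expectancy before any control is applied."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    risk: str           # name of the risk this control reduces
    mitigation: float   # fraction of the ALE the control removes (0..1)
    annual_cost: float  # yearly cost of running the control


def rosi(risk: Risk, control: Control) -> float:
    """Return on security investment of one control against one risk.

    > 0 : the control avoids more loss than it costs (worth implementing).
    <= 0: the control costs at least what it saves; use another treatment
          (transfer, acceptance, or a cheaper control).
    """
    if control.risk != risk.name:
        raise ValueError(f"{control.name} does not address {risk.name}")
    if not 0.0 <= control.mitigation <= 1.0:
        raise ValueError("mitigation ratio must be between 0 and 1")
    if control.annual_cost <= 0.0:
        raise ValueError("control cost must be positive")
    avoided_loss = risk.ale * control.mitigation
    return (avoided_loss - control.annual_cost) / control.annual_cost


def rank_controls(risks: Iterable[Risk],
                  controls: Iterable[Control]) -> list[tuple[str, float]]:
    """Sort candidate controls by ROSI, best first."""
    by_name = {r.name: r for r in risks}
    scored = [(c.name, rosi(by_name[c.risk], c)) for c in controls]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def residual_ale(risk: Risk, controls: Iterable[Control]) -> float:
    """ALE left after applying several controls to the same risk.

    Assumption: the controls act independently, so the fractions they leave
    behind multiply. This is a simplification, not part of the ROSI formula.
    """
    remaining = risk.ale
    for c in controls:
        if c.risk != risk.name:
            raise ValueError(f"{c.name} does not address {risk.name}")
        remaining *= 1.0 - c.mitigation
    return remaining


# Constructed sample data (not real figures).
RANSOMWARE = Risk("ransomware", sle=200_000.0, aro=0.5)     # ALE 100,000
LAPTOP_THEFT = Risk("laptop_theft", sle=5_000.0, aro=4.0)   # ALE 20,000
RISKS = [RANSOMWARE, LAPTOP_THEFT]

OFFLINE_BACKUPS = Control("offline_backups", "ransomware", 0.8, 20_000.0)
EDR = Control("edr", "ransomware", 0.6, 50_000.0)
DISK_ENCRYPTION = Control("disk_encryption", "laptop_theft", 0.9, 3_000.0)
GPS_TRACKING = Control("gps_tracking", "laptop_theft", 0.3, 8_000.0)
CONTROLS = [OFFLINE_BACKUPS, EDR, DISK_ENCRYPTION, GPS_TRACKING]

if __name__ == "__main__":
    for name, value in rank_controls(RISKS, CONTROLS):
        verdict = "reduce" if value > 0 else "not efficient: transfer or accept"
        print(f"{name:16s} ROSI = {value:+.2f}  -> {verdict}")
    left = residual_ale(RANSOMWARE, [OFFLINE_BACKUPS, EDR])
    print(f"residual ransomware ALE with backups + EDR: {left:,.0f}")
```

A negative ROSI (GPS tracking in the sample data) does not mean the risk is ignored: it means this particular control is not an efficient reduction, so the remaining options from the list above (transfer, e.g. insurance, or documented acceptance) have to be considered for it.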



Key Takeaways
Choose and implement adequate security controls

Security controls are the risk mitigating activities in your organization.
They can have different natures, and can be grouped from different perspectives.

Security controls need to form a security concept; they need to “match”.
If not, the effect of these measures may be contradictory.

Follow a security standard that best suits your needs.
A good baseline is the ISO/IEC 27001 standard.

(Figure: examples of standards and frameworks: ISO 27001, COBIT, NIST Cybersecurity Framework, ISA 99, HIPAA, PCI-DSS, IT Baseline Protection, Unified Compliance Framework)


Key Takeaways
Implement security management processes

Security activities can be understood as business processes.
Processes can be grouped into Prevent – Detect – React.

Prevent processes: policy, risk, audit and vulnerability management.
Prevent processes need coordinated interaction, specifically risk reporting and controls improvement.

Detect processes: incident detection, incident reporting.
Detect processes require an excellent understanding of the information system landscape.

React processes: incident management, crisis management.
React processes need a clear escalation path.


Key Takeaways
Implement security awareness and training

Security awareness enables you to turn employees from a major risk to a premium security control.
In general, to achieve this, we need to change employees’ behavior.

Separating security awareness and security training is a key success factor.
Security awareness is suitable to address the motivation of employees to behave with security in mind.
Security training is meant to address the decision-making competence of employees.

To document success, measure regularly, e.g. through questionnaires.

(Figure: competence/motivation matrix. Sovereign: high competence, high motivation. Fatalist: high competence, low motivation. Naive: low competence, high motivation. Uninvolved: low competence, low motivation. © Deutschland sicher im Netz e.V.)


Key Takeaways
Support the management system with an appropriate organization

The accountability stays with management.
Responsibilities for operational activities should be delegated appropriately.

The enablement of the CISO role is key to success.
There are different options for the organizational setup; it is important to match the company culture.
(Figure: organization chart. Management Board → CISO; Dept 1, Dept 2, Dept 3, each with its own Information Security Officer (ISO).)

The IT department plays an important role in information security.
It should concentrate on delivering secure services and security services.
(Figure: layered IT model. Business Layer: business process. Technical Services: infrastructure, application servers, network services. IT Housing: buildings.)

The partners in your supply chain play an important role in the security of your organization.
Deliver secure products and services, and mandate those from your suppliers.


Key Takeaways
When and how to get your ISMS certified

ISMS certifications are organizational certifications.
They aim to ensure the maturity of the ISMS processes.

The major standard for ISMS certification is ISO/IEC 27001.
• The ISO/IEC 2700x family offers a series of specialized standards and best practices on information security management.
• Legal requirements for an ISMS certification are growing.
• Most prominently for critical infrastructure providers in Europe (NIS directive), and specifically in Germany.
• The certification requires a working ISMS, excellent documentation of the ISMS, and some additional activities.
• If the scope is well chosen, the efforts are reasonable.

(Figure labels: Critical Infrastructures, SOX, Internet Services, IT Service Providers)


Key Takeaways
Getting started

• Implementing an Information Security Management System is not difficult.
  A systematic approach is needed to address the ever-changing threat landscape.

• To start, determine your risk landscape and deduce initial mitigating controls.
  Be agile: Foster people interaction instead of focusing on risk responsibility.

• To engage the organization, define and assign security roles and implement security management processes.
  People need to understand that there is no 100% security; instead, reaction capabilities are key.

• To sustain the effectiveness of your Information Security Management System, build an information security culture and maybe think about a certification.
  The awareness of your staff is key to success; a certification is a market differentiator.

