Information Security Goals
© 2017 SAP SE or an SAP affiliate company. All rights reserved. ǀ © Prof. Dr. Paulus | Hochschule Mannheim 1
Information Security Goals
Information security – An unequal arms race (1)
Figure (© Statista): businesses versus hackers – risk reduction, preventing information loss.
Information Security Goals
Why should you do it now?
▪ Intelligent devices, fully networked, with autonomous behavior
▪ The capability of a trustworthy digital transformation becomes a differentiator for nation states (location advantage). Information security has become a core component of national security strategies.
▪ Security risks propagate through the supply chain. Organizations delegate the risk through security requirements in contracts and SLAs. This approach requires participation of businesses.
▪ Crown jewels
– Information that may be subject to espionage or targeted sabotage
– High level of protection required
– Examples: secret recipes, customer data
▪ Core infrastructure
– Information and systems that are required to run your daily business
– Standard level of protection required
– Example: ERP systems, e-mail services, document stores…
▪ General business information
– Information that is not critical
Copyright © 2017 Prof. Dr. Sachar Paulus, Hochschule Mannheim. All content/information present here is the exclusive property of Prof. Dr. Sachar
Paulus, Hochschule Mannheim. The content/information contained here is correct at the time of publishing. No material from here may be copied,
modified, reproduced, republished, uploaded, transmitted, posted or distributed in any form without prior written permission from Prof. Dr. Sachar
Paulus, Hochschule Mannheim. Unauthorized use of the content/information appearing here may violate copyright, trademark and other applicable
laws, and could result in criminal or civil penalties.
Contact Information:
open@sap.com
Week 1 Unit 2: Security Risk Management
Security Risk Management
What is a risk?
Risk categories:
▪ Strategic risks
▪ Product and market risks
▪ Financial risks
▪ Operational risks
In most cases, information security risks are operational risks.
Options for treating a risk:
▪ Accept: if the risk is acceptably low, budget for risk occurrence
▪ Reduce: choose adequate risk mitigation measures
▪ Transfer: use contracts, insurance
▪ Avoid: stop relevant business activities
Security Risk Management
How to identify risks
▪ Ask every manager
▪ Thorough analysis of all business and supporting processes
▪ Structured questionnaire, cross-checked
▪ Brainstorming
Likelihood
▪ Fix a period over which the probability is estimated; typically 3 or 5 years
▪ Could also be a frequency (i.e. > 1)
▪ Estimating probabilities:
– Systemic risks (e.g. hurricanes): use statistical information
– Non-systemic risks (e.g. hacker attacks): estimate capability and information of attackers
Damage
▪ In USD, EUR, …
▪ Two options for financial impact estimation:
– Estimate the different aspects of damage (direct costs, indirect costs, third-party damage, company valuation loss, …)
– Estimate the costs of restoring the original status after the damage has occurred
Figure: likelihood as danger, estimated from attacker motivation and attacker capability, each given as a probability and a value.
Security controls
Figure: Threats – have impact on – Security control – has impact on – Assets.
▪ A control requires certain assumptions to be fulfilled.
▪ The impact after the control is in place is characterized by a new pair of likelihood and damage (= risk reduction):
$C: (l, d) \mapsto (l', d')$
▪ But in many cases, this does not make sense.
ROSI (return on security investment) of a control $C$ for a risk $R$:
$\mathrm{ROSI}_{C,R} := \frac{l \cdot d - l' \cdot d'}{c}$
If $\mathrm{ROSI}_{C,R} > 1$, then the control is efficient.
Taking into account the strategic alignment of the controls (considered as change projects), ROSI can be used to identify a portfolio of security controls that is best suited to address a company's security risks.
In an advanced security risk management, risks, corresponding controls, and their status should be reported regularly.

No. | Risk | Likelihood | Damage | Control | Control cost | Likelihood after control | Damage after control | Status of control
1 | Sabotage of production computers | 20 | 5M | Hardware firewall separating industrial and office networks | 0.05M | 0.1 | 5M | active
2 | Espionage of secret recipes | 40 | 2M | Encryption of data at rest for all systems storing recipes | 0.2M | 0.1 | 5M | in preparation
3 | Loss of company information through fire | 0.5 | 10M | Fire extinguishing system | 1M | 0.5 | 1M | to be started
• There are two major security risk models: with and without a baseline security concept.
• Choose the one that suits your environment best; the simple model is easier to start with.
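The ROSI criterion and the risk report above, worked through in code. This is an added example and not part of the course material: it takes the three rows of the report as printed (likelihood in the table's own units, amounts in EUR with M = million), computes the risk reduction l*d - l'*d' and the ROSI of each control, and then ranks controls into a portfolio by ROSI under an optional budget. The greedy ranking, the budget and the RiskEntry/select_portfolio names are this example's own assumptions; the slides only define ROSI and the "> 1" criterion.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class RiskEntry:
    """One row of the risk report: a risk, its control, and the pair (l, d) before and after."""
    no: int
    risk: str
    likelihood: float        # l: probability over the assessment period, or a frequency (may be > 1)
    damage: float            # d: monetary damage in EUR
    control: str
    control_cost: float      # c: cost of the control in EUR
    likelihood_after: float  # l': likelihood once the control is in place
    damage_after: float      # d': damage once the control is in place
    status: str


def apply_control(entry: RiskEntry) -> Tuple[float, float]:
    """The control as the map C: (l, d) -> (l', d') from the slides."""
    return entry.likelihood_after, entry.damage_after


def expected_loss(likelihood: float, damage: float) -> float:
    """Expected loss l*d over the assessment period."""
    return likelihood * damage


def risk_reduction(entry: RiskEntry) -> float:
    """l*d - l'*d': the expected loss the control removes."""
    l_after, d_after = apply_control(entry)
    return expected_loss(entry.likelihood, entry.damage) - expected_loss(l_after, d_after)


def rosi(entry: RiskEntry) -> float:
    """ROSI_{C,R} := (l*d - l'*d') / c."""
    if entry.control_cost <= 0:
        raise ValueError("control cost must be positive")
    return risk_reduction(entry) / entry.control_cost


def is_efficient(entry: RiskEntry) -> bool:
    """The slides' criterion: a control is efficient when ROSI > 1."""
    return rosi(entry) > 1


def select_portfolio(entries: Iterable[RiskEntry], budget: Optional[float] = None) -> List[int]:
    """Greedy portfolio (this example's choice, not the course's): take efficient
    controls in descending ROSI order, skipping any that would exceed the budget.
    Returns the risk numbers of the selected controls."""
    chosen: List[int] = []
    spent = 0.0
    for entry in sorted(entries, key=rosi, reverse=True):
        if not is_efficient(entry):
            break  # everything after this point has ROSI <= 1
        if budget is not None and spent + entry.control_cost > budget:
            continue
        chosen.append(entry.no)
        spent += entry.control_cost
    return chosen


# Constructed from the risk report table on the slides (amounts in EUR, "M" = million).
REPORT = [
    RiskEntry(1, "Sabotage of production computers", 20, 5_000_000,
              "Hardware firewall separating industrial and office networks",
              50_000, 0.1, 5_000_000, "active"),
    RiskEntry(2, "Espionage of secret recipes", 40, 2_000_000,
              "Encryption of data at rest for all systems storing recipes",
              200_000, 0.1, 5_000_000, "in preparation"),
    RiskEntry(3, "Loss of company information through fire", 0.5, 10_000_000,
              "Fire extinguishing system", 1_000_000, 0.5, 1_000_000, "to be started"),
]


def report(entries: Iterable[RiskEntry]) -> List[str]:
    """One status line per risk, as a regular risk report would print it."""
    return [
        f"{e.no}: {e.risk[:32]:<32} ROSI={rosi(e):>8.1f} "
        f"efficient={is_efficient(e)} status={e.status}"
        for e in entries
    ]


if __name__ == "__main__":
    print("\n".join(report(REPORT)))
    print("portfolio within 300k EUR:", select_portfolio(REPORT, budget=300_000))
```

With the table's numbers all three controls are efficient (ROSI 1990, 397.5 and 4.5), and a 300k EUR budget selects the firewall and the encryption control while leaving the fire extinguishing system for a later period.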
Week 1 Unit 3: Security Control Types
Security Control Types
Security controls (e.g. dual control principle, security guards, security concept)
▪ Do have different natures
▪ Need to be (well) chosen
Security controls have different natures, and can be seen from different perspectives.
Examples of manual and automated controls:
• Firewalls
• Anti-Virus
• Encryption
• Doors
• Keys
• Fence
• Dual control: segregation of duties
Manual: guards checking identities. Automated: access card system.
Layers of access: access to a building; access to the network; identity in a given system; authorizations in a given system.
Password strength: length, character types, complexity, history. Password handling: no storage allowed, regular change, clear desk policy.
Frameworks: Unified Compliance Framework, ISA 99, HIPAA, PCI-DSS
Control areas:
▪ Security requirements of information systems
▪ Security in supplier relationships
▪ Information security continuity
▪ Information security reviews
▪ Security in development and support processes
▪ Management of information security incidents and improvements
▪ Compliance with legal and contractual requirements
▪ Supplier service delivery
▪ Redundancy
▪ Test data management
Week 1 Unit 4: Security Management Processes: Prevention, Detection, Response
Security Management Processes: Prevention, Detection, Response
The security management process phases
▪ Initial risk analysis
▪ Plan (define requirements)
▪ Do (implement controls)
▪ Check (measure effectiveness)
▪ Act (improve effectiveness)
Risk management cycle (monthly): perform risk rating; investigate controls and vulnerability; adjust security controls; report current risk status.
Incident handling: analyze incident; implement corrective measures; improve controls.
Figure: organizational setup – top management, crisis team, head of department, CISO, ISO, business process, IT, facilities, …
Week 1 Unit 5: Security Awareness
Security Awareness
Perceived security versus real security
With good communication, we can turn employees from the biggest security risk into the best security measure.
Security Awareness
Goal of security awareness
In a company context, we want our employees to take the right security decisions.
Security awareness research shows that people can be divided into four groups, by motivation and competence:
▪ The uninvolved (low motivation, low competence)
▪ The naive (high motivation, low competence)
▪ The fatalist (low motivation, high competence)
▪ The sovereign (high motivation, high competence)
We need to address both motivation and competence:
▪ Motivation is addressed by security awareness.
▪ Competence is addressed by security training.
To document the effect of security awareness and training, monitor / measure the user's behavior on a regular basis: 0. normalization, 1. measurement, 2. measurement.
Week 1 Unit 6: Organizational Requirements
Organizational Requirements
Define your information security goals in a security policy!
Document hierarchy: policy, standards, procedures.
Policy contents:
2. Responsibilities
3. Processes
4. Sanctions
A security policy must be endorsed by executive management.
The (Chief) Information Security Officer is responsible for the well-functioning of the ISMS:
▪ Writes security policy and standards
▪ Implements security risk management processes
▪ May act as first responder in case of imminent danger
• He is NOT responsible for the security of the organization!
The CISO department:
▪ Takes care of security awareness and training programs
▪ Moderates security management meetings
Figure: organizational options – Management Board → CISO → Dept 1, Dept 2, Dept 3; or Management Board → CISO with ISOs for the departments → Dept 1, Dept 2, Dept 3.
Figure: GRC (governance, risk, compliance) around the CISO
▪ Compliance requirements: legal, contractual, management
▪ Risk management: risk reporting; risk treatment according to risk policy
▪ Security awareness and cultural aspects (HR)
▪ Legal: security SLAs; incidents that require prosecution
▪ Compliance: fulfillment of security-relevant legal requirements
Organizational Requirements
Key takeaways
• The partners in your supply chain play an important role in the security of your organization.
• Deliver secure products and services – and mandate those from your suppliers.
Week 1 Unit 7: Legal Conditions for Certifying Security Management Systems
Legal Conditions for Certifying Security Management Systems
What is a certification?
Figure: from practice to certified standards – Green books (practice) → BS 7799 (1993) → ISO/IEC 17799 (2000) → ISO/IEC 27001 (certified) → …
▪ ISO 27019: Information Security Management Guideline for process control systems specific to the energy industry
▪ The European NIS directive (to be implemented in local law in Europe until 2018) has similar requirements.
▪ In the U.S., sector-specific requirements (healthcare, government) require similar / near to ISO 27001 certifications.
▪ SOX companies should implement ISO 27001 as well.
▪ Some organizations demand certifications from their (IT) suppliers (Internet services, IT service providers).
Scope
▪ Business area (organization, process, information system landscape) where the ISMS is enforced.
Protection targets
▪ Security properties of the information used in the scope that the ISMS should ensure.
Statement of Applicability
▪ Set of security controls that are considered necessary to ensure the protection targets in the scope of the ISMS.
Management Review
▪ Results and necessary corrective activities of an internal ISMS pre-audit, accepted and committed by management.
Certification Strategy
Figure: one group-wide ISMS with several Statements of Applicability (SoA) and Management Reviews (MR), exploiting synergies.
Week 1 Unit 8: Key Takeaways
Key Takeaways
Follow a top-down process to identify your information security goals.
Major requirements for an information security program:
▪ Address the risks that come with digital transformation
▪ Be compliant with new legislation (25th of May)
▪ Fulfill the security requirements of your customers / partners
Visualize your risks and your actual risk status. A visualization allows improved decision making.
In general, security risks need to be reduced by controls. Controls need to be chosen by efficiency, e.g. by using the ROSI model.
Frameworks: ISO 27001, COBIT, NIST Cybersecurity Framework, IT Baseline Protection, ISA 99, HIPAA, PCI-DSS, Unified Compliance Framework
Security awareness enables you to turn employees from a major risk to a premium security control. In general, to achieve this, we need to change employees' behavior.
Separating security awareness and security training is a key success factor. Security awareness is suitable to address the motivation of employees to behave with security in mind. Security training is meant to address the decision-making competence of employees.
Figure: the four groups by motivation (low / high) and competence (low / high) – uninvolved, naive, fatalist, sovereign.
The accountability stays with management. Responsibilities for operational activities should be delegated appropriately. The enablement of the CISO role is key to success. There are different options for the organizational setup – it is important to match the company culture.
Figure: Management Board → CISO → Dept 1, Dept 2, Dept 3, each with an ISO.
The IT department plays an important role in information security. It should concentrate on delivering secure and security services. Deliver secure products and services – and mandate those from your suppliers.
Figure: business layer – business process; application servers; network services; infrastructure; buildings.
• To start, determine your risk landscape and deduce initial mitigating controls.
• Be agile: foster people interaction instead of focusing on risk responsibility.
• To engage the organization, define and assign security roles and implement security management processes.
• People need to understand that there is no 100% security – instead, reaction capabilities are key.