Building a Bullet-Proof Cybersecurity Program with SAP Process Control and SAP Risk Management

Cyberattacks, like the May 2017 WannaCry attack, can be devastating, but a breach can easily be prevented with appropriate monitoring and controlling of your critical SAP data.

Read Q&A transcript with EY’s Natalie Reuss to find out how you can use SAP Process Control to manage and evaluate common vulnerability areas. Get answers to questions like:

If you haven’t already, subscribe to SAPinsider Online for free today!

Kendall Hatch: Hi everyone, we’re about to get underway with today’s Live Q&A, Building a Bullet-Proof Cybersecurity Program with SAP Process Control and SAP Risk Management. Thanks to everyone who has already asked questions, and thanks to you all for joining us. We’re excited to get to your questions! To everyone watching live, please enter your questions below.

We’re joined today by Natalie Reuss from EY. Natalie is a speaker at the upcoming SAPinsider GRC conference, Feb. 12-15 in Las Vegas. To learn more about the event or to register, please click here. Thanks for joining us, Natalie!

Natalie Reuss: Hi everyone! Thank you SAPinsider for having me today and thank you to everyone who has joined! I am excited to present this topic in Vegas coming up in February, and happy to answer any questions today.

Comment from Iago Fortes: Which are the most typical cybersecurity controls to be set up in Process Controls?

Natalie Reuss: A typically cybersecurity control framework would follow NIST 800-53; however, from a risk and control framework perspective we have seen a number of different paths taken. From the automated control monitoring standpoint, we typically see detection security monitoring over SAP systems as the most comment types of control (i.e., review of failed logons, changes to standard users, security configuration changes, and debugging access). From the entity side, we usually see controls related to governance or education/awareness and understanding of cybersecurity policies, acknowledge acceptable use, etc. The survey functionality can be used to manage Third-Party Security Risk Management Assessments/Audits. And of course, your entire cybersecurity framework can be setup and maintained in SAP Process Control as your global controls repository (maintain single source of truth, assign control ownership, etc.)

Comment from Guest: SAP Process Control versus SAP Solution Manager (newest one) – is there some overlapping? Because you can monitor/take care of processes, tracking/get reports, etc., in both. A bit confusing, please explain differences. Which one is more powerful?

Natalie Reuss: The difference would be that SAP Process Control helps you track issue management procedures through workflow. So, for example, the SAP monitoring/reports could be automatically delivered to a particular user only when an exception scenario occurs; the user could then send the report to another individual in SAP Process Control to alert them on the remediation action; the progress of that remediation action could be monitored; and of course, the documentation of the resolution and subsequent re-testing could automatically be performed (or monitored through the use of standard reporting).

Comment from Ed: How do you integrate SAP Process Control with SAP Risk Management to quantify cyberattack impacts?

Natalie Reuss: If your cybersecurity control frame exists in PC you can tag drivers, impacts, and key risk indicators to the overall risk of ‘cyberattacks’. From there, you can maintain the preventative (i.e., response catalog in RM) and corrective (i.e., cyber controls/policies in PC) risk responses you have, which can be used to drive analysis through simulation such as a Monte Carlo scenario. This uses the concept of inferential statistical probability to provide a picture of the Total Loss Exposure.

Comment from Renee: What are some easy steps I can take in the short term to improve my SAP cybersecurity program?

Natalie Reuss:

SAP Process Control automated monitoring (continuous controls monitoring) over SAP security/cyber risks is a no-brainer in my opinion. It’s definitely ‘low-hanging fruit’ to significantly minimize the risk exposure. Once you identify key scenarios that you would want to be alerted on if they occur, you would set them up in PC and only be alerted when those specific exception scenarios occur. So, it’s basically exception-based monitoring, which also minimizes impact on the business.

Comment from Andreas: How can we recover after an attack?

Natalie Reuss: Part of identifying risks in your cybersecurity program is also identifying responses. Each potential vulnerability can essentially have a response to either mitigate the risk, transfer the risk, accept it, or avoid it. For those risks that you have to mitigate, make sure you have a fully documented strategy to respond. In recent news, there was a large ride share company that just got into some hot water over essentially hiding the fact that they had a leak over employee data. They could have had a documented cyber response process to be performed, and made every employee sign an acknowledgement once a quarter (for example) to push accountability and education across the company.

Comment from Atul: What are some of the most common vulnerability areas I can cover with PC?

Natalie Reuss: Vulnerabilities can exist across multiple domains; however, PC can help you address common vulnerability areas in the asset management, detectability, and third-party risk management space. For the IT asset example, in SAP Process Control there is a functionality called manual control performance where you can document the steps performed to complete a control. HR/employee supervisors could document each step completed as part of an employee off-boarding checklist, which would include physically obtaining all IT assets. If a step was missed or completed incorrectly (i.e., mobile phone was not obtained), an alert/issue could be sent to IT to immediately wipe the IT asset if necessary. You could test that each control was performed through the year and have to maintain minimal testing information from an audit perspective since the documentation is already in the system.

Comment from Luis Cruz: Is there any chance to automate a cybersecurity control using PC o RM? If yes, can you please mention an example.

Natalie Reuss: SAP Process Control to identify an internal security breach over privileged access or unusual scenarios. You could create an automated rule to identify unusual patterns that could indicate intrusion (i.e., multiple failed logons, times of logons, debug access, changes to specific user IDs, approval of multiple payments to the same vendor, etc.).

Comment from Kendall: Natalie, what are some watch outs for adding a cyber regulation to a PC system that already has SOX regulation?

Natalie Reuss: A couple things to consider when adding another regulation to your existing framework. First, you will want to identify if any of the controls being added apply to both regulations – you only want to add those once and tie to SOX and cybersecurity, for example. Second, there is a limit of the total number of regulations that the system can handle, so you will want to make sure you are not exceeding the limit (I believe the limit is over 40 regulations). Third, if you are utilizing the automated monitoring feature in PC for the existing SOX regulation and plan to also utilize it for the cybersecurity regulation, there is no way to segregate those functions within the scheduler (which is just a training item to make sure that the administrators truly understand what they are scheduling). For those concerned about other security items, it is easy to segregate control owners/process owners/organization owners, etc., between regulations (including what they can view from a control perspective).

Kendall Hatch: That about wraps up our time for today. If you’d like to learn more, Natalie will be presenting a session on this topic at the SAPinsider GRC conference in Las Vegas, Feb. 12-15. Thank you all for your questions today. We’ll be compiling a transcript of this chat and will send out an email when it’s posted.

Natalie, thanks for joining us today!

Natalie Reuss: Thanks Kendall! Happy new year to everyone!