By Vanessa Barber and Hedayatollah Hosseini from SAP SE and Dr. Peter Westphal from EY
At SAP, cybersecurity is paramount. We know that our customers trust us to provide solutions that help them keep business-critical data and systems safe. That’s why we’ve implemented the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF v1.1), achieving alignment with Implementation Tier 3 (“Repeatable”), the tier at which risk management practices are formally approved, expressed as policy and applied consistently across the organization.
“Addressing cybersecurity risks isn't just about having strong defenses, it's about building trust with our customers and partners. By achieving Tier 3 with the NIST CSF implementation, we are not only demonstrating that SAP strategically manages its cybersecurity risk, but that we also prioritize our improvements and make informed investment decisions to address these cybersecurity risks head-on.”
Sebastian Lange, Chief Security Officer, SAP SE.
The NIST CSF is a set of guidelines designed to help organizations manage and mitigate cybersecurity risk. It provides a structured approach to assessing, and committing to continuously improving, an organization’s ability to identify cybersecurity risk and to protect against, detect, respond to and recover from cyberattacks, the five core functions of CSF v1.1.
The journey began in 2021 when, at the direction of SAP’s Chief Security Officer, SAP engaged a third-party audit company to conduct a comprehensive assessment of its security posture against the NIST CSF. We convened our top security experts to lead the effort and began the work of implementing the framework in full. Following this launch, SAP ran activation workshops moderated by security experts to develop a common blueprint for SAP’s cybersecurity organization. This blueprint led to the identification of gaps and priorities, which were discussed and aligned with the lines of business in a series of calibration workshops. All identified gaps were closed by the end of 2023, two months ahead of schedule.
“Our achievement of Tier 3 in the NIST CSF implementation signifies not only our commitment to robust cybersecurity and strategic management of cybersecurity risks, but also our dedication to transparency and trust with our customers and partners.”
Marielle Ehrmann, Chief Security Compliance & Risk Officer, SAP SE.
Because the NIST CSF is built around self-assessment and involves no third-party audit, certification or scoring, SAP developed its own self-assessment methodology jointly with EY, aligned with the principle that an organization manages its own risk. This methodology was reviewed and validated by a global independent audit firm, and the results of the self-assessment were in turn reviewed and validated by a second global independent auditor.
Achieving NIST CSF Tier 3 not only fosters trust in SAP’s products and services but also demonstrates our commitment to keeping customers safe and their processes and data protected. It shows that SAP manages cyber risk proactively and is positioned to help customers strengthen their own cybersecurity measures. To support customers in this effort, SAP plans to share insights gained from its implementation and to release the assessment framework developed jointly with EY for use by other organizations.
Looking forward, SAP aims to incorporate the changes introduced in the recently released NIST CSF v2.0 into its framework and to become a more adaptive cybersecurity organization, one capable of addressing the challenges posed by AI and other emerging technologies and of responding effectively to a continuously evolving threat landscape.
To find out more about our NIST CSF implementation and self-assessment methodology, check our recently published brochure “How SAP is safeguarding its customers: Implementing the NIST Cybersecurity Framework achieving Tier ...