As our world becomes increasingly digital and mobile, the changes give businesses incredible advantages – while also opening new avenues for Cybersecurity threats. Standards and frameworks like ISO27000 or NIST CSF help customers to address Cybersecurity by advising how to establish processes and guidelines to secure information. DIME is the meta-framework for enabling information security compliance in SAP landscapes.
Why Information Security Compliance?
Companies need to comply with a large number of legal requirements, regulations, industry standards, contracts, internal policies and guidelines. Frequently, those obligations define requirements for IT systems and processes to ensure information security.
Pain points organizations face include:
- A comprehensive overview of binding obligations affecting IT and applicable to the entity cannot be displayed.
- It cannot be displayed whether and, if so, how those binding obligations are fulfilled by the organization.
- Organizations often lack capabilities to implement and to monitor compliance with relevant obligations.
(c) SAP
Obligations and contracts contain requirements for IT systems in order to protect and to secure information - Example for Supervisory Requirements for IT: BAIT
German Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht, BaFin), Supervisory Requirements for IT in Financial Institutions (Bankaufsichtliche Anforderungen an die IT, BAIT):
The MaRisk law incorporates risk management requirements of Basel agreements into German law. BAIT concretizes and explains in more detail MaRisk requirements and how organizations shall address information security:
“The organization shall continue to be required to apply generally established standards to the arrangement of the IT systems and the related IT processes […]. These standards include, […] standard ISO/IEC 2700X of the International Organization for Standardization.”
BAIT lists 70+ obligation requirements in the areas of
- IT-Strategy and IT-Governance
- Information risk management
- Information security management
- User access management
- IT-Projects, Application development
- IT-Operations
- Outsourcing and other external procurement of IT services
In order to comprehensively address the requirements resulting from obligations like BAIT, entities need to execute four key steps:
- Determine the current information security compliance posture
- Define the strategic target image for information security compliance
- Build an information security compliance transformation roadmap
- Establish Information Security Compliance Management based on DIME methodology
Before the DIME roll-out phase starts, the organization assesses the first three points by conducting an APoV-based assessment, the so-called Phase Zero or Pre-Transformation activities:
Workshop DIME Methodology: The methodology workshop illustrates the DIME approach and is the forum to elaborate on the pre-transformation activities and the subsequent transformation roadmap.
INITIAL ASSESSMENTS: DIME initial assessments are conducted to determine the current status of the SAP landscape with regard to information security. A dedicated compliance assessment identifies stakeholders and provides information regarding obligations relevant for the organization. Based on the assessment results (technical, organizational and compliance requirements identified), a well-known standard or framework addressing these requirements is selected (e.g. ISO 2700x or NIST CSF), serving as a basis for the DIME implementation. In case one of the named standards is already in place, it can be extended with the DIME-specific aspects for ISCM in SAP landscapes.
TARGET IMAGE: The target image results from the relevant compliance obligations and their requirements for information security, as well as from the selected standard for implementing the controls. The target image describes the to-be information security compliance management capabilities, the abilities to constantly monitor ISCM, together with the desired maturity level of information security compliance management (based on ISACA's CMMI).
Fit/Gap Analysis: The results from the initial assessments, together with the defined target image, provide the input for a fit/gap analysis to identify areas of improvement for managing information security compliance. The Fit/Gap Analysis populates the Compliance Risk Register. Each gap will be recorded as a potential compliance risk. During DIME Compliance Initiatives, compliance risks undergo a detailed risk assessment. Compliance risks will be addressed using SAP's Cybersecurity and Compliance Reference Architectures and Secure Operations Map. The results of the Fit/Gap Analysis also provide an overview of the current situation of information security maturity.
Transformation roadmap: The first milestone of the transformation roadmap addresses the IT-GRC foundation by updating the entity's information security strategy & objectives and organizational roles & responsibilities, together with introducing technical capabilities required to operate the DIME cycle. During the first DIME Cycle, the Compliance Initiative to be implemented addresses the information security compliance gaps with the highest risks. Subsequent cycles close remaining gaps, enhance existing capabilities and address new risks and requirements identified.
Addressing ISCM based on the DIME Meta Framework:
DIME (Define, Implement, Monitor, Evaluate) is a meta framework defining a 360° cycle for managing information security compliance (ISCM). DIME also defines the required building blocks to operate ISCM.
DIME can be implemented based on well-known standards and norms like ISO2700x / BSI Grundschutz, COBIT Focus Area Information Security, NIST Cybersecurity Framework or ISF Standard of Good Practice. DIME does not require implementing the full range of a standard; it focuses on the ISCM-relevant aspects. It defines reference and integration points between those norms and SAP-specific models for managing ISCM in SAP landscapes, like SAP's Cybersecurity and Compliance Reference Architectures as well as SAP's Secure Operations Map.
The DIME Cycle comprises four phases, based on the DIME foundation:
FOUNDATION: Assess the as-is situation, develop the target image and the to-be maturity level to form the transition roadmap for IS compliance management. Enroll the ISCM profile by updating the entity's information security strategy & objectives and organizational roles & responsibilities. Establish required capabilities to operate the DIME Cycle.
DEFINE: Specify Compliance Initiatives (CIs) by identifying and documenting compliance obligations to be addressed. Perform CI risk assessment and develop business case. Translate the CI obligations into requirements. Define / update objectives for information security compliance monitoring.
IMPLEMENT: Define a matrix of requirements with required controls and measures to cover the CI obligations. Design / update the Compliance Initiative controls and measures, based on risk assessment results. Enhance the SAP landscape by implementing missing information security capabilities. Deploy the Compliance Initiative controls.
MONITOR: Gather and aggregate data for metrics and KPIs. Establish a dashboard for information security monitoring scorecards (metrics and KPIs). Review and analyze data for further evaluation, as well as for taking corrective and preventive action.
EVALUATE: Benchmark internally against maturity levels or externally against peers. Develop a roadmap to increase maturity levels. Work out recommendations to further reduce compliance risk.
Conclusion
The DIME methodology enables entities to address their information security compliance obligations in a structured way, based on well-known standards. The dedicated focus on SAP landscapes with the integration of SAP Reference Architectures, SAP's Secure Operations Map and SAP Consulting Cybersecurity Services etc. provides the optimal set of capabilities to enable a 360° management system for information security compliance.
What is your biggest challenge related to Information Security Compliance?
Oliver Derksen
M. A. Risk & Compliance Management, CISA | Principal Technology Consultant