Reading sample
2.1 What is a cybersecurity framework?
A cybersecurity framework is a structured and detailed list of requirements that define how information technology systems, software, and networks should be managed.
The first cybersecurity framework acknowledged federally in the U.S. was developed by the National Institute of Standards and Technology (NIST). NIST started cybersecurity framework research in 2013 (see History and Creation of the Framework – https://www.nist.gov/cyberframework/online-learning/history-and-creation-framework), after the President of the United States issued Executive Order 13636, requiring the creation of a set of standards and processes for identifying and managing cyber risk. The first iteration of a cybersecurity framework from NIST was released in February 2014. Prior to this, there were multiple guidelines from different organizations and companies that attempted to codify risk, automate the management and detection of risks, and prevent data loss. The creation of this framework pulled all the different guidelines together into a single point of reference. This gave security practitioners a tool-agnostic toolset for educating about and managing risk.
In this book, we cover the most widely used current and emerging cybersecurity frameworks in the U.S. We provide an overview of:
- CIS Critical Security Controls (https://www.cisecurity.org/controls) defined by The Center for Internet Security (CIS)
- NIST Security and Privacy Controls for Information Systems and Organizations (https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final), Special Publication 800-53 Rev. 5 (NIST SP 800-53 Rev. 5)
- Cybersecurity Maturity Model Certification (CMMC) (https://dodcio.defense.gov/cmmc/)
We do a deep dive into NIST SP 800-53 Rev. 5 and CMMC. We have chosen these two frameworks because NIST SP 800-53 is the global industry standard for the majority of risk management tools. The new CMMC framework’s requirements on supply chain security are based heavily on the NIST SP 800-53 foundation. We dive into CMMC to help security practitioners prepare for this new requirement moving forward.
CMMC is driven by a requirement to secure the U.S. Department of Defense (U.S. DoD) supply chain against cyber risk. This requirement is not just for direct U.S. DoD contractors and suppliers; it will also impact the suppliers of those contractors and suppliers, and other U.S. government agencies that supply or contribute to U.S. DoD. If your customer is a supplier for the U.S. government in any way, your company will be asked for its state of cyber hygiene according to the CMMC requirements. This requirement is similar to a direct customer or supplier of your company wanting to know that your cloud provider holds a current, clean audit on its System and Organization Controls (SOC 1, SOC 2, SOC 3) reports.
System and Organization Controls reports evaluate the audit controls of a cloud provider or other service organization. The reports have different levels of complexity.
The Statement on Standards for Attestation Engagements number 16 (SSAE 16) is an audit control report that is used to create the SOC 1 report.
- SOC 1 (also known as SSAE 16): a report on internal controls over financial reporting
- SOC 2: an audit report of an organization’s information systems relevant to security, availability, processing integrity, confidentiality, or privacy
- SOC 3: an audit report similar to a SOC 2 but that does not include the testing performed and is used for marketing purposes