Guiding Auditors in an SAP Environment

Enterprise resource planning (ERP) systems automate and integrate the majority of a company’s business processes, producing consistency. They do this by sharing common data and practices across an organization, leveraging one-time data entry, and providing access to information in real time. To help in this working environment, ISACA recently released a go-to reference book that auditors can dog-ear, flag with sticky notes, and return to year after year.

Since the 1990s, businesses have been managing their operations with ERPs, which have enabled centralized control over operations by implementing a common data model and integrated business processes. SAP has been a leader in ERP systems from the beginning and uses a process-driven approach to match business processes with application processes.

SAP’s core product is SAP ERP (also called ERP Central Component [ECC] 6.0). SAP ERP is configurable and integrated across modules. This creates a system that is flexible but also complex. Because of the complexity and variability of configuration across industries, many companies are starting to use automated tools to assist in tracking and monitoring compliance. Systems such as SAP Governance, Risk, and Compliance (GRC) are common in large organizations to monitor and manage ongoing compliance. Information technology auditors are also finding that it takes an SAP-specific skillset to audit these systems. This knowledge is required to understand the risks and the controls that mitigate those risks.

The ISACA Security, Audit and Controls Features of SAP ERP 4th Edition brings together detailed information related to SAP ERP-specific risks, controls, and testing procedures. The handbook is separated into modules that cover the risk and controls, followed by testing procedures for both configuration and security. The book was designed as a long-term reference guide for auditors working in an SAP environment—a handbook written by auditors for auditors.

The 4th Edition provides an update of previous sections and adds sections for Finance, Controlling, Human Resources, and Security with a focus on SAP ECC 6.0. The handbook walks through each of these new sections in detail with the same methodology used to cover the other areas (risk, mitigating controls, and testing procedures). In addition, this latest version also comes with downloadable audit plans that are COBIT 5 compliant. It is nearly a completely new book!

The 4th edition was a great opportunity for Deloitte Advisory and ISACA to work jointly to rewrite and build upon a great foundation, producing a new edition that refreshes and expands the scope of the original book.

Ben Fitts
Deloitte Advisory

As used in this document, “Deloitte” means Deloitte & Touche LLP, a subsidiary of Deloitte LLP.
Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.

[ISACA]

Using Cybersecurity Economics to Gain the Upper-hand Against Attackers

Favoring a more integrated approach to cybersecurity, businesses are taking a hard look at ways to improve security by increasing spend, developing talent and managing policies. But the price tag associated with these changes raises the question: How much does one need to spend in order to gain footing against attackers?

In a recent column for SecurityWeek, Scott Gainey discusses this question, as well as an initial report released by the World Economic Forum which attempts to develop a common framework qualifying the risk and impact associated with cyberattacks. Read Scott’s full article here.

[Palo Alto Networks Blog]

Security Talent Management: Leveraging the “Cool”

When governments routinely address cybersecurity as part of their policy, you know that the topic is of national interest. When vulnerabilities are found in—and researchers demonstrate attacks against—computer systems in medical devices, automobiles and airplanes, you know that the significance extends even farther.

While that kind of recognition is important for the profession as a whole and is certainly impactful, there’s another area in which cybersecurity is gaining interest that is arguably more impactful to most practitioners on a day-to-day basis: increase in cultural interest.

TV shows (e.g., CSI: Cyber, Mr. Robot) and movies (e.g., Blackhat) that popularize the topic serve to guide younger professionals toward the discipline. You know that the cultural awareness has been firmly established when a movie like The Duff (a lighthearted teenage comedy) both features a hacker as a main character and incorporates security as a significant plot point.

When it comes to talent retention and acquisition for those in (or running) a security organization, understanding that this phenomenon exists – and knowing how to get it working in your favor – can be part of a security manager’s broader plans.

Leveraging cultural interest

Junior roles in any organization are the hardest to fill. Why? Because leaders tend to have more experience than the candidates they seek to hire; as a consequence, the folks in their virtual “rolodex” are those that they’ve worked with or collaborated with in the past – i.e., those with (most likely) a similar amount of work experience to their own.

Moreover, the folks moving into those junior roles are those more likely to be newer to the workforce. A recent study from the Brookings Institution found that 64% of millennials (those born between 1980 and 2000) would prefer to make US $40,000 at a job they love (i.e., one they find interesting and engaging) vs. US $100,000 at a boring job. In other words, the work they value most is that which is most interesting. An increase in cultural interest on the topic of security means a corresponding uptick in the ability of security managers to find the best and brightest for their teams. That said, it’s up to those same managers to retain them once they’re there.

This is where job rotation and cross-training within the organization can play a very beneficial role. Because, let’s face it, there are some jobs that are less interesting than others but still need to get done. Understanding that fulfillment and interest tie directly to employee satisfaction (and thereby attrition rate), periodically “refreshing” staff (sharing the load for those less interesting tasks) helps keep those folks from getting bored (and antsy to look outside the organization for more fulfilling work). Additionally, rotation of duties can help deepen internal understanding of the organization, cross-pollinate valuable skills and build a depth of experience for future leaders.

There’s a cultural phenomenon at work; at least for the moment, security has the interest of the media. The impact of this in the short term could mean an upcoming reduction in the pain we all feel as a result of the much-discussed security skills gap (an issue ISACA’s Cybersecurity Nexus [CSX] aims to address)—but for those thinking longer term, planning now for a way to hone, develop and retain those folks once they’re through the doors is time well spent.

Ed Moyle
Director of Emerging Business and Technology at ISACA

[ISACA]

Test Drive Our Next-generation Firewall for Amazon Web Services

Want to see for yourself how well our VM-Series firewall works with Amazon Web Services? You can. Head here to access a guided tour of Palo Alto Networks VM-Series using hands-on lab exercises in AWS.

The Test Drive lasts about one hour and allows you to build policies, troubleshoot, execute a simulated attack that is then blocked, and perform forensics. Following your Test Drive, you can view licensing options for the VM-Series to determine the best fit for your needs.

Securing your AWS public cloud is crucial, but you also need to do so without compromising business productivity. Our recently released PAN-OS 7.0 includes the ability to select and purchase pre-defined VM-Series firewall bundles for AWS using hourly or annual subscriptions. Learn more about VM-Series for AWS here.

[Palo Alto Networks Blog]

Here’s What the Convergence of Corporate IT and Operational Technology Means for Cybersecurity

For many years, a topic of conversation in the utilities space has been that the traditional corporate IT and operational technology (OT) worlds are converging.

In the IT world, it’s the hardware, software, network resources and other devices used for back-end functions that perform various business operations, such as sales, development, maintaining customer information, billing, and revenue collection. Predominantly, these devices are located in offices, server rooms and data centers. In the OT world, there are field-based devices that are used to perform actual operations. These OT systems are usually proprietary technologies, which are vendor-specific. They operate in a real-time or near to real-time environment.

So, the convergence of the IT and OT worlds is about integrating operational technologies, such as SCADA, remote terminal units, sensors, meters and smart meters. These technologies are working in real time or near to real time with IT systems to ultimately promote a single view of an organization’s information and process management to help ensure that every user, application, sensor, switch or other device has the right information, in the right format, at the right time.

With these operational benefits in mind, we now need to think about the cybersecurity threats that the converged IT and OT worlds create for utilities. Unlike systems in the IT world, which can be (and sometimes are) updated with service packs, new releases and bug fixes, systems in the OT world are rarely, if ever, updated. It is very common, if not the norm, for these systems to be running the same software they were initially set up with, which, in many cases, can be 10 or more years old.

Furthermore, these devices have very little security capability because they were installed at a time when an “air gap,” or physical separation from systems in the IT world, was enough for them to be considered “secure.” Traditional firewalls were used to create the silos between the two worlds. Whilst still in use today, they alone are not enough. Because security lags in the OT world, it will usually be a softer target than the IT world, and so compensating measures, such as physical perimeter and cyber perimeter protections, will always be more important for OT than for IT.

In the IT world, the number of applications, devices and services now in use creates a larger attack surface, and therefore a bigger target, if it is left unprotected or if the focus is placed only on preventing new or unknown attacks. If basic hygiene (patching operating systems and applications) is not maintained on these systems, a compromise becomes far more likely. Take a look at US-CERT’s recently released alert regarding the 30 most prevalent vulnerabilities used in targeted attacks during 2014. The startling fact is that vulnerabilities from 2012 and earlier comprise more than half of the list.

Moreover, once a host is compromised, it would allow for an attack to “cross over” to the OT world.  One recent example is a targeted attack against a German steel mill where the blast furnace suffered “massive” damage [1]. Attackers were able to compromise the steel mill’s IT network and, from there, reach into the OT network.

So what are the fundamentals needed to secure this environment?

We need to gain visibility into what is traversing our systems in order to understand the risks. Whilst many people may see this as an arduous process, the capability exists in most advanced network appliances, which can provide deeper visibility with no disruption to daily operations in either the IT or OT worlds. Once that is done, a process can begin to segment the OT systems into security zones based on risk profiles and security requirements, controlling which users access the systems and which applications they use. This allows a “least privileged” access model, in which only explicitly authorized protocols, applications and users are allowed.

Network segmentation is an effective method to reduce the scope of attack and reduce risk, but only if it is deployed correctly with prevention in mind. Merely turning a device on and logging does not give you the control needed. Protecting data with tighter segmentation, based on application whitelisting, a user access control model based on least privileged access, and systematically inspecting all payloads, including those of authorized applications, will reduce risk significantly, enabling security teams and advanced security tools to operate at their best.
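As an added illustration of the zone-based, least-privilege model described above (example code written for this page, not Palo Alto Networks or any vendor’s product), the following Python policy check assigns addresses to hypothetical IT, jump-host and OT control zones, keeps an explicit allow list keyed on source zone, destination zone, application and user, and denies everything else. The zones, addresses, user names, application labels and flow records are all constructed for the example. The `enforce` flag shows the difference the paragraph draws between a device that merely logs and one that actually blocks: in monitor-only mode an unauthorized flow is reported but not stopped.

```python
"""Zone-based least-privilege policy check for IT/OT traffic.

Added example, not vendor code. Zones, addresses, users, application
labels and flows are hypothetical and constructed inline.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Security zones. Any address outside every zone is "unknown" and can
# never match an allow rule, so unexpected sources are denied by default.
ZONES = {
    "corp_it": [ip_network("10.10.0.0/16")],         # office/business systems
    "ot_jump": [ip_network("10.20.0.0/24")],         # hardened jump hosts
    "ot_control": [ip_network("192.168.100.0/24")],  # PLCs, RTUs, HMIs
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    app: str                        # application identified by inspection, not by port
    users: frozenset = frozenset()  # empty set = any authenticated user


# Explicit allow list. Note there is no rule from corp_it straight to
# ot_control: engineers must traverse the jump zone, so a compromised IT
# host has no direct path to control devices.
RULES = (
    Rule("corp_it", "ot_jump", "ssh", frozenset({"ot-engineer", "ot-admin"})),
    Rule("ot_jump", "ot_control", "ssh", frozenset({"ot-engineer", "ot-admin"})),
    Rule("ot_jump", "ot_control", "modbus", frozenset({"ot-engineer"})),
    Rule("ot_control", "ot_jump", "syslog"),  # any device may ship logs outward
)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    app: str
    user: str = ""  # empty for unauthenticated device-to-device traffic


def zone_of(ip: str) -> str:
    """Map an address to its zone name, or 'unknown' if it is in none."""
    addr = ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "unknown"


def matching_rule(flow: Flow):
    """Return the first allow rule that covers this flow, else None."""
    src, dst = zone_of(flow.src), zone_of(flow.dst)
    for rule in RULES:
        zones_ok = (rule.src_zone, rule.dst_zone, rule.app) == (src, dst, flow.app)
        user_ok = not rule.users or flow.user in rule.users
        if zones_ok and user_ok:
            return rule
    return None


def evaluate(flow: Flow, enforce: bool = True) -> str:
    """Return 'allow', 'deny', or 'log' when the device only monitors."""
    if matching_rule(flow) is not None:
        return "allow"
    return "deny" if enforce else "log"


# Constructed sample flows (application already identified by inspection).
SAMPLE_FLOWS = [
    Flow("10.10.4.7", "10.20.0.5", "ssh", "ot-engineer"),            # IT -> jump
    Flow("10.20.0.5", "192.168.100.10", "modbus", "ot-engineer"),     # jump -> PLC
    Flow("10.10.4.7", "192.168.100.10", "modbus", "ot-engineer"),     # IT -> PLC direct
    Flow("10.20.0.5", "192.168.100.10", "modbus", "sales-user"),      # wrong user
    Flow("10.20.0.5", "192.168.100.10", "http", "ot-engineer"),       # app not allowed
    Flow("192.168.100.10", "10.20.0.9", "syslog"),                    # PLC -> collector
    Flow("172.16.0.1", "192.168.100.10", "modbus", "ot-engineer"),    # unknown source
]


def audit(flows, enforce: bool = True) -> dict:
    """Count verdicts over a batch of flows; useful for a monitor-mode rollout."""
    counts = {"allow": 0, "deny": 0, "log": 0}
    for flow in flows:
        counts[evaluate(flow, enforce)] += 1
    return counts


if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{zone_of(f.src):>10} -> {zone_of(f.dst):<10} {f.app:<7} "
              f"{f.user or '-':<12} {evaluate(f)}")
    print("enforcing:", audit(SAMPLE_FLOWS, enforce=True))
    print("monitor-only:", audit(SAMPLE_FLOWS, enforce=False))
```

Running the block prints each constructed flow with its verdict and then the two rollups: in enforcing mode the five unauthorized flows (direct IT to OT, wrong user, unlisted application, unknown source) are denied, whereas in monitor-only mode the same flows are merely logged and would reach the control network. The cross-over path from the steel mill case maps onto the third flow: without the jump-zone rule structure, an attacker on a compromised IT host would need only a valid user to reach a PLC.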

Additional security best practices that should complement the convergence include organizational processes: the establishment of ongoing risk management procedures, routine self-assessments, and periodic security audits and reviews, carried out by teams skilled in a streamlined approach that focuses on least privilege and on inspecting for and preventing attacks that cross between the two worlds.

Cybersecurity needs to be an integral part of the conversation about IT and OT convergence. For all of the operational benefits convergence brings, it also carries significant risk. Proactive cybersecurity as part of that convergence is the most effective way to mitigate that risk. If treated as an afterthought, the chances of success are much lower.

[1] http://www.wired.com/2015/01/german-steel-mill-hack-destruction/

[Palo Alto Networks Blog]
