The Global IT Security & Risk Office is very proud to announce that we have won an award for Security Management in 2012.
The IT Security Awards were provided on October 16th, 2012 at the IT Security Conference IT-SA in Nuremberg. Ralph Salomon & Maximilian Adrian, SAP AG, as well as their colleagues Claudia Scholl und Juri Frommer obtained on-site the award for the development and implementation of an IT Security Management Strategy 2015.
A very experienced Jury of ten experts selected the best projects and activities in the categories Management Security, Web/Internet Security and product innovation of the year. Now the winners of the IT Security Awards 2012 are nominated.
Winner of the category Management Security
The Global IT Security & Risk Office (SAP AG) obtained an award in the category Management Security for developing an IT Security Management Strategy 2015. The internal Information Security Management System as well as the Risk Management System was completely revised and standardized for this IT Security Management Strategy 2015. The ISO standards 9001 - Quality Management, 27001 - Security Management & 22301 - Business Continuity as well as ISF best practice approaches were considered.
This new approach was taken to simplify processes and to increase efficiency in IT Security Management, Risk Management, Internal Control System, Reporting and in the related IT Operation Processes by using SAP internal tools (GRC 10.0).
Short description of the project
- Development of an IT Security Management Strategy 2015 including complete revision and standardization of the internal Information Security Management System as well as the IT Risk Management Methodology
- The ISO Standards 9001 Quality Management, 27001 Security Management & 22301 Business Continuity were consolidated and taken into account
- This IT Security Management Strategy is based on the ISACA model as well as on the Standard of Good Practice (ISF - Information Security Forum)
- The Security Management System has be confirmed with 3 certificates by an accredited institution
Thanks a lot to the whole IT SRO Team and the very good collaboration with all the stakeholders and contributors of the Internal Control System as well as for the hard work within this project and during the external audit!!!
Getting this award would not have been possible without having so experienced and good team members as we have them within Global IT and especially the IT SRO department...
The Project vision
Point of departure
- Fragmented solutions for IT Quality Management, IT Security Management and IT Risk Management already existed in the past. This lead to duplication of work in the operational units as well as to a time-consuming reporting.
- The goal is to revise the current Management and Control System. A fully integrated approach covering the Quality, Information Security & Business Continuity Management requirements is to be developed based on the Standard of Good Practice (ISF).
- This new approach is to simplify processes and to increase efficiency in IT Security Management, Risk Management, Control System, Reporting and related IT Operation Processes by using internal tools (GRC 10.0).
The way how it worked...
- Mapping of different ISO requirements to existing assets, resultant risks and implemented control systems for SAP Global IT.
- This was followed by a complete revision of the Information Security Management System and adaption to the new guidelines of the ISO Standards.
- The SAP Risk Management System has been converted into version GRC 10.0. Other tools as for example the ISF Business Impact Analysis Tools have been deployed.
- All employees and process owner of the Information Security Management System within Global IT have been informed about the changes in the Internal Control System and Risk Management.
- The training was provided through recorded and individual, on-site sessions.
Timeframe & Milestones
- RACI mapping to the „Standard of Good Practice“ (ISF)
- Summary of the requirements arising from the ISO Standards (9001, 27001, 22301)
- Creation of a Risk-Control-Matrix
- Adjustment of the Information Security Management Systems
- Adaption of the related IT Standards & Processes
- Risk Management: GRC 10.0 Upgrade Project
8 months of hard work went into the complete revision of the Information Security Management System including the Internal Control System...