NO MONKEY Security Matrix

The NO MONKEY Security Matrix combines the National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF), and our own IPAC model (Integration, Platform, Access, Customization). We put these two models together to create a holistic governance model for application security in SAP.

Since the inception of the NIST CSF, security specialists refer to this framework as a guide for general cybersecurity. Our IPAC Model, on the other hand, was created by us to help focus the NIST CSF into SAP-specific security topics.

The NIST Cybersecurity Framework

The NIST CSF provides guidance on how organizations can assess and improve their ability to prevent, detect, and respond to cyber-attacks. The main focus is prioritizing and managing cybersecurity risk. It has five main functions, with 23 categories to narrow down on specific cybersecurity topics. The functions, which are shown in our matrix and presented on the NIST website, are the following:

  • Identify

    Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.

  • Protect

    Develop and implement appropriate safeguards to ensure delivery of critical services.

  • Detect

    Develop and implement appropriate activities to identify the occurrence of a cybersecurity event.

  • Respond

    Develop and implement appropriate activities to take action regarding a detected cybersecurity incident.

  • Recover

    Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident.

The functions provide an overview of what each course and training will be about. We reference the categories to help define the learning goals in each lesson. This helps focus the learning goals, so each person can learn what is important to them without having to go through long courses with information they already know.

To learn more about the NIST CSF, you can read about it here.

The IPAC Model

Since the NIST CFS is not specifically designed for SAP, we have come up with these four different security areas to focus the security topics to an SAP application. The areas are;

  • Integration

    Focus of different integration scenarios within SAP systems themselves, as well as third-party tools integrating with an SAP environment.

  • Platform

    Consideration of the vulnerabilities, hardening, and configuration of the SAP software.

  • Access

    Consideration of access control and user authorizations measures and methodologies of SAP software.

  • Customization

    Consideration of the customization of SAP software - including change management, custom code, business customizing, legacy interfaces, and add-ons.

Applying the Matrix

The matrix is the basis for our courses and our classroom trainings. All of our lessons fall within one of the cross-sections. Not only is it is easier for you to know exactly what each course is going to cover, but it allows you to decide what courses fit your lesson plan without having to read long descriptions.

We also use this to show what areas within your company are the strongest and what could use more attention. Interested in seeing how? Contact us, and we can show you how to apply the matrix to your company!