
Secure mySAP ERP and Enforce Accountability for SOX Compliance with Biometrics



Presentation Transcript


  1. Secure mySAP ERP and Enforce Accountability for SOX Compliance with Biometrics – Cyndi Wolf, Polk County Public Schools; Thomas Neudenberger, realtime North America Inc. Email: cyndi.wolf@polk-fl.net or thomas@realtimenorthamerica.com

  2. Learning Points
  • SAP security and ALL compliance efforts (SoD) are based solely on password-protected USER profiles
  • Passwords are not secure; they offer very limited protection and no accountability at all
  • Damages include severe financial losses, espionage, bad press, image loss, lawsuits, compliance violations, etc.
  • Experts agree… biometrics is the most promising solution approach

  3. Expert Statements – SAP Movie: http://realtimenorthamerica.com/download/Expert_statements.wmv

  4. 5 Facts about IT Security
  1. Data theft and espionage is a rapidly growing crime*
  2. Intruders target user profiles with extended authorizations
  3. Profiles are protected with passwords that offer very limited protection
  4. Long-term damages include financial damages, image loss, declining stock, lawsuits and compliance violations
  5. Without biometrics, deterrence, prevention and conviction are impossible
  *$400 million in damages in the DuPont espionage case

  5. Statistics: Threat in numbers…
  • Intellectual property theft costs U.S. companies between $200 billion and $250 billion a year in sales
  • U.S. fraud costs were $52.6 billion in 2005
  (Sources: Counterfeit Facts, page 44, CSO Magazine, January 2006; ID Theft article, page 70, SC Magazine, January 2006, referring to a Better Business Bureau survey)
  • 92% of corporations and government agencies detected computer security breaches in the last 12 months
  • 82% of all passwords are written down (SAP-Info Online)
  • 40% say they share passwords frequently (Source: Rainbow)
  • 95% result in significant financial losses (Source: Gartner)

  6. Recent News about Hackers
  • Hackers shift focus from ‘causing damage’ to ‘stealing data’
  • 2003: $168,000 (average loss from theft per company)
  • 2004: $355,000 (average loss from theft per company)
  • 2005: ?
  • One of the largest (reported) computer crimes: Scott Levine of Snipermail.com stole over 8.2 gigabytes of data from Acxiom Corp (Apr. 02 – Aug. 03) BY DECRYPTING PASSWORDS TO GAIN ACCESS!!!

  7. Customer Pain Points
  • SAP Logon: Unauthorized users use or share SAP user IDs, even at different locations at the same time
  • HR: Protecting and securing HR information, including health insurance info, salaries and social security numbers
  • Finance: Prevent tampering with payment release, salaries, wire transfers, requesting or changing budgets
  • Balance Sheets: Access to critical company information
  • Research Data: Research data is stolen or changed
  • Purchasing: Unauthorized users purchase unauthorized items
  • Workflow Approval: People use supervisors’ passwords
  • Fast User Switching: Users are supposed to log in and out for minimal tasks but never do (bank, hospital, warehouse etc.)
  • Remembering multiple passwords that could require up to 15 characters
  • True Identity Management / Compliance (Sarbanes-Oxley, Section 404, Internal Controls)

  8. The 3 Ways to Protect -- I
  There are 3 ways to protect physical or data access:
  1. What you know…
  2. What you have…
  3. Who you are…

  9. The 3 Ways to Protect -- II
  • What you have… Smart Cards / Tokens / Keys
  • What you know… Passwords / PIN / Codes
  • Who you are… Biometrics – Fingerprint etc.

  10. The 3 Ways to Protect -- III
  • Passwords are historically accepted as an attempt to protect computer systems… They offer limited protection and no identity management at all!!!
  • Smart cards and tokens can still be lost, stolen or passed on – and the user cannot be identified or held responsible…
  • Lawyers love these 2 ways and call it SODDI (“some other dude did it”)
  • Biometrics is the only true protection, since the user will be UNIQUELY identified!!!

  11. 20 Ways to get anybody's Password:
  • Look in drawers or on the “yellow sticky note”
  • Look over shoulders of co-workers (shoulder surfing)
  • Ask colleagues – 40% admit to sharing passwords
  • Get emergency password (at security guard)
  • Call hotline to get password reset for any user
  • Check unencrypted .ini files
  • Try SAP default password for SAP* - 06071992
  • Key catcher, password cracker – now called “recovery tools”
  • Monitoring / sniffers (transfer from GUI not encrypted)
  • Or simply associate with the owner (pet, family, hometown)
  Download the “Fishing for Passwords” document at www.bioLock.us

  12. Verification versus Identification
  Old verification: SAP user / password (smart card or logon)
  Advanced identification (biometrics):
  • Searches a database of hundreds or thousands of biometric templates
  • Uniquely identifies Thomas and launches Thomas’s system
  • Might identify Thomas and still reject him based on authorization
  • Thomas’s tasks or attempts will be logged in an auditing log file

  13. Independent Additional Protection (diagram: bioLock in front of Finance, IT and HR)

  14. Protect selected – NOT all – Users
  Until now you had to worry about protecting access for ALL SAP users…
  • bioLock will protect individual functions in the system
  • You only need to protect the users that have access to those functions
  • ALL OTHERS will not be able to access them anyway – even with SAP_ALL
  • Functions can be protected either globally or on an individual basis
  • You only have to worry about a few hundred users
  (Diagram: the large group of users with no need to protect versus the small group of protected users)

  15. Security Level - Overview
  • Level I: SAP system
  • Level II: Transactions
  • Level III: Any field
  Protect the king – not the castle!* (*quote from the RSA 2007 keynote speech with Bill Gates)

  16. bioLock “sits” on top of SAP Security
  • Additional bioLock security on top of the existing SAP security
  • bioLock will not “touch” or change your existing security roles or profiles!

  17. Why should any company invest in biometrics?
  • Prevent critical lawsuits, image loss and bad press
  • Protect themselves from monetary damages and espionage
  • Comply with mandatory regulations such as:
    • HIPAA
    • The California Act
    • Data Protection Act
    • FDA (Part 11 – Electronic Records)
    • Sarbanes-Oxley Act – Section 404
  Biometric technology will prevent most attacks, log uniquely identified users and their activities, and ‘scare off’ potential attackers!!!

  18. Sarbanes-Oxley – Overview
  • In 2001/2002 some of the largest US companies went bankrupt – like Enron or WorldCom
  • Their management had hidden and changed financial data and betrayed investors
  • In 2002 the Sarbanes-Oxley Act was made law to establish better controlling and accounting transparency
  • The strongest focus is on Internal Controls
  • An average US company spends $1 million for every $1 billion of revenue every year on SOX compliance
  • Compliance tools are used for SoD, but without biometrics “TRUE” SoD can’t be accomplished!

  19. Prevent jail time for your management
  • Certifying SOX statements under Section 906: fines up to $1 million + 10 years in jail
  • WILLFULLY certifying the same statements: fines up to $5 million + 20 years in jail
  • The Enron CEO was facing 45 years in the corporate trial and 120 years in the personal trials
  • Fact is: no management has any control over which internal or external person could change any statements or data
  • Biometrics will only allow authorized users to make changes, but more importantly, will uniquely identify them and their activities

  20. Don’t Let this happen to your management

  21. Introduction: Polk County Public Schools
  • The eighth-largest school district in Florida and among the largest 40 nationally
  • Nearly 93,000 students at almost 160 school sites
  • Largest employer in Polk County with more than 11,500 employees, half of whom are teachers
  • Bartow High’s International Baccalaureate School was ranked by Newsweek magazine in 2006 as #169 of the nation's top 1,000 public high schools
  Abdu Taguri, CIO

  22. The Security Challenge: Polk County Public Schools
  • User IDs and passwords are written down and posted on or near workstations at an alarming rate
  • SAP is used for most of the district’s business processes: HR, Payroll, Finance, Asset Management, Purchasing, Warehousing, Work Orders, Project Systems
  • Security is role-based and assigned via position on the org chart; user IDs are maintained on HR Infotype 0105
  • Concern for “accountability” of the principal as the CEO of the individual school
  • “Delegation” of responsibility to the school secretary via user ID and password sharing
  • “True Story”
  True story explained: At the school district, a lady in the finance department paid most of her personal bills from the school district’s accounts. She would create fake invoices from non-existent vendors over the exact amounts and then pay her personal bills with school funds. Her setup was so perfect that she got away with it for a long time. Unfortunately for her, “as a joke” one of her personal vendors called the school district and asked about a job opening. When asked for a reason, he answered that he was looking for an employer that would pay his personal bills. It was fortunate for the school that this person tried to make a joke and ended up stopping a large-scale financial fraud. This story was presented by Cyndi Wolf, Director of Systems Integration, who was in the school’s finance department when it happened.

  23. Biometric Approach: Polk County Public Schools
  • Logon to the principal’s SAP user ID is protected to prevent:
    • unauthorized access
    • well-intentioned “delegation”
  • Transactions protected:
    • Requisition release
    • Payroll (time entry) approval
  • Biometric segregation of duty
  • Electronic signature in workflow (future)
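The pieces described on slides 12 and 14–16 (1:1 verification versus 1:N identification against a template database, protecting selected functions globally or per user, a layer that leaves the existing SAP authorization untouched, and an audit log of every attempt), together with the biometric segregation of duty on slide 23 and slide 18's point that "true" SoD needs a uniquely identified person, as one added worked example. This is example code written for this page, not bioLock's or SAP's software: the templates are constructed 64-bit codes compared by Hamming distance (a simplification, not how fingerprint matchers work), the user names, transaction codes (REQ_CREATE, REQ_RELEASE), document id and threshold are made up, and the SAP authorization check is stood in for by a plain lookup table.

```python
# Added example for this page (not bioLock's or SAP's code): a toy biometric
# gate in front of selected SAP transactions, with 1:1 verification, 1:N
# identification, an audit log and an identity-based SoD check.
# Assumptions: templates are constructed 64-bit codes compared by Hamming
# distance (iris-code style, not how fingerprint matchers work); user names,
# transaction codes and the threshold are made up; the SAP authorization
# check is modelled as a plain lookup table.
from dataclasses import dataclass, field
from typing import Optional

MAX_DIFFERING_BITS = 10  # accept a sample if at most this many bits differ (constructed)


def hamming(a: int, b: int) -> int:
    """Number of bit positions in which two codes differ."""
    return bin(a ^ b).count("1")


@dataclass
class BiometricGate:
    templates: dict          # user id -> enrolled template (int)
    sap_auth: dict           # user id -> set of transactions SAP itself allows
    protected: dict          # transaction -> set of users it is protected for, or None = global
    sod_conflicts: set = field(default_factory=set)  # {(create_tcode, approve_tcode), ...}
    audit: list = field(default_factory=list)        # one dict per attempt

    def verify(self, claimed_user: str, sample: int) -> bool:
        """1:1 verification: compare the sample only with the claimed user's template."""
        tmpl = self.templates.get(claimed_user)
        return tmpl is not None and hamming(tmpl, sample) <= MAX_DIFFERING_BITS

    def identify(self, sample: int) -> Optional[str]:
        """1:N identification: search every enrolled template and return the
        closest user if the match is within threshold, otherwise None."""
        if not self.templates:
            return None
        user, tmpl = min(self.templates.items(), key=lambda kv: hamming(kv[1], sample))
        return user if hamming(tmpl, sample) <= MAX_DIFFERING_BITS else None

    def requires_biometric(self, tcode: str, user: str) -> bool:
        """Protected functions: either globally or only for the listed users."""
        if tcode not in self.protected:
            return False
        scope = self.protected[tcode]
        return scope is None or user in scope

    def _log(self, session_user, actor, tcode, doc, outcome) -> bool:
        self.audit.append({"session_user": session_user, "actor": actor,
                           "tcode": tcode, "doc": doc, "outcome": outcome})
        return outcome == "allowed"

    def execute(self, session_user: str, tcode: str, doc: str,
                sample: Optional[int] = None) -> bool:
        """Existing SAP authorization first (left untouched), then the biometric
        layer on top of it, then segregation of duties on the identified person."""
        if tcode not in self.sap_auth.get(session_user, set()):
            return self._log(session_user, None, tcode, doc, "denied: no SAP authorization")
        if not self.requires_biometric(tcode, session_user):
            # password-only path: nobody knows who really sat at the keyboard
            return self._log(session_user, None, tcode, doc, "allowed")
        actor = self.identify(sample) if sample is not None else None
        if actor is None:
            return self._log(session_user, None, tcode, doc, "denied: no biometric match")
        if actor != session_user:
            # someone else is using this user's logon (shared password)
            return self._log(session_user, actor, tcode, doc, "denied: identity mismatch")
        for create, approve in self.sod_conflicts:
            if tcode == approve and any(
                    e["actor"] == actor and e["tcode"] == create
                    and e["doc"] == doc and e["outcome"] == "allowed"
                    for e in self.audit):
                return self._log(session_user, actor, tcode, doc, "denied: segregation of duties")
        return self._log(session_user, actor, tcode, doc, "allowed")


ALICE_TEMPLATE = 0x0123456789ABCDEF        # constructed enrolment data
BOB_TEMPLATE = 0xFEDCBA9876543210
ALICE_SAMPLE = ALICE_TEMPLATE ^ 0b111      # live scan of Alice: 3 bits differ
BOB_SAMPLE = BOB_TEMPLATE ^ (1 << 40)      # live scan of Bob: 1 bit differs


def build_gate() -> BiometricGate:
    return BiometricGate(
        templates={"alice": ALICE_TEMPLATE, "bob": BOB_TEMPLATE},
        sap_auth={"alice": {"REQ_CREATE", "REQ_RELEASE"}, "bob": {"REQ_RELEASE"}},
        protected={"REQ_CREATE": {"alice"}, "REQ_RELEASE": None},
        sod_conflicts={("REQ_CREATE", "REQ_RELEASE")},
    )


def demo() -> list:
    """Six attempts against requisition PR-1; returns the audit outcomes in order."""
    g = build_gate()
    g.execute("alice", "REQ_CREATE", "PR-1", ALICE_SAMPLE)   # Alice creates: allowed
    g.execute("alice", "REQ_RELEASE", "PR-1", ALICE_SAMPLE)  # same person releases: SoD
    g.execute("bob", "REQ_RELEASE", "PR-1", ALICE_SAMPLE)    # Alice on Bob's logon: mismatch
    g.execute("bob", "REQ_RELEASE", "PR-1", 0)               # unenrolled finger: no match
    g.execute("carol", "REQ_RELEASE", "PR-1", BOB_SAMPLE)    # no SAP role at all
    g.execute("bob", "REQ_RELEASE", "PR-1", BOB_SAMPLE)      # Bob himself: allowed
    return [e["outcome"] for e in g.audit]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The third attempt is the shared-password case the slides keep returning to: Bob's session credentials presented with Alice's scan. It is refused, and the log records both the session user and the person actually identified, which is what gives the audit trail its accountability value. The SoD rule in execute() compares identified actors, not session users; on the password-only path the actor is recorded as None, so a create and a release done under shared passwords would not be linked, which is the gap slide 18 describes.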

  24. Do we need this ‘High Level Security’?
  This is your “security” now… This is the security we suggest:
  Live demo following now…
  Contact realtime at info@bioLock.us or 1-877-bioLock to schedule a personalized online education for your team!

  25. Session Code 0910
