
Security in ERP Systems By Jason Rhodewalt & Marcel Gibson



  1. Security in ERP Systems By Jason Rhodewalt & Marcel Gibson

  2. Why is ERP Security Important?
     • All of the business's vital data
     • Employee/customer personal data
     • Social Security Numbers
     • Credit Card Numbers
     • Addresses

  3. Background of Security Problem
     • Hacking began in the ‘70s
     • Simple wiretaps or “blue boxes”
     • Today, complex malicious programs
     • Estimated that 1 in 4 US computers is infected with a virus
     • Signs that viruses are becoming professionally made for monetary/political incentives

  4. Background of Security Problem

  5. Background of Security Problem

  6. Legal Considerations
     • Sarbanes-Oxley
       • CEO liability
       • External tampering
       • Internal tampering
       • Auditing

  7. Legal Considerations – cont.
     • California Civil Act SB 1386
       • Companies must notify customers of compromised data
       • Applies even to companies not incorporated in California
       • Notification must be in a timely manner

  8. Legal Considerations – cont.
     • McLaren v Microsoft Corp (1999)
       • Suspended employee has personal data on work machine and password protected
       • Microsoft accesses files – employee sues for right to privacy
       • Employee loses
       • Work computer and work email are Microsoft's property

  9. ERP System Authentication
     • Not only employees need access
     • Customers, suppliers, and 3rd party software developers
     • Local and remote access

  10. Passwords
     • User names and passwords
       • Don't use SSN!
       • Custom user names are like 2nd password
     • Strong passwords
       • Combination of uppercase/lowercase words and numbers

  11. Encryption Algorithms
     • Encrypting data protects it from unauthorized viewing
     • Blowfish Algorithm (1993)
     • RC4 Algorithm (1987)

  12. Unauthorized Access
     • Easiest method: Guess a password
       • Use random user names and strong passwords
     • Try all the combinations
       • Limit log on attempts
       • Only allow access from certain IP addresses
       • Tough to implement with remote access
     • Phishing
       • Educate the end users

  13. Unauthorized Access – cont.
     • Phishing
       • Educate end-users
     • Key-logging software
       • Limit installation privileges on public machines
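
The two slide-12 controls against trying all the combinations, limiting log-on attempts and only allowing access from certain IP addresses, sketched as an added example that is not part of the original presentation. The `LoginGate` name, the thresholds, the network range and the sample events are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict


class LoginGate:
    """Hypothetical gate combining an IP allowlist with a failed-log-on limit."""

    def __init__(self, allowed_networks, max_attempts=3, lockout_seconds=900):
        self.allowed = [ipaddress.ip_network(n) for n in allowed_networks]
        self.max_attempts = max_attempts        # assumed threshold
        self.lockout_seconds = lockout_seconds  # assumed window
        self.failures = defaultdict(list)       # user name -> times of recent failures

    def ip_allowed(self, ip):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return False  # an unparseable source address is refused
        return any(addr in net for net in self.allowed)

    def attempt(self, user, ip, password_ok, now):
        """Return 'denied_ip', 'locked', 'ok' or 'bad_password'."""
        if not self.ip_allowed(ip):
            return "denied_ip"
        # Only failures inside the lockout window count against the account.
        recent = [t for t in self.failures[user] if now - t < self.lockout_seconds]
        self.failures[user] = recent
        if len(recent) >= self.max_attempts:
            return "locked"  # refused even when the password is correct
        if password_ok:
            recent.clear()
            return "ok"
        recent.append(now)
        return "bad_password"


# Constructed sample events: (seconds, user name, source IP, password correct?)
SAMPLE_EVENTS = [
    (0, "k7r2-ops", "10.20.5.7", False),
    (1, "k7r2-ops", "10.20.5.7", False),
    (2, "k7r2-ops", "10.20.5.7", False),
    (3, "k7r2-ops", "10.20.5.7", True),      # right password, but account is locked
    (4, "k7r2-ops", "203.0.113.9", True),    # source outside the allowed range
    (903, "k7r2-ops", "10.20.5.7", True),    # earlier failures have aged out
]


def replay(events=SAMPLE_EVENTS):
    gate = LoginGate(["10.20.0.0/16"])
    return [gate.attempt(user, ip, ok, t) for t, user, ip, ok in events]


if __name__ == "__main__":
    print(replay())
```

The allowlist is checked first, so remote users outside the listed ranges are refused outright, which is the remote-access difficulty the slide notes.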

  14. Auditing and Monitoring
     • Authorization and authentication protocols allow ERP systems to keep a detailed account of system events
     • Auditing required by statute
     • Can be very costly and time consuming

  15. Auditing and Monitoring – cont.
     Steps to prepare for audits:
     • Ask the auditors what they are looking for before an audit. Ask them for their audit objectives and any pre-audit checklists.
     • Make sure to list perceived risks. Sort them in descending order with the highest risks at the top, along with the controls you created to mitigate them.
     • Document your preventative controls, and have detective controls in place to show they work.
     • Document the change management process.
     • Keep a current and accurate asset inventory of hardware and software.
     • Document all internal audit procedures.

  16. RFID Technology
     • Used to track parts and products through supply chain
     • Passive electronics
     • Included in shipments and/or product packaging

  17. RFID Technology – cont.

  18. Using RFID Data
     • Immediate decisions
       • Will we be on time this week?
     • Executive decisions
       • Should we build this part first?
       • Should we build this product?
     • Cash-To-Cash time

  19. What to do in case of a breach!!!
     • Assess the situation/level of breach
     • Report the breach to proper authorities
       • FBI
       • Management
       • Person affected
     • Track/investigate the breach
     • Seal breach and rectify the problem

  20. Disaster Recovery
     • The purpose of disaster recovery is to ensure that in the event of a disaster, all business operations can continue relatively smoothly, including security.
     • Plan ahead: a good plan might save the entire company.

  21. Disaster Recovery – cont.
     • Set up a secondary site
     • Mirror content in real time at secondary site
     • Implement Disaster Recovery Plan
     • Test, rehearse, and test some more
     • Continuously update plan
     • Be aware, disasters will happen!

  22. Image Reference
     • Enron picture: http://www.ba.metu.edu.tr/~adil/BA-web/enron1.jpg
     • RFID: http://www.uktelematicsonline.co.uk/html/rfid.html
     • Phishing: http://wearecentralpa.com/content/community/callforaction
     • Encryption: http://www.yessoftware.com/products/features.php?product_id=1
