ERP Risks, Security Checklist, and Priorities for Change - PowerPoint PPT Presentation

ERP Risks, Security Checklist, and Priorities for Change

Joy R. Hughes

VPIT and CIO

George Mason University

Co-chair STF


AGENDA

  • Genesis of the ERP Security Project

  • SunGard Focus Groups

  • 2006 Security Professionals Conference - BOF

  • Comparison of Opinions

  • Checklist

  • Survey

  • Deal-Killers


Genesis

STF hearing how difficult it is to know how to configure the new ERP & its 3rd party products, like reporting

STF hearing about the overhead of managing access roles

States passing laws requiring CISOs to certify new software is secure


SunGard Focus Groups

  • STF approached SunGard

  • 3rd party market research firm at BUG

  • Virginia IT Auditors & STF Input

  • MR firm: structured & open-ended questions

  • CIOs and directors of admin systems


Security Professionals

  • BOF at last year’s conference

  • Mostly security officers, some CIOs

  • Reviewed BUG outcomes

  • Added SP perspective


Compare Opinions

  • How do the opinions on ERP security of the Security Professionals at the 2006 BOF differ from, or match, those of the CIOs and Directors of Admin Systems at the 2006 BUG?


Enterprise IdM

CIOs in Focus Groups

E-IdM should control ERP

Security Professionals

…and all other enterprise apps

But…what about schools that don’t have an E-IdM?


Lack of Process Documentation

CIOs in Focus Group

Real Problem

Security Professionals

“Thumbs down” on procurement


Masking/Encryption of Sensitive Data

CIOs in Focus Group

Say they have it, but not always where you need it and it severely impacts performance

Security Professionals

“Thumbs down” on procurement


Weak Passwords/PINS

CIOs in Focus Group

We’re managing despite this

Security Professionals

“Thumbs down” on procurement because it violates state & institutional policy


Pre-Implementation Security Consulting

CIOs in Focus Group

Lack time and mind share

Security Professionals

Institution and vendor need to invest in this


More Secure Reporting Systems

CIOs in Focus Group

It’s a problem, but we’re managing

Security Professionals

Violates institutional and state policy, but can’t be blamed on the vendor


Security Checklist

Purpose:

- enable better procurement decisions

- provide SPs with a tool to use to meet state requirements

- influence vendors to make security improvements


ERP Security Checklist Topics

  • Managing Roles and Responsibilities

  • Passwords, IDs and PINs

  • Data Standards and Integrity

  • Process Documentation

  • Exporting Sensitive Data


Sample from Roles/Responsibilities

  • Is there a web-based tool that allows you to see the access that has been provided to a user with respect to the fields/tables/forms in the product, its underlying database, and integrated third party products and reporting tools?


Sample from Roles/Responsibilities

  • Can the vendor provide you with the names of institutions similar to yours that have implemented role based security on a wide variety of roles so that you can assess the person hours that will be needed to implement and maintain role based security?


Sample from PINs/IDs/Passwords

  • Does the system require strong passwords?

  • Are the IDs randomly or sequentially generated? Are they at least 8 characters long?
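The two checklist questions above can be turned into a repeatable audit once a vendor hands over a batch of issued IDs and its password rules. The following Python is an added example and is not part of the presentation or any vendor's product; the sample IDs, the 8-character minimum for IDs, the SSN pattern, and the password policy (12 characters, three of four character classes, ID not embedded) are constructed assumptions for the demonstration.

```python
import re
import secrets
import string

# Constructed sample batches (not from the slides): the first looks like a
# counter, the second like it was drawn from a random source.
SEQUENTIAL_IDS = ["G00123401", "G00123402", "G00123403", "G00123404"]
RANDOM_IDS = ["G48201937", "G03917462", "G77120584", "G19847301"]

# Assumed SSN shapes: 9 digits, with or without dashes.
SSN_PATTERN = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")


def ids_look_sequential(ids, max_gap=1):
    """True when the numeric part of each ID is the previous one plus at most max_gap.

    A vendor that issues IDs from a counter makes every other account guessable
    from one known ID, which is what the 'randomly or sequentially' question probes.
    """
    numbers = sorted(int(re.sub(r"\D", "", i)) for i in ids)
    gaps = [b - a for a, b in zip(numbers, numbers[1:])]
    return bool(gaps) and all(0 < g <= max_gap for g in gaps)


def ids_too_short(ids, minimum=8):
    """IDs below the assumed minimum length from the checklist question."""
    return [i for i in ids if len(i) < minimum]


def ids_that_are_ssns(ids):
    """IDs that are really Social Security Numbers (a deal-killer later in the deck)."""
    return [i for i in ids if SSN_PATTERN.match(i)]


def generate_random_id(prefix="G", digits=8):
    """Issue an ID from a CSPRNG instead of a counter (assumed format: prefix + digits)."""
    return prefix + "".join(secrets.choice(string.digits) for _ in range(digits))


def password_violations(password, user_id, minimum=12):
    """Assumed policy: minimum length, three of four character classes, no user ID inside.

    Returns the list of rule violations; an empty list means the password passes.
    """
    problems = []
    if len(password) < minimum:
        problems.append(f"shorter than {minimum} characters")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if sum(classes) < 3:
        problems.append("fewer than three character classes")
    if user_id.lower() in password.lower():
        problems.append("contains the user ID")
    return problems


def audit_ids(ids, minimum=8):
    """One-shot summary a security officer can attach to the procurement checklist."""
    return {
        "sequential": ids_look_sequential(ids),
        "too_short": ids_too_short(ids, minimum),
        "ssn_as_id": ids_that_are_ssns(ids),
    }


if __name__ == "__main__":
    print("counter batch:", audit_ids(SEQUENTIAL_IDS))
    print("random batch: ", audit_ids(RANDOM_IDS))
    print("fresh ID:     ", generate_random_id())
    print("weak password:", password_violations("password", "jdoe"))
```

`audit_ids` on the counter batch reports `sequential: True`, which is the answer the checklist is looking for before a contract is signed; running it on a sample pulled from an existing system gives the same evidence for the "SSNs can't be the IDs" deal-killer without anyone reading the IDs by hand.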


Sample from Data Standards/Integrity

  • Are data fields encrypted at the database level?

  • Is each standardized data field adequately documented in a data dictionary?

  • As the institution articulates the standards/rules that define a data field, do these standards/rules then become part of a data dictionary?


Sample from Data Standards/Integrity

  • Can the vendor provide you with the names of institutions similar to yours that have implemented features such as:
    - encrypted data fields
    - audit trails on data fields
    so that you can determine the effect on performance of implementing these features on all the fields that need to be protected?


Sample from Process Documentation

  • Are there visual representations of processes, role approvals, security checkpoints, data flow, and tables touched/accessed during each process?

  • Are there clear and complete work flow diagrams?


ERP Security Survey

  • Created from the items on the checklist

  • Respondents: Subscribers to EDUCAUSE listserv for admin system management (mostly Directors of Admin Systems)

  • Survey closed March 15, 2007


Complete the Survey

  • Ten minutes (okay to select “don’t know” option)

  • Use the red pencil to circle the “deal killers”

  • After you’re done, we’ll look at how the listserv respondents answered the questions.


Security Flaws – Survey

  • No information is provided on the implications of providing a role with access to a particular field, table or form (e.g. “giving permission to access this form will allow the user to navigate to another form and change grades even though the grade field is not visible on this form”).


Security Flaws – Survey

  • Cannot define context-sensitive roles (e.g. this user can perform a function for specified records only at a specified point in the processing cycle).


Security Flaws - Survey

  • If a user is allowed to process sensitive data in the ERP, one can’t restrict that user from downloading the data.

  • Products that are supposed to be integrated with the vendor’s ERP do not have a consistent role based architecture.


Security Flaws - Survey

  • There is no tool provided that allows you to see the access that has been provided to a user with respect to the fields/tables/forms in the ERP, its underlying database, and integrated third party products and reporting tools.


Security Flaws - Survey

  • The ERP roles cannot be managed by the institution’s identity management system.

  • Strong passwords are not required.

  • Encryption and auditing of special fields degrades performance.


Security Flaws - Survey

  • There is insufficient work flow and process documentation.

  • Critical processes, such as payroll, cannot be run first in audit mode.


DEAL KILLERS: System Must Haves

  • Strong passwords; SSNs can’t be the IDs

  • Role based access – granular and context sensitive

  • Link to the institution’s enterprise Identity Management System so that the IdM controls access and authorization to the ERP.

  • Encrypt all fields that the state or feds require you to protect, and not degrade performance; encrypt data at rest


DEAL KILLERS: System Must Haves

  • Link to a utility that shows all access for each user (fields, tables, forms, etc.)

  • Link to a utility that shows who has access to certain key fields, forms, etc.

  • Provide reports that show who has been downloading sensitive data

  • Process and workflow documentation
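Three of the deal-killers on these two slides (a utility showing all access for each user, a utility showing who can reach a key field, and reports of who has been downloading sensitive data) are the same data looked at from different sides, and the survey flaw about a form "allowing the user to navigate to another form and change grades" is what makes a naive role listing wrong. The Python below is an added example, not code from the presentation or from any ERP vendor: it builds that utility over constructed role, form-navigation and export-log data, with every name (roles, forms, fields, log format) an assumption made for the demonstration.

```python
import re
from collections import defaultdict

# Constructed role definitions (not from the slides). Each permission records the
# system the object lives in, so access through the reporting tool or the
# underlying database appears beside access granted in the ERP itself.
ROLE_PERMISSIONS = {
    "registrar_clerk": {("erp", "form", "REGISTRATION")},
    "grade_entry": {("erp", "form", "GRADE_ROSTER"), ("erp", "field", "ENROLLMENT.GRADE")},
    "report_author": {("reporting", "table", "ENROLLMENT"), ("reporting", "field", "ENROLLMENT.GRADE")},
    "dba": {("database", "table", "ENROLLMENT"), ("database", "table", "PERSON")},
}

# Constructed navigation map: the flaw from the survey slide. REGISTRATION links
# to GRADE_ROSTER, so a role that only names REGISTRATION can still edit grades.
FORM_NAVIGATION = {"REGISTRATION": {"GRADE_ROSTER"}, "GRADE_ROSTER": set()}

# Constructed: fields each form exposes for editing.
FORM_FIELDS = {"REGISTRATION": {"ENROLLMENT.SECTION"}, "GRADE_ROSTER": {"ENROLLMENT.GRADE"}}

USER_ROLES = {"alice": {"registrar_clerk"}, "bob": {"report_author"}, "carol": {"dba", "grade_entry"}}


def reachable_forms(form):
    """Every form a user can navigate to from `form`, including `form` itself."""
    seen, stack = set(), [form]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        stack.extend(FORM_NAVIGATION.get(current, ()))
    return seen


def effective_access(user):
    """All (system, object_type, object, via) tuples a user holds, following form navigation.

    `via` explains the path, which is the information the survey flaw says vendors
    leave out: the role name alone, or the role plus the form navigated through.
    """
    access = set()
    for role in sorted(USER_ROLES.get(user, ())):
        for system, otype, obj in ROLE_PERMISSIONS.get(role, ()):
            if system == "erp" and otype == "form":
                for form in reachable_forms(obj):
                    via = role if form == obj else f"{role}, by navigating from {obj}"
                    access.add(("erp", "form", form, via))
                    for field in FORM_FIELDS.get(form, ()):
                        access.add(("erp", "field", field, f"{via} (edited on {form})"))
            else:
                access.add((system, otype, obj, role))
    return access


def who_can_access(object_name):
    """Reverse view: every user with any path to the named field/table/form, in any system."""
    result = defaultdict(set)
    for user in USER_ROLES:
        for system, _otype, obj, via in effective_access(user):
            if obj == object_name:
                result[user].add((system, via))
    return dict(result)


# Constructed export-log lines in an assumed key=value format; the objects that
# count as sensitive would come from the institution's data classification.
SENSITIVE_OBJECTS = {"ENROLLMENT.GRADE", "PERSON.SSN"}
EXPORT_LOG = """\
2007-03-01T09:12:44 user=bob action=export object=ENROLLMENT.GRADE rows=412
2007-03-01T09:40:02 user=alice action=view object=REGISTRATION rows=1
2007-03-02T16:05:19 user=carol action=export object=PERSON.SSN rows=9800
2007-03-02T16:07:00 user=carol action=export object=COURSE.TITLE rows=300
"""
LOG_RE = re.compile(r"user=(\S+) action=(\S+) object=(\S+) rows=(\d+)")


def sensitive_downloads(log_text):
    """Rows exported from sensitive objects, per user: the 'who has been downloading' report."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        match = LOG_RE.search(line)
        if match and match.group(2) == "export" and match.group(3) in SENSITIVE_OBJECTS:
            totals[match.group(1)] += int(match.group(4))
    return dict(totals)


if __name__ == "__main__":
    for user in USER_ROLES:
        print(user, sorted(effective_access(user)))
    print("can reach ENROLLMENT.GRADE:", who_can_access("ENROLLMENT.GRADE"))
    print("sensitive exports:", sensitive_downloads(EXPORT_LOG))
```

Run as is, `who_can_access("ENROLLMENT.GRADE")` lists alice even though no role of hers mentions the grade field, with the `via` text naming the navigation hop that gets her there; that is the view the checklist asks vendors for, spanning the ERP, the database and the reporting tool in one place. `sensitive_downloads` reads the same idea off the export log: carol's COURSE.TITLE export is not counted, her PERSON.SSN export is.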


www.educause.edu/security

Joy Hughes

CIO and VPIT

George Mason University

jhughes@gmu.edu