ERP Risks, Security Checklist, and Priorities for Change
Joy R. Hughes, VPIT and CIO
George Mason University, Co-chair STF
AGENDA
- Genesis of the ERP Security Project
- Sunguard Focus Groups
- 2006 Security Professionals Conference - BOF
- Comparison of Opinions
- Checklist
- Survey
- Deal-Killers
Genesis
STF hearing how difficult it is to know how to configure the new ERP & its 3rd party products, like reporting
STF hearing about the overhead of managing access roles
States passing laws requiring CISOs to certify new software is secure
Sunguard Focus Groups
STF approached Sunguard
3rd party market research firm at BUG
Virginia IT Auditors & STF Input
MR firm: structured & open-ended questions
CIOs and directors of admin systems
Security Professionals
BOF at last year’s conference
Mostly security officers, some CIOs
Reviewed BUG outcomes
Added SP perspective
Compare Opinions
How do the opinions on ERP security differ or match with respect to the Security Professionals at the 2006 BOF and the CIOs and Directors of Admin Systems at the 2006 BUG?
Enterprise IdM
CIOs in Focus Groups: E-IdM should control ERP
Security Professionals: …and all other enterprise apps
But…what about schools that don’t have an E-IdM?
Lack of Process Documentation
CIOs in Focus Group: Real problem
Security Professionals: “Thumbs down” on procurement
Masking/Encryption of Sensitive Data
CIOs in Focus Group: Say they have it, but not always where you need it, and it severely impacts performance
Security Professionals: “Thumbs down” on procurement
Weak Passwords/PINS
CIOs in Focus Group: We’re managing despite this
Security Professionals: “Thumbs down” on procurement because it violates state & institutional policy
Pre-Implementation Security Consulting
CIOs in Focus Group: Lack time and mind share
Security Professionals: Institution and vendor need to invest in this
More Secure Reporting Systems
CIOs in Focus Group: It’s a problem, but we’re managing
Security Professionals: Violates institutional and state policy, but can’t be blamed on the vendor
Security Checklist
Purpose:
- enable better procurement decisions
- provide SPs with a tool to use to meet state requirements
- influence vendors to make security improvements
ERP Security Checklist Topics
Managing Roles and Responsibilities
Passwords, IDs and PINs
Data Standards and Integrity
Process Documentation
Exporting Sensitive Data
Sample from Roles/Responsibilities
Is there a web-based tool that allows you to see the access that has been provided to a user with respect to the fields/tables/forms in the product, its underlying database, and integrated third party products and reporting tools?
Sample from Roles/Responsibilities
Can the vendor provide you with the names of institutions similar to yours that have implemented role based security on a wide variety of roles so that you can assess the person hours that will be needed to implement and maintain role based security?
Sample from PINs/IDs/Passwords
Does the system require strong passwords?
Are the IDs randomly or sequentially generated? Are they at least 8 characters long?
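The ID questions above (random vs. sequential generation, minimum length, and the later deal-killer that SSNs cannot be the IDs) can be turned into a small audit that a security officer runs over an export of the ID column. The following is an added example written for this page, not a tool from the presentation or from any ERP vendor; the sample ID lists are constructed, the finding codes are my own, and the 50% threshold for "looks sequential" is an assumed tuning value.

```python
"""Audit an ERP's user-ID column for the weaknesses the checklist asks about.

Added example; sample data and finding codes are constructed for illustration.
"""
import re
import secrets
import string

# 9 digits with optional dashes in SSN layout (### - ## - ####).
SSN_LAYOUT = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")


def looks_like_ssn(user_id: str) -> bool:
    """True if the ID is laid out like a US Social Security Number."""
    return bool(SSN_LAYOUT.match(user_id))


def sequential_fraction(ids) -> float:
    """Fraction of adjacent (sorted) purely numeric IDs that differ by exactly 1.

    Values near 1.0 mean the IDs were handed out from a counter, so one valid
    ID lets anyone guess its neighbours.
    """
    nums = sorted(int(i) for i in ids if i.isdigit())
    if len(nums) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(nums, nums[1:]) if b - a == 1)
    return steps / (len(nums) - 1)


def audit_ids(ids, min_len: int = 8, seq_threshold: float = 0.5):
    """Return a sorted list of finding codes for the given ID column.

    Codes (constructed for this example):
      too_short   - at least one ID is shorter than min_len
      ssn_format  - at least one ID is laid out like an SSN
      sequential  - more than seq_threshold of numeric IDs are consecutive
    """
    findings = set()
    if any(len(i) < min_len for i in ids):
        findings.add("too_short")
    if any(looks_like_ssn(i) for i in ids):
        findings.add("ssn_format")
    if sequential_fraction(ids) > seq_threshold:
        findings.add("sequential")
    return sorted(findings)


def generate_id(length: int = 8) -> str:
    """Generate a random, non-sequential ID using a CSPRNG (secrets module)."""
    alphabet = string.ascii_uppercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed sample: a counter-generated 8-digit ID column.
    counter_ids = ["10000001", "10000002", "10000003", "10000004"]
    print("counter column:", audit_ids(counter_ids))
    # Constructed sample: SSN-layout IDs using the never-issued 000 area prefix.
    ssn_ids = ["000-12-3456", "000-12-3457"]
    print("ssn column:", audit_ids(ssn_ids))
    print("replacement IDs:", [generate_id() for _ in range(3)])
```

Running the script flags the counter column as `sequential` and the SSN-layout column as `ssn_format`; randomly generated replacements pass both checks, which is the property the checklist question is probing for.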
Sample from Data Standards/Integrity
Are data fields encrypted at the database level?
Is each standardized data field adequately documented in a data dictionary?
As the institution articulates the standards/rules that define a data field, do these standards/rules then become part of a data dictionary?
Sample from Data Standards/Integrity
Can the vendor provide you with the names of institutions similar to yours that have implemented features such as:
- encrypted data fields
- audit trails on data fields
so that you can determine the effect on performance of implementing these features on all the fields that need to be protected?
Sample from Process Documentation
Are there visual representations of processes, role approvals, security checkpoints, data flow, and tables touched/accessed during each process?
Are there clear and complete work flow diagrams?
ERP Security Survey
Created from the items on the checklist
Respondents: Subscribers to EDUCAUSE listserv for admin system management (mostly Directors of Admin Systems)
Survey closed March 15, 2007
Complete the Survey
Ten minutes (okay to select “don’t know” option)
Use the red pencil to circle the “deal killers”
After you’re done, we’ll look at how the listserv respondents answered the questions.
Security Flaws - Survey
No information is provided on the implications of providing a role with access to a particular field, table or form
(e.g. “giving permission to access this form will allow the user to navigate to another form and change grades even though the grade field is not visible on this form”).
Security Flaws - Survey
Cannot define context-sensitive roles (e.g. this user can perform a function for specified records only at a specified point in the processing cycle).
Security Flaws - Survey
If a user is allowed to process sensitive data in the ERP, one can’t restrict that user from downloading the data.
Products that are supposed to be integrated with the vendor’s ERP do not have a consistent role based architecture.
Security Flaws - Survey
There is no tool provided that allows you to see the access that has been provided to a user with respect to the fields/tables/forms in the ERP, its underlying database, and integrated third party products and reporting tools.
Security Flaws - Survey
The ERP roles cannot be managed by the institution’s identity management system.
Strong passwords are not required.
Encryption and auditing of special fields degrades performance.
Security Flaws - Survey
There is insufficient work flow and process documentation.
Critical processes, such as payroll, cannot be run first in audit mode.
DEAL KILLERS: System Must Haves
Strong passwords; SSNs can’t be the IDs
Role based access – granular and context sensitive
Link to the institution’s enterprise Identity Management System so that the IdM controls access and authorization to the ERP.
Encrypt all fields that the state or feds require you to protect, and not degrade performance; encrypt data at rest
DEAL KILLERS: System Must Haves
Link to a utility that shows all access for each user (fields, tables, forms, etc.)
Link to a utility that shows who has access to certain key fields, forms, etc.
Provide reports that show who has been downloading sensitive data
Process and workflow documentation
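Several items on this slide and in the survey (no tool to see a user's access across fields, tables and forms; no information on the implications of granting a form, such as navigating from it to another form and changing grades; no way to see who has access to a key field) describe the same missing capability: computing a user's effective access, including what a form grant reaches through navigation, and inverting that to answer "who can see this field". The following added example shows that computation over a constructed role model; it is not code from the presentation or from any ERP product, and the role, form and field names are made up for illustration.

```python
"""Effective-access report for a role-based ERP model (added example).

Constructed data: roles grant forms, forms expose fields, and forms may
navigate to other forms. The navigation links are what make a grant's real
reach larger than the fields visible on the granted form.
"""

# Role -> forms the role may open.
ROLE_GRANTS = {
    "registrar_clerk": {"STU_BIO"},
    "grades_admin": {"STU_GRADES"},
    "payroll_view": {"EMP_PAY"},
}

# Form -> fields visible on that form.
FORM_FIELDS = {
    "STU_BIO": {"student.name", "student.ssn"},
    "STU_GRADES": {"student.name", "student.grade"},
    "EMP_PAY": {"employee.salary"},
}

# Form -> forms reachable from its navigation menu (the hidden implication).
FORM_LINKS = {
    "STU_BIO": {"STU_GRADES"},
    "STU_GRADES": set(),
    "EMP_PAY": set(),
}

# User -> assigned roles.
USER_ROLES = {
    "alice": {"registrar_clerk"},
    "bob": {"payroll_view"},
    "carol": {"grades_admin", "payroll_view"},
}


def reachable_forms(start_forms, links):
    """Transitive closure over navigation links, starting from start_forms."""
    seen = set()
    stack = list(start_forms)
    while stack:
        form = stack.pop()
        if form in seen:
            continue
        seen.add(form)
        stack.extend(links.get(form, ()))
    return seen


def user_access(user):
    """Return (directly granted forms, effective forms, effective fields)."""
    direct = set()
    for role in USER_ROLES.get(user, ()):
        direct |= ROLE_GRANTS.get(role, set())
    effective = reachable_forms(direct, FORM_LINKS)
    fields = set()
    for form in effective:
        fields |= FORM_FIELDS.get(form, set())
    return direct, effective, fields


def who_can_see(field):
    """Reverse lookup: users whose effective access includes the field."""
    return sorted(u for u in USER_ROLES if field in user_access(u)[2])


def navigation_implications(form):
    """Fields a grant on `form` exposes only through navigation to other forms."""
    own = FORM_FIELDS.get(form, set())
    via_nav = set()
    for other in reachable_forms({form}, FORM_LINKS) - {form}:
        via_nav |= FORM_FIELDS.get(other, set())
    return via_nav - own


if __name__ == "__main__":
    for user in USER_ROLES:
        direct, effective, fields = user_access(user)
        print(f"{user}: granted {sorted(direct)} -> can open {sorted(effective)}")
        print(f"    effective fields: {sorted(fields)}")
    print("who can see student.grade:", who_can_see("student.grade"))
    print("hidden reach of STU_BIO grant:", sorted(navigation_implications("STU_BIO")))
```

In the constructed data, alice is granted only the biographic form, yet her effective access includes the grade field because the biographic form navigates to the grades form; that is exactly the implication the survey item says vendors fail to document, and the reverse lookup surfaces it without reading every role definition by hand.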