ERP Risks, Security Checklist, and Priorities for Change - PowerPoint PPT Presentation

About This Presentation

ERP Risks, Security Checklist, and Priorities for Change. Joy R. Hughes. VPIT and CIO ... www.educause.edu/security. Joy Hughes. CIO and VPIT. George Mason ... – PowerPoint PPT presentation

Slides: 32

Transcript and Presenter's Notes


1
ERP Risks, Security Checklist, and Priorities for Change
  • Joy R. Hughes
  • VPIT and CIO
  • George Mason University
  • Co-chair STF

2
AGENDA
  • Genesis of the ERP Security Project
  • SunGard Focus Groups
  • 2006 Security Professionals Conference - BOF
  • Comparison of Opinions
  • Checklist
  • Survey
  • Deal-Killers

3
Genesis
  • STF hearing how difficult it is to know how to
    configure the new ERP and its 3rd-party products,
    like reporting
  • STF hearing about the overhead of managing access
    roles
  • States passing laws requiring CISOs to certify
    new software is secure

4
SunGard Focus Groups
  • STF approached SunGard
  • 3rd-party market research firm at BUG
  • Input from Virginia IT auditors and the STF
  • MR firm: structured, open-ended questions
  • CIOs and directors of admin systems

5
Security Professionals
  • BOF at last year's conference
  • Mostly security officers, some CIOs
  • Reviewed BUG outcomes
  • Added SP perspective

6
Compare Opinions
  • How do the opinions on ERP security of the
    Security Professionals at the 2006 BOF and the
    CIOs and Directors of Admin Systems at the 2006
    BUG differ or match?

7
Enterprise IdM
  • CIOs in Focus Groups
    - E-IdM should control ERP
  • Security Professionals
    - ...and all other enterprise apps
    - But what about schools that don't have an E-IdM?

8
Lack of Process Documentation
  • CIOs in Focus Group
    - Real problem
  • Security Professionals
    - Thumbs down on procurement

9
Masking/Encryption of Sensitive Data
  • CIOs in Focus Group
    - Say they have it, but not always where you
      need it, and it severely impacts performance
  • Security Professionals
    - Thumbs down on procurement

10
Weak Passwords/PINS
  • CIOs in Focus Group
    - We're managing despite this
  • Security Professionals
    - Thumbs down on procurement because it
      violates state and institutional policy

11
Pre-Implementation Security Consulting
  • CIOs in Focus Group
    - Lack time and mind share
  • Security Professionals
    - Institution and vendor need to invest in this

12
More Secure Reporting Systems
  • CIOs in Focus Group
    - It's a problem, but we're managing
  • Security Professionals
    - Violates institutional and state policy, but
      can't be blamed on the vendor

13
Security Checklist
  • Purpose:
    - enable better procurement decisions
    - provide SPs with a tool to use to meet state
      requirements
    - influence vendors to make security improvements

14
ERP Security Checklist Topics
  • Managing Roles and Responsibilities
  • Passwords, IDs and PINs
  • Data Standards and Integrity
  • Process Documentation
  • Exporting Sensitive Data

15
Sample from Roles/Responsibilities
  • Is there a web-based tool that allows you to see
    the access that has been provided to a user with
    respect to the fields/tables/forms in the
    product, its underlying database, and integrated
    third party products and reporting tools?

16
Sample from Roles/Responsibilities
  • Can the vendor provide you with the names of
    institutions similar to yours that have
    implemented role based security on a wide variety
    of roles so that you can assess the person hours
    that will be needed to implement and maintain
    role based security?

17
Sample from PINs/IDs/Passwords
  • Does the system require strong passwords?
  • Are the IDs randomly or sequentially generated?
    Are they at least 8 characters long?
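The three questions on this slide (strong passwords, random versus sequential IDs, minimum ID length) can be turned into checks an evaluator runs against a vendor's sample data. The Python below is an added illustration, not code from the presentation or any ERP product; the length threshold, the SSN-shaped pattern (which also anticipates the later "SSNs can't be the IDs" must-have) and the password-strength rule are assumptions chosen for the example.

```python
"""ID-generation and password-strength checks for the PINs/IDs/Passwords checklist items.

Added example, not from the presentation. Assumes institution IDs must be at least
8 characters, non-sequential, and never shaped like a 9-digit SSN; the exact
thresholds below are constructed for illustration.
"""
import re
import secrets
import string

ID_ALPHABET = string.ascii_uppercase + string.digits
ID_LENGTH = 8                       # assumption: checklist minimum of 8 characters


def generate_id(prefix="G"):
    """Random, non-sequential ID: a letter prefix plus random alphanumerics (8 chars total).

    The leading letter also guarantees the value can never be mistaken for an SSN.
    """
    body = "".join(secrets.choice(ID_ALPHABET) for _ in range(ID_LENGTH - len(prefix)))
    return prefix + body


def looks_sequential(ids):
    """Review heuristic for a vendor's sample IDs: True when every ID is numeric and
    each one is exactly the previous one plus one (i.e. guessable)."""
    try:
        nums = [int(i) for i in ids]
    except ValueError:
        return False                 # non-numeric IDs cannot be a simple counter
    return len(nums) > 1 and all(b - a == 1 for a, b in zip(nums, nums[1:]))


def id_policy_problems(identifier):
    """Return the list of checklist rules an ID violates (empty list = acceptable)."""
    problems = []
    if len(identifier) < ID_LENGTH:
        problems.append("shorter than 8 characters")
    if re.fullmatch(r"\d{3}-?\d{2}-?\d{4}", identifier):     # 9 digits, optional dashes
        problems.append("formatted like an SSN")
    return problems


def is_strong_password(pw, min_len=12):
    """Strong password: minimum length and at least three of four character classes.

    Both thresholds are assumptions for this example, not the presenter's policy.
    """
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ]
    return len(pw) >= min_len and sum(classes) >= 3
```

`looks_sequential` is meant to be run over a batch of IDs the vendor issued in order; a result of `True` answers the "sequentially generated?" question directly, and `id_policy_problems` flags both short IDs and the SSN-shaped ones the deal-killer slide rules out.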

18
Sample from Data Standards/Integrity
  • Are data fields encrypted at the database
    level?
  • Is each standardized data field adequately
    documented in a data dictionary?
  • As the institution articulates the
    standards/rules that define a data field, do
    these standards/rules then become part of a data
    dictionary?

19
Sample from Data Standards/Integrity
  • Can the vendor provide you with the names of
    institutions similar to yours that have
    implemented features such as encrypted data
    fields and audit trails on data fields, so that
    you can determine the effect on performance of
    implementing these features on all the fields
    that need to be protected?

20
Sample from Process Documentation
  • Are there visual representations of processes,
    role approvals, security checkpoints, data flow,
    and tables touched/accessed during each process?
  • Are there clear and complete work flow diagrams?

21
ERP Security Survey
  • Created from the items on the checklist
  • Respondents: subscribers to the EDUCAUSE listserv
    for admin system management (mostly Directors of
    Admin Systems)
  • Survey closed March 15, 2007

22
Complete the Survey
  • Ten minutes (okay to select the "don't know" option)
  • Use the red pencil to circle the deal killers
  • After you're done, we'll look at how the listserv
    respondents answered the questions.

23
Security Flaws - Survey
  • No information is provided on the implications of
    providing a role with access to a particular
    field, table or form (e.g. giving permission
    to access this form will allow the user to
    navigate to another form and change grades even
    though the grade field is not visible on this
    form).

24
Security Flaws - Survey
  • Cannot define context-sensitive roles (e.g. this
    user can perform function for specified records
    only at a specified point in the processing
    cycle).
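The two flaws above (a form grant that leaks access to a field reachable through another form, and the absence of roles scoped to particular records and a point in the processing cycle) come down to where the authorization decision is made. The Python below is an added illustration, not code from the presentation or any ERP vendor; the roles, fields, section IDs and cycle states are constructed for the example. It evaluates permission per field, record and processing-cycle state, so the form used to reach a field confers nothing by itself, and it reports what a role could actually do on a form before that form is granted.

```python
"""Field-level, context-sensitive authorization check for an ERP-style application.

Added example, not from the presentation. All roles, fields, record IDs and
processing-cycle states are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Grant:
    """One permission: an action on a field, limited to a record scope and cycle states."""
    field_name: str            # e.g. "grade"
    action: str                # "read" or "write"
    record_scope: frozenset    # record IDs the grant covers; empty = any record
    cycle_states: frozenset    # cycle states in which it is valid; empty = any state


@dataclass
class Role:
    name: str
    grants: list = field(default_factory=list)


# Constructed roles. "registrar_clerk" may open the enrollment form but holds no
# grant on the grade field at all; "instructor" may write grades only for the
# sections it teaches and only while the term is in the "grading" state.
ROLES = {
    "registrar_clerk": Role("registrar_clerk", [
        Grant("enrollment_status", "write", frozenset(), frozenset()),
        Grant("student_name", "read", frozenset(), frozenset()),
    ]),
    "instructor": Role("instructor", [
        Grant("grade", "write", frozenset({"SEC-101", "SEC-102"}), frozenset({"grading"})),
        Grant("grade", "read", frozenset({"SEC-101", "SEC-102"}), frozenset()),
    ]),
}


def is_allowed(user_roles, field_name, action, record_id, cycle_state):
    """True only if some role grants the action on this field, record and cycle state.

    The form the request arrived through is deliberately not an input: because the
    decision is made on the field, navigating to a different form yields no extra access.
    """
    for role_name in user_roles:
        role = ROLES.get(role_name)
        if role is None:
            continue
        for g in role.grants:
            if g.field_name != field_name or g.action != action:
                continue
            if g.record_scope and record_id not in g.record_scope:
                continue
            if g.cycle_states and cycle_state not in g.cycle_states:
                continue
            return True
    return False


def explain_form(form_name, form_fields, user_roles, record_id, cycle_state):
    """Show the implications of granting a form: which of its fields the roles could touch.

    Returns {field: (can_read, can_write)} so a reviewer sees, before granting the
    form, what the user would really be able to do on it in the given context.
    """
    return {
        f: (is_allowed(user_roles, f, "read", record_id, cycle_state),
            is_allowed(user_roles, f, "write", record_id, cycle_state))
        for f in form_fields
    }
```

The `explain_form` report is the piece the survey item says is missing: an answer to "what does giving this role access to this form actually let it do?" that is computed from the field grants rather than from the form layout.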

25
Security Flaws - Survey
  • If a user is allowed to process sensitive data
    in the ERP, one can't restrict that user from
    downloading the data.
  • Products that are supposed to be integrated with
    the vendor's ERP do not have a consistent role-
    based architecture.

26
Security Flaws - Survey
  • There is no tool provided that allows you to see
    the access that has been provided to a user with
    respect to the fields/tables/forms in the ERP,
    its underlying database, and integrated third
    party products and reporting tools.

27
Security Flaws - Survey
  • The ERP roles cannot be managed by the
    institution's identity management system.
  • Strong passwords are not required.
  • Encryption and auditing of special fields
    degrades performance.

28
Security Flaws - Survey
  • There is insufficient work flow and process
    documentation.
  • Critical processes, such as payroll, cannot be
    run first in audit mode.

29
DEAL KILLERS: System Must-Haves
  • Strong passwords; SSNs can't be the IDs
  • Role-based access: granular and context-
    sensitive
  • Link to the institution's enterprise Identity
    Management System so that the IdM controls access
    and authorization to the ERP.
  • Encrypt all fields that the state or feds require
    you to protect, without degrading performance;
    encrypt data at rest

30
DEAL KILLERS: System Must-Haves
  • Link to a utility that shows all access for each
    user (fields, tables, forms, etc.)
  • Link to a utility that shows who has access to
    certain key fields, forms, etc.
  • Provide reports that show who has been
    downloading sensitive data
  • Process and workflow documentation
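The first three must-haves on this slide, and the "no tool to see a user's access across the ERP, its database and integrated products" flaw earlier in the survey, describe one report seen from different directions: effective access per user, the inverse (who can reach a key field), and who has been exporting sensitive data. The Python below is an added illustration, not a utility from the presentation or any vendor. It assumes three constructed entitlement sources (ERP role assignments, database grants, reporting-tool groups) and a constructed export log in a simple key=value format; real products expose these differently.

```python
"""Effective-access and sensitive-download reporting across an ERP, its database
and a reporting tool.

Added example, not from the presentation. Entitlement data, log lines and the
set of sensitive objects are all constructed for illustration.
"""
from collections import defaultdict

# --- Constructed entitlement data -------------------------------------------
ERP_ROLE_FIELDS = {            # ERP role -> fields/forms it can reach
    "hr_clerk":  {"employee.ssn", "employee.salary", "form:payroll_entry"},
    "registrar": {"student.grade", "form:grade_entry"},
}
ERP_USER_ROLES = {"alice": {"hr_clerk"}, "bob": {"registrar"}, "carol": {"registrar"}}

DB_GRANTS = {                  # database account -> tables with direct SELECT
    "alice": {"table:employee"},
    "dave":  {"table:employee", "table:student"},   # direct DB access, no ERP role at all
}

REPORT_GROUPS = {              # reporting-tool group -> data sets it can query
    "hr_reports": {"report:employee_salary"},
}
REPORT_USER_GROUPS = {"alice": {"hr_reports"}, "carol": {"hr_reports"}}


def effective_access():
    """Return {user: {object: {source, ...}}} merged from all three systems.

    The source tag records which system and role/group confers each object, so
    a reviewer can see access granted outside the ERP's own roles (e.g. "dave").
    """
    access = defaultdict(lambda: defaultdict(set))
    for user, roles in ERP_USER_ROLES.items():
        for role in roles:
            for obj in ERP_ROLE_FIELDS.get(role, ()):
                access[user][obj].add(f"erp:{role}")
    for user, tables in DB_GRANTS.items():
        for obj in tables:
            access[user][obj].add("database")
    for user, groups in REPORT_USER_GROUPS.items():
        for grp in groups:
            for obj in REPORT_GROUPS.get(grp, ()):
                access[user][obj].add(f"reporting:{grp}")
    return {u: dict(objs) for u, objs in access.items()}


def who_can_reach(obj):
    """Inverse view: every user (and via which source) that can reach one key object."""
    return {u: objs[obj] for u, objs in effective_access().items() if obj in objs}


# --- Constructed export log: timestamp, user, object, rows, action -----------
EXPORT_LOG = [
    "2007-03-01T09:12:00 user=alice object=employee.ssn rows=1200 action=export",
    "2007-03-01T09:40:00 user=bob object=student.grade rows=30 action=export",
    "2007-03-02T22:15:00 user=carol object=report:employee_salary rows=5000 action=export",
    "2007-03-02T22:16:00 user=bob object=student.grade rows=25 action=view",
]
SENSITIVE = {"employee.ssn", "employee.salary", "report:employee_salary", "student.grade"}


def parse_export_line(line):
    """Parse one constructed log line into a dict; rows becomes an int."""
    ts, *kv = line.split()
    rec = dict(p.split("=", 1) for p in kv)
    rec["ts"] = ts
    rec["rows"] = int(rec["rows"])
    return rec


def sensitive_downloads(log=EXPORT_LOG, min_rows=0):
    """Rows exported from sensitive objects per user, for the "who downloaded" report.

    Only action=export on a sensitive object counts; viewing on screen does not.
    Returns {user: total_rows}.
    """
    totals = defaultdict(int)
    for rec in map(parse_export_line, log):
        if rec["action"] == "export" and rec["object"] in SENSITIVE and rec["rows"] >= min_rows:
            totals[rec["user"]] += rec["rows"]
    return dict(totals)
```

The point of merging the three sources is the one the survey makes: a role report taken from the ERP alone would never show that "dave" can read the employee table directly, or that "carol" reaches salary data through the reporting tool despite holding only a registrar role in the ERP. The `min_rows` threshold lets the download report be tuned to large exports without hiding the per-user totals.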

31
www.educause.edu/security
  • Joy Hughes, CIO and VPIT, George Mason
    University
  • jhughes_at_gmu.edu