Title: ERP Risks, Security Checklist, and Priorities for Change
ERP Risks, Security Checklist, and Priorities for Change
- Joy R. Hughes
- VPIT and CIO
- George Mason University
- Co-chair STF
AGENDA
- Genesis of the ERP Security Project
- SunGard Focus Groups
- 2006 Security Professionals Conference - BOF
- Comparison of Opinions
- Checklist
- Survey
- Deal-Killers
Genesis
- STF hearing how difficult it is to know how to configure the new ERP and its 3rd party products, like reporting
- STF hearing about the overhead of managing access roles
- States passing laws requiring CISOs to certify new software is secure
SunGard Focus Groups
- STF approached SunGard
- 3rd party market research firm at BUG
- Virginia IT Auditors STF input
- MR firm: structured, open-ended questions
- CIOs and directors of admin systems
Security Professionals
- BOF at last year's conference
- Mostly security officers, some CIOs
- Reviewed BUG outcomes
- Added SP perspective
Compare Opinions
- How do the opinions on ERP security differ or match between the Security Professionals at the 2006 BOF and the CIOs and Directors of Admin Systems at the 2006 BUG?
Enterprise IdM
- CIOs in Focus Groups
  - E-IdM should control ERP
- Security Professionals
  - ... and all other enterprise apps
  - But what about schools that don't have an E-IdM?
Lack of Process Documentation
- CIOs in Focus Group
  - Real problem
- Security Professionals
  - Thumbs down on procurement
Masking/Encryption of Sensitive Data
- CIOs in Focus Group
  - Say they have it, but not always where you need it, and it severely impacts performance
- Security Professionals
  - Thumbs down on procurement
Weak Passwords/PINs
- CIOs in Focus Group
  - We're managing despite this
- Security Professionals
  - Thumbs down on procurement because it violates state/institutional policy
Pre-Implementation Security Consulting
- CIOs in Focus Group
  - Lack time and mind share
- Security Professionals
  - Institution and vendor need to invest in this
More Secure Reporting Systems
- CIOs in Focus Group
  - It's a problem, but we're managing
- Security Professionals
  - Violates institutional and state policy, but can't be blamed on the vendor
Security Checklist
- Purpose
  - Enable better procurement decisions
  - Provide SPs with a tool to use to meet state requirements
  - Influence vendors to make security improvements
ERP Security Checklist Topics
- Managing Roles and Responsibilities
- Passwords, IDs and PINs
- Data Standards and Integrity
- Process Documentation
- Exporting Sensitive Data
Sample from Roles/Responsibilities
- Is there a web-based tool that allows you to see
the access that has been provided to a user with
respect to the fields/tables/forms in the
product, its underlying database, and integrated
third party products and reporting tools?
Sample from Roles/Responsibilities
- Can the vendor provide you with the names of
institutions similar to yours that have
implemented role based security on a wide variety
of roles so that you can assess the person hours
that will be needed to implement and maintain
role based security?
Sample from PINs/IDs/Passwords
- Does the system require strong passwords?
- Are the IDs randomly or sequentially generated?
Are they at least 8 characters long?
Sample from Data Standards/Integrity
- Are data fields encrypted at the database level?
- Is each standardized data field adequately documented in a data dictionary?
- As the institution articulates the standards/rules that define a data field, do these standards/rules then become part of a data dictionary?
Sample from Data Standards/Integrity
- Can the vendor provide you with the names of institutions similar to yours that have implemented features such as encrypted data fields and audit trails on data fields, so that you can determine the effect on performance of implementing these features on all the fields that need to be protected?
Sample from Process Documentation
- Are there visual representations of processes, role approvals, security checkpoints, data flow, and tables touched/accessed during each process?
- Are there clear and complete work flow diagrams?
ERP Security Survey
- Created from the items on the checklist
- Respondents: subscribers to the EDUCAUSE listserv for admin system management (mostly Directors of Admin Systems)
- Survey closed March 15, 2007
Complete the Survey
- Ten minutes (okay to select the "don't know" option)
- Use the red pencil to circle the deal killers
- After you're done, we'll look at how the listserv respondents answered the questions.
Security Flaws - Survey
- No information is provided on the implications of
providing a role with access to a particular
field, table or form (e.g. giving permission
to access this form will allow the user to
navigate to another form and change grades even
though the grade field is not visible on this
form).
Security Flaws - Survey
- Cannot define context-sensitive roles (e.g. this user can perform a function for specified records only at a specified point in the processing cycle).
Security Flaws - Survey
- If a user is allowed to process sensitive data in the ERP, one can't restrict that user from downloading the data.
- Products that are supposed to be integrated with the vendor's ERP do not have a consistent role-based architecture.
Security Flaws - Survey
- There is no tool provided that allows you to see
the access that has been provided to a user with
respect to the fields/tables/forms in the ERP,
its underlying database, and integrated third
party products and reporting tools.
Security Flaws - Survey
- The ERP roles cannot be managed by the institution's identity management system.
- Strong passwords are not required.
- Encryption and auditing of special fields degrades performance.
Security Flaws - Survey
- There is insufficient work flow and process documentation.
- Critical processes, such as payroll, cannot be run first in audit mode.
DEAL KILLERS: System Must Haves
- Strong passwords; SSNs can't be the IDs
- Role-based access, granular and context sensitive
- Link to the institution's enterprise Identity Management System so that the IdM controls access and authorization to the ERP.
- Encrypt all fields that the state or feds require you to protect, without degrading performance (encrypt data at rest)
DEAL KILLERS: System Must Haves
- Link to a utility that shows all access for each user (fields, tables, forms, etc.)
- Link to a utility that shows who has access to certain key fields, forms, etc.
- Provide reports that show who has been downloading sensitive data
- Process and workflow documentation
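As an added illustration, not part of the original presentation or of any vendor's product: a minimal model of what the must-haves above ask for. Roles grant actions on fields only in given processing stages, "export" is a permission distinct from "view" (so processing sensitive data does not imply being able to download it), and the two "who has access" utilities plus the download report are simple queries over the same policy. All field names, roles, users and stages are constructed.

```python
from collections import namedtuple
# Constructed sample policy; fields, roles, users and stages are hypothetical. A Grant gives a
# role actions (view/update/export) on a field in the listed processing stages (empty = any).
Grant = namedtuple("Grant", "field actions stages")
SENSITIVE_FIELDS = {"SSN", "GRADE", "SALARY"}
# "export" is distinct from "view": a role can process sensitive data without downloading it.
POLICY = {
    "registrar_clerk": [
        Grant("GRADE", {"view", "update"}, {"grading_open"}),
        Grant("GRADE", {"view"}, {"grades_final"}),
    ],
    "payroll_clerk": [
        Grant("SALARY", {"view", "update"}, {"payroll_prep"}),
        Grant("SSN", {"view"}, set()),
    ],
    "data_warehouse": [Grant("SALARY", {"view", "export"}, set())],
}
USER_ROLES = {"alice": {"registrar_clerk"}, "bob": {"payroll_clerk", "data_warehouse"}}
AUDIT_LOG = []  # (user, field, stage, allowed) for every export attempt, allowed or denied

def grants_for(user):
    for role in USER_ROLES.get(user, ()):
        yield from POLICY.get(role, ())

def is_allowed(user, action, field, stage):
    """Context-sensitive check: some role must grant the action on the field in this stage."""
    return any(g.field == field and action in g.actions and (not g.stages or stage in g.stages)
               for g in grants_for(user))

def access_for_user(user):
    """Checklist item: all access one user has, as field -> sorted actions."""
    out = {}
    for g in grants_for(user):
        out.setdefault(g.field, set()).update(g.actions)
    return {f: sorted(a) for f, a in out.items()}

def who_can(action, field):
    """Checklist item: which users can perform an action on a key field (in any stage)."""
    return sorted(u for u in USER_ROLES
                  if any(g.field == field and action in g.actions for g in grants_for(u)))

def export_field(user, field, stage):
    """Exports pass one gate and are logged, so downloads of sensitive data are reportable."""
    AUDIT_LOG.append((user, field, stage, is_allowed(user, "export", field, stage)))
    return AUDIT_LOG[-1][3]

def sensitive_exports():
    """Checklist item: report of who actually downloaded sensitive data."""
    return [e for e in AUDIT_LOG if e[3] and e[1] in SENSITIVE_FIELDS]
```

The same policy table answers both "what can this user reach" and "who can reach this field", which is the visibility the checklist asks the vendor tool to provide.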
www.educause.edu/security
- Joy Hughes, CIO and VPIT, George Mason University
- jhughes_at_gmu.edu