ERP Risks, Security Checklist, and Priorities for Change
Joy R. Hughes, VPIT and CIO, George Mason University, Co-chair STF
AGENDA • Genesis of the ERP Security Project • SunGard Focus Groups • 2006 Security Professionals Conference - BOF • Comparison of Opinions • Checklist • Survey • Deal-Killers
Genesis • STF hearing how difficult it is to know how to configure the new ERP and its third-party products, such as reporting tools • STF hearing about the overhead of managing access roles • States passing laws requiring CISOs to certify that new software is secure
SunGard Focus Groups • STF approached SunGard • A third-party market research firm ran the groups at BUG • Input from Virginia IT auditors and the STF • The market research firm used structured and open-ended questions • Participants: CIOs and directors of administrative systems
Security Professionals • BOF at last year's conference • Mostly security officers, some CIOs • Reviewed the BUG outcomes • Added the security professionals' perspective
Compare Opinions • How do the opinions on ERP security of the Security Professionals at the 2006 BOF differ from or match those of the CIOs and Directors of Admin Systems at the 2006 BUG?
Enterprise IdM • CIOs in Focus Groups: E-IdM should control the ERP • Security Professionals: …and all other enterprise apps. But what about schools that don't have an E-IdM?
Lack of Process Documentation • CIOs in Focus Groups: Real problem • Security Professionals: "Thumbs down" on procurement
Masking/Encryption of Sensitive Data • CIOs in Focus Groups: Say they have it, but not always where you need it, and it severely impacts performance • Security Professionals: "Thumbs down" on procurement
Weak Passwords/PINs • CIOs in Focus Groups: We're managing despite this • Security Professionals: "Thumbs down" on procurement, because it violates state and institutional policy
Pre-Implementation Security Consulting • CIOs in Focus Groups: Lack time and mind share • Security Professionals: Institution and vendor need to invest in this
More Secure Reporting Systems • CIOs in Focus Groups: It's a problem, but we're managing • Security Professionals: Violates institutional and state policy, but can't be blamed on the vendor
Security Checklist Purpose • Enable better procurement decisions • Provide SPs with a tool to use to meet state requirements • Influence vendors to make security improvements
ERP Security Checklist Topics • Managing Roles and Responsibilities • Passwords, IDs and PINs • Data Standards and Integrity • Process Documentation • Exporting Sensitive Data
Sample from Roles/Responsibilities • Is there a web-based tool that allows you to see the access that has been provided to a user with respect to the fields/tables/forms in the product, its underlying database, and integrated third-party products and reporting tools? • Can the vendor provide you with the names of institutions similar to yours that have implemented role-based security on a wide variety of roles, so that you can assess the person-hours that will be needed to implement and maintain role-based security?
Sample from PINs/IDs/Passwords • Does the system require strong passwords? • Are the IDs randomly or sequentially generated? Are they at least 8 characters long?
Sample from Data Standards/Integrity • Are data fields encrypted at the database level? • Is each standardized data field adequately documented in a data dictionary? • As the institution articulates the standards/rules that define a data field, do these standards/rules then become part of a data dictionary? • Can the vendor provide you with the names of institutions similar to yours that have implemented features such as encrypted data fields and audit trails on data fields, so that you can determine the effect on performance of implementing these features on all the fields that need to be protected?
Sample from Process Documentation • Are there visual representations of processes, role approvals, security checkpoints, data flow, and tables touched/accessed during each process? • Are there clear and complete work flow diagrams?
ERP Security Survey • Created from the items on the checklist • Respondents: Subscribers to EDUCAUSE listserv for admin system management (mostly Directors of Admin Systems) • Survey closed March 15, 2007
Complete the Survey • Ten minutes (okay to select “don’t know” option) • Use the red pencil to circle the “deal killers” • After you’re done, we’ll look at how the listserv respondents answered the questions.
Security Flaws – Survey • No information is provided on the implications of giving a role access to a particular field, table or form (e.g. "giving permission to access this form will allow the user to navigate to another form and change grades even though the grade field is not visible on this form"). • Cannot define context-sensitive roles (e.g. this user can perform a function for specified records only at a specified point in the processing cycle). • If a user is allowed to process sensitive data in the ERP, one cannot restrict that user from downloading the data. • Products that are supposed to be integrated with the vendor's ERP do not have a consistent role-based architecture. • There is no tool provided that allows you to see the access that has been provided to a user with respect to the fields/tables/forms in the ERP, its underlying database, and integrated third-party products and reporting tools. • The ERP roles cannot be managed by the institution's identity management system. • Strong passwords are not required. • Encryption and auditing of special fields degrades performance. • There is insufficient workflow and process documentation. • Critical processes, such as payroll, cannot be run first in audit mode.
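The context-sensitive role the survey respondents say they cannot define, as an added example written for this page and not taken from any vendor's role model: a small Python policy evaluator in which a role grants a function only for records inside the user's scope and only during named phases of the processing cycle, beside the flat, context-free check that the respondents reported. All role, user, action, phase and record names are constructed for the illustration.

```python
from dataclasses import dataclass

# Constructed sample policy; role, action and phase names are hypothetical and
# not taken from any vendor's role model.


@dataclass(frozen=True)
class Rule:
    action: str        # function the role may perform
    scope_attr: str    # record attribute that must fall inside the user's scope ("*" = any record)
    phases: frozenset  # processing-cycle phases during which the action is permitted


ROLE_RULES = {
    # Instructors may post grades only for their own sections and only while grading is open.
    "instructor": [Rule("post_grade", "section", frozenset({"grading_open"}))],
    # The registrar may post grades for any record, during grading and the change window.
    "registrar": [Rule("post_grade", "*", frozenset({"grading_open", "grade_change_window"}))],
}

USERS = {
    "alice": {"roles": {"instructor"}, "scope": {"section": {"CS101-01", "CS101-02"}}},
    "carol": {"roles": {"registrar"}, "scope": {}},
}


def flat_authorize(user, action):
    """Context-free check: the role either has the function or it does not.

    This is the model the survey complains about: once granted, the function
    applies to every record at every point in the processing cycle.
    """
    roles = USERS.get(user, {}).get("roles", set())
    return any(rule.action == action for role in roles for rule in ROLE_RULES.get(role, ()))


def authorize(user, action, record, phase):
    """Context-sensitive check. Returns (allowed, reason).

    A request is allowed if some rule of some role of the user grants `action`,
    the record lies inside the user's scope for that rule, and the current
    processing-cycle phase is one the rule permits.
    """
    u = USERS.get(user)
    if u is None:
        return False, "unknown user"
    reasons = []
    for role in sorted(u["roles"]):
        for rule in ROLE_RULES.get(role, ()):
            if rule.action != action:
                continue
            if phase not in rule.phases:
                reasons.append(f"{role}: {action} not permitted during phase {phase}")
                continue
            if rule.scope_attr != "*":
                allowed_values = u["scope"].get(rule.scope_attr, set())
                value = record.get(rule.scope_attr)
                if value not in allowed_values:
                    reasons.append(f"{role}: record {rule.scope_attr}={value!r} outside scope")
                    continue
            return True, f"granted by role {role}"
    return False, "; ".join(reasons) or f"no role grants {action}"


if __name__ == "__main__":
    own = {"id": "S1", "section": "CS101-01"}
    other = {"id": "S2", "section": "CS102-01"}
    print(flat_authorize("alice", "post_grade"))                          # flat model: True for any record, any phase
    print(authorize("alice", "post_grade", own, "grading_open"))          # allowed
    print(authorize("alice", "post_grade", other, "grading_open"))        # denied: record outside scope
    print(authorize("alice", "post_grade", own, "term_closed"))           # denied: wrong phase
    print(authorize("carol", "post_grade", other, "grade_change_window")) # allowed: registrar, any record
```

The evaluator collects a reason for every rule that was considered and rejected, which is what a reviewer needs when reconstructing why an access was or was not allowed; a single rule that fails on phase does not block another role of the same user that permits the action.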
DEAL KILLERS: System Must Haves • Strong passwords; SSNs can't be the IDs • Role-based access that is granular and context sensitive • Link to the institution's enterprise Identity Management System so that the IdM controls access and authorization to the ERP • Encrypt all fields that state or federal law requires you to protect, without degrading performance; encrypt data at rest • Link to a utility that shows all access for each user (fields, tables, forms, etc.) • Link to a utility that shows who has access to certain key fields, forms, etc. • Provide reports that show who has been downloading sensitive data • Process and workflow documentation
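The access-review utility asked for in the Roles/Responsibilities checklist item, the survey flaws and the deal-killer list (see all access for each user across forms, tables and reports; see who can reach a key field), as an added example rather than code from any ERP vendor: a Python script over a constructed sample of IdM role assignments, per-system grants and form-to-form navigation links. It follows navigation links transitively, so it surfaces the case the survey flags where granting one form lets the user navigate to another form and edit a grade field that is not visible on the granted form. All user, role, form, table and field names are hypothetical.

```python
from collections import deque

# Constructed sample data for illustration; the role, form, table and field
# names are hypothetical and do not come from any particular ERP product.

# Role assignments held in the institution's identity management system.
USER_ROLES = {
    "alice": {"registrar_clerk"},
    "bob": {"payroll_analyst", "report_viewer"},
}

# What each role is granted in each system: ERP forms, database tables and
# reporting datasets. Integrated products often keep these in separate stores,
# which is why a single cross-system view has to be assembled.
ROLE_GRANTS = {
    "registrar_clerk": {"erp_form": {"REGISTRATION"}, "db_table": {"student.enrollment"}},
    "payroll_analyst": {"erp_form": {"TIMESHEET"}, "db_table": {"hr.payroll"}},
    "report_viewer": {"report": {"enrollment_summary", "payroll_detail"}},
}

# Navigation links between ERP forms. Granting a form implicitly exposes every
# form reachable from it, even when the target's fields are not visible on the
# form that was granted.
FORM_LINKS = {
    "REGISTRATION": {"GRADE_ENTRY"},
    "GRADE_ENTRY": set(),
    "TIMESHEET": {"PAY_RATE"},
    "PAY_RATE": set(),
}
FORM_FIELDS = {
    "REGISTRATION": {"course_id", "section"},
    "GRADE_ENTRY": {"grade"},
    "TIMESHEET": {"hours"},
    "PAY_RATE": {"salary", "ssn"},
}
# Fields that state or institutional policy requires the institution to protect.
SENSITIVE_FIELDS = {"grade", "salary", "ssn"}


def reachable_forms(start_forms):
    """Transitive closure over FORM_LINKS: every form a user can navigate to."""
    seen = set(start_forms)
    queue = deque(start_forms)
    while queue:
        form = queue.popleft()
        for nxt in FORM_LINKS.get(form, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def effective_access(user):
    """Everything `user` can touch across the ERP, its database and the reporting tool.

    Returns the objects granted per system, the forms that are reachable only by
    navigation, and the fields (and sensitive fields) exposed as a result.
    """
    access = {"erp_form": set(), "db_table": set(), "report": set()}
    for role in USER_ROLES.get(user, ()):
        for kind, objects in ROLE_GRANTS.get(role, {}).items():
            access[kind] |= objects
    direct_forms = set(access["erp_form"])
    access["erp_form"] = reachable_forms(direct_forms)
    access["navigated_only"] = access["erp_form"] - direct_forms
    access["fields"] = {fld for form in access["erp_form"] for fld in FORM_FIELDS.get(form, ())}
    access["sensitive_fields"] = access["fields"] & SENSITIVE_FIELDS
    return access


def who_can_reach(field):
    """Reverse lookup: every user whose effective access exposes `field`."""
    return sorted(u for u in USER_ROLES if field in effective_access(u)["fields"])


if __name__ == "__main__":
    for user in USER_ROLES:
        acc = effective_access(user)
        print(user, "forms:", sorted(acc["erp_form"]),
              "via navigation only:", sorted(acc["navigated_only"]),
              "sensitive fields:", sorted(acc["sensitive_fields"]))
    for field in sorted(SENSITIVE_FIELDS):
        print(field, "reachable by:", who_can_reach(field))
```

In the sample, alice is granted only the REGISTRATION form, yet her effective access includes GRADE_ENTRY and the grade field through navigation; a report that listed direct grants alone would miss it. The same closure run in reverse answers the second deal-killer question, who can reach a given key field.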
www.educause.edu/security
Joy Hughes, CIO and VPIT, George Mason University, jhughes@gmu.edu