INFORMATION SECURITY MUST UNDERLIE ERP

Posted: October 23, 2012 by Afyanet Africa in Medical News, Product Development (IT)

Wikipedia, the free encyclopedia, defines Information Security as the means of protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.

For any enterprise that has implemented an ERP solution, this seemingly simple definition arouses fear and paranoia. Security in the e-business, Enterprise Resource Planning (ERP) world requires a new way of thinking about security: not just about the bits and bytes of network traffic, firewalls, etc., but about company transactions that inflict financial losses through systems-based fraud, neglect and errors.

While external threats from attacks and intrusions persist, the opportunity for inside fraud and systems abuse has increased exponentially with the advent of a single automated system that manages accounts payable, employee payroll, benefits and other sensitive information.

While most information security initiatives focus on perimeter security such as firewalls to keep outsiders from gaining access to the internal network, the potential for real financial loss comes from two sources. One is the risk of outsiders acting as authorized users to initiate damaging transactions within business systems. The other is the enterprise's own internal staff intentionally or unintentionally leaking confidential information. According to some of the latest IT security survey reports, internal staff carelessness is by far the biggest cause of corporate data leaks.

"A strong fortress is often compromised in-house." Regrettably, very few companies realize that the threat from within the enterprise could be bigger than the risk posed by new productivity features, such as mobile access for workers in the field and the ability to share information more easily with industry partners and vendors, which expose your system to an increased risk of unauthorized intrusion.

As a result, a business could suffer big losses in profit and image.

All is not lost; there are many controls that CIOs can put in place that will give Chief Executives peace of mind. They include some basic fundamentals such as:

  • Requiring approvals on transactions
  • Data encryption
  • Uniquely identifying every transaction initiated
  • Restricting access to the manipulation tools for changing system parameters, configurations and/or master data
  • Separating developers from testers and deployers
  • Management review of reports using defined and documented criteria, for example to assure that users are not circumventing procurement limits by submitting and approving multiple smaller purchases

The following basic universal principles will also help make sure your ERP implementation results in a secure deployment that mitigates most of the risks discussed above:

  • Evaluate & build up ERP access control policies and measures for on-going sustainability
  • Make use of field-tested methodologies and tools to facilitate the process of designing or re-designing appropriate data security
  • Analyze access to sensitive application objects, transactions and windows as applicable
  • Carry out segregation of duties analysis in all modules of a given ERP system
  • Be involved with the construction, deployment & testing of proper security user roles & access authorizations
  • Assist with the deployment of appropriate security configuration settings and procedures.

The benefits of implementing world-class, respected ERPs such as A1 ERP, SAP and Oracle are negated unless robust application-level security is built into the design from the word go. The subtle balance between data availability and a well-secured ERP implementation is not easy to achieve. It is advisable to have a penetration test of your ERP implementation done by a reputable firm, as it helps to reveal the potential system breaches that could allow attackers to gain access to the business's critical data for espionage, fraud or sabotage.

Never trust your staff too much! It is risky to give one person access rights to alter your ERP system however they want. This is especially true when your IT staff are given Administrator rights to the database. As a basic rule, the ERP system should be configured so that an activation code is needed to manipulate key processes within the system. Audit logs and alerts should capture and report any change effected on the system and by whom. Access rights ought to be distributed across several persons in such a way that even if one decides to sabotage the firm, the access rights held by another will restrict the act. Security credentials for system access should be guarded with vigour.
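Two of the controls above, the management review that catches procurement limits being dodged with several smaller purchases and the segregation-of-duties rule that the person raising a transaction must not also approve it, can be run as a report over the ERP's purchase order export. The example below is added here and is not code from the original post or from any ERP vendor; the purchase orders, the 5000 approval limit and the 7-day review window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample purchase orders (not real ERP data); in practice these
# would be exported from the ERP's PO table. Amounts are in company currency.
PURCHASE_ORDERS = [
    {"po": "PO-1001", "requester": "alice", "approver": "bob", "vendor": "V-ACME", "amount": 4900.0, "date": "2012-10-01"},
    {"po": "PO-1002", "requester": "alice", "approver": "bob", "vendor": "V-ACME", "amount": 4800.0, "date": "2012-10-02"},
    {"po": "PO-1003", "requester": "alice", "approver": "bob", "vendor": "V-ACME", "amount": 4700.0, "date": "2012-10-04"},
    {"po": "PO-1004", "requester": "carol", "approver": "carol", "vendor": "V-ZED", "amount": 1200.0, "date": "2012-10-03"},
    {"po": "PO-1005", "requester": "dave", "approver": "erin", "vendor": "V-ZED", "amount": 3000.0, "date": "2012-10-10"},
    {"po": "PO-1006", "requester": "dave", "approver": "erin", "vendor": "V-ZED", "amount": 2500.0, "date": "2012-10-25"},
]

APPROVAL_LIMIT = 5000.0  # assumed: POs at or above this need a second approver
WINDOW_DAYS = 7          # assumed review window for related purchases


def sod_violations(orders):
    """Segregation of duties: whoever raises a PO must not also approve it."""
    return [o["po"] for o in orders if o["requester"] == o["approver"]]


def split_purchase_suspects(orders, limit=APPROVAL_LIMIT, window_days=WINDOW_DAYS):
    """Flag requester/vendor pairs whose individually under-limit POs add up
    to the limit or more inside a sliding window of window_days days.
    Returns {(requester, vendor): ([po ids], total)} for the largest cluster."""
    by_pair = defaultdict(list)
    for o in orders:
        if o["amount"] < limit:  # only POs that avoided the second approver
            by_pair[(o["requester"], o["vendor"])].append(o)
    findings = {}
    for pair, pos in by_pair.items():
        pos.sort(key=lambda o: o["date"])
        dates = [datetime.strptime(o["date"], "%Y-%m-%d") for o in pos]
        best = None
        for i, start in enumerate(dates):
            cluster = [o for o, d in zip(pos[i:], dates[i:]) if d - start <= timedelta(days=window_days)]
            total = sum(o["amount"] for o in cluster)
            if len(cluster) > 1 and total >= limit and (best is None or total > best[1]):
                best = ([o["po"] for o in cluster], total)
        if best:
            findings[pair] = best
    return findings


if __name__ == "__main__":
    print("SoD violations:", sod_violations(PURCHASE_ORDERS))
    for pair, (pos, total) in split_purchase_suspects(PURCHASE_ORDERS).items():
        print(f"possible split purchase by {pair[0]} at {pair[1]}: {pos} totalling {total:.2f}")
```

Dave's two orders are 15 days apart and so fall outside the 7-day window; widening the window to 30 days flags them as well, which is why the review criteria must be defined and documented rather than left to the reviewer's judgement.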

Today I end with a story: A worker once left her ID unattended, where all could see. It disappeared that day, and we're sorry to say, so did the company's IP. (IP = intellectual property) Note: Act before it's too late to act.

Author:

KAMAU TIRUS is the Head of Product Development & Innovation at Alliance Technologies and is responsible for driving and providing leadership for Research & Development (R&D) activities at the leading Open Source Software Engineering firm in the region. EMAIL: wtirus@gmail.com
