ERP Risks, Security Checklist, and Priorities for Change

Joy R. Hughes, VPIT and CIO, George Mason University, Co-chair STF (PowerPoint presentation)

Page 1: ERP Risks, Security Checklist, and Priorities for Change

ERP Risks, Security Checklist, and Priorities for Change

Joy R. Hughes, VPIT and CIO

George Mason University, Co-chair STF

Page 2

AGENDA

- Genesis of the ERP Security Project
- Sunguard Focus Groups
- 2006 Security Professionals Conference - BOF
- Comparison of Opinions
- Checklist
- Survey
- Deal-Killers

Page 3

Genesis

STF hearing how difficult it is to know how to configure a new ERP and its 3rd party products, such as reporting tools

STF hearing about the overhead of managing access roles

States passing laws requiring CISOs to certify new software is secure

Page 4

Sunguard Focus Groups

STF approached Sunguard

3rd party market research firm at BUG

Virginia IT Auditors and STF input

MR firm: structured and open-ended questions

CIOs and directors of admin systems

Page 5

Security Professionals

BOF at last year’s conference

Mostly security officers, some CIOs

Reviewed BUG outcomes

Added SP perspective

Page 6

Compare Opinions

How do the opinions on ERP security differ or match between the Security Professionals at the 2006 BOF and the CIOs and Directors of Admin Systems at the 2006 BUG?

Page 7

Enterprise IdM

CIOs in Focus Groups: E-IdM should control ERP

Security Professionals: …and all other enterprise apps

But… what about schools that don’t have an E-IdM?

Page 8

Lack of Process Documentation

CIOs in Focus Group: Real problem

Security Professionals: “Thumbs down” on procurement

Page 9

Masking/Encryption of Sensitive Data

CIOs in Focus Group: Say they have it, but not always where you need it, and it severely impacts performance

Security Professionals: “Thumbs down” on procurement

Page 10

Weak Passwords/PINs

CIOs in Focus Group: We’re managing despite this

Security Professionals: “Thumbs down” on procurement because it violates state and institutional policy

Page 11

Pre-Implementation Security Consulting

CIOs in Focus Group: Lack time and mind share

Security Professionals: Institution and vendor need to invest in this

Page 12

More Secure Reporting Systems

CIOs in Focus Group: It’s a problem, but we’re managing

Security Professionals: Violates institutional and state policy, but can’t be blamed on the vendor

Page 13

Security Checklist

Purpose:

- enable better procurement decisions

- provide SPs with a tool to use to meet state requirements

- influence vendors to make security improvements

Page 14

ERP Security Checklist Topics

Managing Roles and Responsibilities

Passwords, IDs and PINs

Data Standards and Integrity

Process Documentation

Exporting Sensitive Data

Page 15

Sample from Roles/Responsibilities

Is there a web-based tool that allows you to see the access that has been provided to a user with respect to the fields/tables/forms in the product, its underlying database, and integrated third party products and reporting tools?

Page 16

Sample from Roles/Responsibilities

Can the vendor provide you with the names of institutions similar to yours that have implemented role based security on a wide variety of roles so that you can assess the person hours that will be needed to implement and maintain role based security?

Page 17

Sample from PINs/IDs/Passwords

Does the system require strong passwords?

Are the IDs randomly or sequentially generated? Are they at least 8 characters long?

Page 18

Sample from Data Standards/Integrity

Are data fields encrypted at the database level?

Is each standardized data field adequately documented in a data dictionary?

As the institution articulates the standards/rules that define a data field, do these standards/rules then become part of a data dictionary?

Page 19

Sample from Data Standards/Integrity

Can the vendor provide you with the names of institutions similar to yours that have implemented features such as:

- encrypted data fields

- audit trails on data fields

so that you can determine the effect on performance of implementing these features on all the fields that need to be protected?

Page 20

Sample from Process Documentation

Are there visual representations of processes, role approvals, security checkpoints, data flow, and tables touched/accessed during each process?

Are there clear and complete work flow diagrams?

Page 21

ERP Security Survey

Created from the items on the checklist

Respondents: Subscribers to EDUCAUSE listserv for admin system management (mostly Directors of Admin Systems)

Survey closed March 15, 2007

Page 22

Complete the Survey

Ten minutes (okay to select “don’t know” option)

Use the red pencil to circle the “deal killers”

After you’re done, we’ll look at how the listserv respondents answered the questions.

Page 23

Security Flaws – Survey

No information is provided on the implications of providing a role with access to a particular field, table or form

(e.g. “giving permission to access this form will allow the user to navigate to another form and change grades even though the grade field is not visible on this form”).

Page 24

Security Flaws – Survey

Cannot define context-sensitive roles (e.g. this user can perform a function for specified records only at a specified point in the processing cycle).

Page 25

Security Flaws – Survey

If a user is allowed to process sensitive data in the ERP, one can’t restrict that user from downloading the data.

Products that are supposed to be integrated with the vendor’s ERP do not have a consistent role based architecture.

Page 26

Security Flaws – Survey

There is no tool provided that allows you to see the access that has been provided to a user with respect to the fields/tables/forms in the ERP, its underlying database, and integrated third party products and reporting tools.

Page 27

Security Flaws – Survey

The ERP roles cannot be managed by the institution’s identity management system.

Strong passwords are not required.

Encryption and auditing of special fields degrades performance.

Page 28

Security Flaws – Survey

There is insufficient work flow and process documentation.

Critical processes, such as payroll, cannot be run first in audit mode.

Page 29

DEAL KILLERS: System Must Haves

Strong passwords; SSNs can’t be the IDs

Role based access – granular and context sensitive

Link to the institution’s enterprise Identity Management System so that the IdM controls access and authorization to the ERP.

Encrypt all fields that the state or feds require you to protect, without degrading performance; encrypt data at rest

Page 30

DEAL KILLERS: System Must Haves

Link to a utility that shows all access for each user (fields, tables, forms, etc.)

Link to a utility that shows who has access to certain key fields, forms, etc.

Provide reports that show who has been downloading sensitive data

Process and workflow documentation
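As an added illustration that is not part of the presentation, the Python sketch below models what the context-sensitive roles the survey found missing (slide 24) and the "show all access for each user" and "who has access to a key field" utilities listed as must-haves (slide 30) look like in a deny-by-default authorization model; the role, user, function and record names are constructed for the example and belong to no vendor's ERP.

```python
from dataclasses import dataclass

# Constructed model, not any vendor's ERP: a Grant ties an ERP function to the
# records it covers and to the processing-cycle stages in which a role may use
# it. That stage dimension is what makes the role "context sensitive".
@dataclass(frozen=True)
class Grant:
    function: str        # ERP function, e.g. "change_grade"
    records: frozenset   # record ids covered; empty set means all records
    stages: frozenset    # processing stages in which the grant is valid

# Hypothetical roles and users (assumed names, constructed for this example).
ROLES = {
    "registrar_clerk": frozenset({
        Grant("change_grade", frozenset({"CRS101", "CRS102"}), frozenset({"grading_open"})),
        Grant("view_roster", frozenset(), frozenset({"grading_open", "grades_posted"})),
    }),
    "payroll_auditor": frozenset({
        Grant("run_payroll", frozenset(), frozenset({"audit"})),  # audit mode only, never live
    }),
}
USERS = {"alice": {"registrar_clerk"}, "bob": {"payroll_auditor"}}


def grants_for(user):
    """Every grant a user holds, tagged with the role that confers it."""
    return [(role, g) for role in sorted(USERS.get(user, ())) for g in ROLES.get(role, ())]


def is_allowed(user, function, record, stage):
    """Deny by default; allow only when a grant matches function, record and stage."""
    return any(
        g.function == function
        and (not g.records or record in g.records)
        and stage in g.stages
        for _, g in grants_for(user)
    )


def access_report(user):
    """Flat view of what a user can touch and when: the 'show all access' utility."""
    return sorted(
        (role, g.function, sorted(g.records) or ["*"], sorted(g.stages))
        for role, g in grants_for(user)
    )


def who_can(function, record, stage):
    """Reverse lookup: which users can exercise a function on a record in a stage."""
    return sorted(u for u in USERS if is_allowed(u, function, record, stage))
```

A real deployment would read the grant table from the ERP's role store and the current stage from the process engine; the two report functions are the parts a security officer would run when answering the checklist question on slide 15.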

Page 31

www.educause.edu/security

Joy Hughes, CIO and VPIT, George Mason University

[email protected]