ERP Security Checklist ENT 2007

Joy R. Hughes

VPIT and CIO

George Mason University

Co-chair STF

ERP Checklist 2007

Copyright Joy Hughes, 2007.

This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

AGENDA

- STF Concerns
- Sungard Focus Groups
- 2006 Security Professionals Conference - BOF
- Checklist at VA SCAN
- Survey: Admin Systems Managers
- Survey: 2007 Security Professionals
- Revised Checklist with Deal-Killers

STF Concerns

- Too difficult for campuses to know how to securely configure the new ERP & its 3rd party products, like reporting, imaging, etc.

- Overhead of managing access roles is so great that campuses are not able to control “need to know” access.

- More states are passing laws requiring CISOs to certify software is secure before purchase

SUNGARD FOCUS GROUPS

Sungard Focus Groups

STF approached Sungard

3rd party market research firm at BUG

Virginia IT Auditors & STF Input

Market research firm: structured and open-ended questions

CIOs and directors of admin systems

2006 SECURITY PROFESSIONALS CONFERENCE

Security Professionals

BOF at 2006 conference

Mostly security officers, some CIOs

Reviewed BUG outcomes

Added SP perspective

#1 Difference between Groups

Security Professionals insisted that institutions and vendors must invest more in pre-implementation security consulting and best practices.

CREATED SECURITY CHECKLIST

Security Checklist

Purpose:

- enable better procurement decisions

- provide SPs with a tool to use to meet state requirements

- influence vendors to make security improvements

ERP Security Checklist Topics

Managing Roles and Responsibilities

Passwords, IDs and PINs

Data Standards and Integrity

Process Documentation

Exporting Sensitive Data

VA SCAN CONFERENCE

Checklist at VA SCAN

October 2006

Mostly Security Professionals

PeopleSoft and Sungard Banner

CREATED SECURITY SURVEY

ERP Security Survey

38 item survey created from the checklist

Survey closed March 15, 2007

Survey of Admin Listserv

Respondents: Subscribers to EDUCAUSE listserv for admin system management (mostly Directors of Admin Systems)

18 institutions: PeopleSoft, Sungard, Datatel, Jenzabar. All had security flaws.

Consistency within vendor

ERP Security Survey at Conference.

2007 Security Professionals in April 2007

Mostly security professionals

PeopleSoft, Sungard, Datatel, Jenzabar

Fill out survey and circle “deal killers”

19 deal killers (50%)

Overall Findings

All systems had security flaws

People from different institutions using same ERP tended to respond the same.

Security Professionals and Admin System Professionals had different gaps in knowledge

29 institutions in total

DEAL KILLERS!!!

Overall System Proposed Must Have:

Role Based Access

- “need to know” access: granular & easy to manage

- Role-based access to underlying database

- Default roles can be defined

- Roles can be tied to position categories

Overall System Proposed Must Have:

Documentation on the implications of providing a role with access to a particular field, table or form

(e.g. “giving permission to access this form will allow the user to navigate to another form and change grades even though the grade field is not visible on this form”).

Overall System Proposed Must Have:

Secure Integrated Reporting Tools

- If a user is allowed to process sensitive data in the ERP, that user can still be restricted from using the reporting tool to import the data.

- Reports are provided that show who has been importing what sensitive data

- Tool encrypts the data during transfer

Overall System Proposed Must Have:

A tool that

- allows you to see the access that has been provided to a user with respect to the fields/tables/forms in the ERP, its underlying database, and integrated third party products and reporting tools.

- makes it easy to activate/deactivate a user from the ERP and associated products

Overall System Proposed Must Have:

Great Working Relationship with E-IdM

- HR and Student feed the E-IdM

- E-IdM’s database manages ERP roles

- E-IdM controls passwords and password change policies for all systems

Overall System Proposed Must Have:

Sufficient work flow and process documentation.

“Legal” data fields are encrypted and have audit trails

Strong & encrypted passwords & secure password delivery
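The role-management, reporting-tool, access-view and E-IdM feed requirements on the “Must Have” slides above, modelled as an added Python example. This is not code from the presentation or from any ERP vendor; the role names, position categories, permission tuples, sensitive-object list and HR feed rows are all constructed for illustration. It shows roles tied to position categories with defaults, one function that reports a user's effective access across the ERP, its database and the reporting tool, an export audit trail, and a single activate/deactivate switch driven by the feed.

```python
"""Toy model of the role-management "deal killers": roles tied to position
categories with defaults, an effective-access view across the ERP, its database
and the reporting tool, an export audit trail, and one activate/deactivate
switch driven by an HR/Student feed. All names and data are constructed for
illustration; nothing here is a real ERP's API."""
from dataclasses import dataclass, field

# A permission is (system, object, action); systems: "erp", "db", "reporting".
Permission = tuple[str, str, str]

# Constructed role definitions. Note that an ERP form grant also implies
# access to the underlying database table (the "implications" requirement).
ROLES: dict[str, set[Permission]] = {
    "registrar_clerk": {
        ("erp", "form:enrollment", "update"),
        ("db", "table:enrollment", "select"),
    },
    "grade_entry": {
        ("erp", "form:grade_roster", "update"),
        ("db", "table:grades", "update"),
    },
    "enrollment_reporter": {
        ("reporting", "dataset:enrollment", "export"),
    },
    "hr_admin": {
        ("erp", "form:employee_record", "update"),
        ("db", "table:ssn", "select"),
        ("reporting", "dataset:payroll", "export"),
    },
}

# Default roles per position category ("roles can be tied to position categories").
DEFAULT_ROLES: dict[str, set[str]] = {
    "registrar_staff": {"registrar_clerk", "enrollment_reporter"},
    "faculty": {"grade_entry"},
    "hr_staff": {"hr_admin"},
}

# Objects treated as sensitive ("legal" fields, grades); constructed list.
SENSITIVE = {"table:ssn", "table:grades", "form:grade_roster", "dataset:payroll"}


@dataclass
class User:
    netid: str
    position: str
    active: bool = True
    roles: set[str] = field(default_factory=set)


def provision_from_feed(row: dict) -> User:
    """Build a user from one HR/Student feed row the way an IdM would:
    default roles come from the position category, status drives activation."""
    user = User(row["netid"], row["position"], active=row["status"] == "active")
    user.roles = set(DEFAULT_ROLES.get(row["position"], set()))
    return user


def effective_access(user: User) -> set[Permission]:
    """Everything the user can do across ERP, database and reporting tool.
    A deactivated user has no access anywhere (one switch for all systems)."""
    if not user.active:
        return set()
    return set().union(*(ROLES[r] for r in user.roles))


def can(user: User, perm: Permission) -> bool:
    return perm in effective_access(user)


def role_implications(role: str) -> list[Permission]:
    """Which sensitive objects a role reaches, including objects in systems
    other than the one named in the grant (the documentation requirement)."""
    return sorted(p for p in ROLES[role] if p[1] in SENSITIVE)


def sensitive_access_report(users: list[User]) -> dict[str, list[Permission]]:
    """Per-user view of sensitive access: the report an auditor would ask for."""
    return {u.netid: sorted(p for p in effective_access(u) if p[1] in SENSITIVE)
            for u in users}


def export_dataset(user: User, dataset: str, audit_log: list[dict]) -> bool:
    """Reporting-tool export gated by its own permission and written to an
    audit trail, so "who has been importing what" can be reported later."""
    allowed = can(user, ("reporting", f"dataset:{dataset}", "export"))
    audit_log.append({"netid": user.netid, "dataset": dataset, "allowed": allowed})
    return allowed


def deactivate(user: User) -> None:
    """Single deactivation switch; effective_access() goes empty everywhere."""
    user.active = False


# Constructed sample feed rows, as an HR system might send them to the IdM.
FEED = [
    {"netid": "aclerk", "position": "registrar_staff", "status": "active"},
    {"netid": "bprof", "position": "faculty", "status": "active"},
    {"netid": "chr", "position": "hr_staff", "status": "terminated"},
]

if __name__ == "__main__":
    users = [provision_from_feed(r) for r in FEED]
    for netid, perms in sensitive_access_report(users).items():
        print(netid, perms)
    log: list[dict] = []
    prof = users[1]
    # Faculty may change grades in the ERP but not pull them out via the reporting tool.
    print(can(prof, ("erp", "form:grade_roster", "update")), export_dataset(prof, "grades", log))
```

The design point is that `effective_access` is the only place access is computed, so the auditor's question “who can reach which field, table or export” has one answer, and deactivating a user in the feed cuts access to every system at once. The reporting export is a separate permission from the ERP update, which is what lets a faculty member change grades on the form while still being blocked from exporting the grades dataset.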

BAD NEWS!

All the ERPs had deal killers, some more than others!

What is higher ed. to do?

Possible Strategies

Ask Higher Ed. Community to:

- resource faster development of community Source ERPs?

- insist that ERPs work well with E-IdM middleware?

- require that vendor proposals for a new ERP include a security remediation plan with timelines for each security flaw?

Other?

Internet2 E-IdM Initiative

Following slides came from Jack Suess,

CIO of UMBC and former co-chair of EDUCAUSE Internet2 Network and Computer Security Task Force

Getting Vendor Support

Vendors recognize access and privilege management is a serious issue.

Unless we define what we want from vendors and speak with a single message each vendor will try and build its own system to integrate access and privilege management.

We are hoping to build off the Internet2 Middleware work to define what we want from vendors. Here is the conceptual framework.

Conceptual Identity Management Architecture

Support for Auditing and Compliance

By utilizing the IdM for privilege management, auditors have one place to go to validate who has access to which applications and databases, a critical part of security. By automating the provisioning of access and privilege management from today’s manual tasks, we eliminate the possibility of human error and oversight. By using the IdM for access management, we have one place to go to validate when an application was accessed and by whom.

www.educause.edu/security

Joy Hughes

CIO and VPIT

George Mason University
