Top 5 Recommended Security Projects for Maximum Protection
With so many demands on their limited resources, it’s not surprising that, once they’ve managed to get a good security model in place within their ERP system, many IT Managers let ongoing security and compliance slip to the bottom of their list of priorities.
But that’s not enough! The chances of falling victim to internal fraud are higher than ever, so you can’t afford to rest on your laurels. ERP security and compliance are not a one-time project during an implementation or upgrade. You need ongoing investment to achieve the right balance between efficiency, adherence to best practice and safeguarding your system from fraud.
So, yes, the top priority should always be to implement a security model that follows the principle of least privilege. But once you’ve achieved that, there’s more to do.
Here are the top 5 security projects that we recommend you consider next:
Project No 1: Privileged Access Management Review
Your least privilege security model should restrict access appropriately for most business users, but it’s common for organizations to grant privileged access to IT users who need extensive access to carry out their work. This can leave you exposed to risk of abuse.
Reviewing how your organization manages privileged access users will help you discover and apply appropriate controls to mitigate the risks. This exercise will also help you satisfy your auditors, who often ask about users with privileged access and the compensating controls that you have in place.
Here is a list of tasks to get you started:
- Perform a discovery / identification of all possible privileged accounts, remembering to include ‘out of box’ and integration accounts as well as system administrators and other IT staff.
- Require that a form be completed for each account, documenting key facts such as who requested it, what it is used for, how long it will be needed and who has access to the password.
- Carry out reviews of privileged access accounts more frequently than you review business users, and make sure that these accounts are re-authorized regularly.
For more information about privileged access risks and how to manage them, see our blog on Mitigating Controls for Privileged Users.
Project No 2: Data Privacy Review
Across the globe, Data Privacy regulations are becoming increasingly stringent. Understanding what personal information your ERP system holds and how it is protected is an important first step in preparing your organization to comply with privacy laws.
This project should also consider who has access to the data. Recommended tasks include:
- Conduct a data discovery exercise to identify the personal information held within your ERP system.
- Categorize the data by software module, data owner, format, purpose and the safeguards in place.
- Report on who has access to the data.
- Consider remediation efforts to better segregate roles and/or users with excessive access.
- Create a data privacy asset register which helps those within your organization understand what private data is held within your system, how it’s categorized and how it’s secured.
Project No 3: Exploit New Features
When we install a new version of a software product, how often do we get time to look at the new features and consider how we can make use of them to improve our processes?
Occasionally it’s important to take time out to review the new capabilities offered by your ERP system and think about how these features can help you solve everyday operational issues.
JD Edwards EnterpriseOne Orchestrator is a prime example of this. It can help ERP security administrators and auditors automate processes that would previously have needed extensive custom development work or hours of manual effort.
In her blog post, Carrie Curry gives some examples of how you can use JD Edwards EnterpriseOne Orchestrator to enhance security and boost compliance.
Project No 4: Implement Proactive Fraud Monitoring
To combat fraud, it’s becoming increasingly important to implement detection and response mechanisms within your ERP system. Specialized security software makes it easy to monitor for changes to sensitive data and notify relevant staff, so that irregularities and exceptions can be reviewed in real time.
When considering monitoring software, look for capabilities such as:
- The ability to assign Alert Owners: if an alert is triggered when a suspicious change occurs, it’s imperative that someone takes ownership of reviewing the alert information and investigating the irregularity in a timely manner.
- Configurable alerts: if your alert owners receive too many alerts for changes that turn out to be insignificant, they’ll start to ignore them. You need alerts that can be configured with comparison operators (greater than, less than, not equal to, etc.) so that you can specify which change conditions are significant.
- Notifications must be immediate and sent directly to the alert owner.
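To make the two capabilities above concrete, here is an added illustration (not code from the original post or from any monitoring product) of alert rules that carry a comparison operator, a threshold or a "compare with previous value" flag, and an alert owner, evaluated against constructed ERP change-log events. Table names, field names and users are invented for the example.

```python
from dataclasses import dataclass
from operator import eq, ge, gt, le, lt, ne
from typing import Any, Callable

# Comparison operators a rule can reference by name (greater than, less than,
# not equal to, etc.), so reviewers can tune which changes are significant.
OPERATORS: dict[str, Callable[[Any, Any], bool]] = {
    ">": gt, "<": lt, ">=": ge, "<=": le, "==": eq, "!=": ne,
}

@dataclass(frozen=True)
class AlertRule:
    name: str
    table: str                    # monitored ERP table (constructed name)
    field: str
    operator: str                 # key into OPERATORS
    threshold: Any = None         # fixed value the new value is compared against ...
    compare_to_old: bool = False  # ... or compare the new value with the previous one
    owner: str = ""               # alert owner who must review and investigate

@dataclass(frozen=True)
class ChangeEvent:
    table: str
    field: str
    old_value: Any
    new_value: Any
    changed_by: str

def matches(rule: AlertRule, event: ChangeEvent) -> bool:
    """True when the event touches the rule's table/field and the condition holds."""
    if (rule.table, rule.field) != (event.table, event.field):
        return False
    reference = event.old_value if rule.compare_to_old else rule.threshold
    return OPERATORS[rule.operator](event.new_value, reference)

def route_alerts(rules: list, events: list) -> list:
    """Return one alert per (rule, event) match, addressed to the rule's owner."""
    return [{"rule": r.name, "owner": r.owner, "changed_by": e.changed_by,
             "old": e.old_value, "new": e.new_value}
            for e in events for r in rules if matches(r, e)]

# Constructed sample rules and change-log events (not real ERP data).
RULES = [
    AlertRule("Vendor bank account changed", "VendorMaster", "bank_account",
              "!=", compare_to_old=True, owner="ap.supervisor"),
    AlertRule("Credit limit raised above 50,000", "CustomerMaster", "credit_limit",
              ">", threshold=50_000, owner="credit.manager"),
]
EVENTS = [
    ChangeEvent("VendorMaster", "bank_account", "111", "999", "user1"),    # alert
    ChangeEvent("VendorMaster", "bank_account", "222", "222", "user2"),    # unchanged
    ChangeEvent("CustomerMaster", "credit_limit", 10_000, 75_000, "user3"),  # alert
    ChangeEvent("CustomerMaster", "credit_limit", 10_000, 12_000, "user4"),  # minor
]
```

Running `route_alerts(RULES, EVENTS)` yields two alerts: the vendor bank account change routed to ap.supervisor and the large credit limit increase routed to credit.manager, while the unchanged and minor edits produce nothing.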
To find out more about why fraud monitoring is important and what you should consider when implementing it, read this article on proactive fraud monitoring in your ERP.
Project No 5: Consider Using Agile Cloud-Based Solutions to Solve Persistent Problems
Some processes, such as Segregation of Duties (SoD) and audit reporting, can become repetitive nightmares that absorb inordinate amounts of expensive resources.
Over recent years, Cloud-based solutions have sprung up in many areas that can be used to cost-effectively eradicate persistent problems, such as security audit reporting, either in place of or as a complement to existing software.
For example, our QCloud Audit-as-a-Service can save you many hours of effort, increase the accuracy of your SoD analysis and uncover risks that you never knew existed, simply by logging in and requesting an audit. This article explores the advantages of adopting Cloud-based ERP auditing and how it can help you.
I appreciate that there will always be conflicting demands for your attention and resources, but if you’re responsible for your company’s ERP security, it’s important to do everything you can to eliminate risks. To achieve that you need to harness the power of cost-effective and efficient tools.