Information Security and Governance in ERP Implementation (JD Edwards)

Transcription

1 Information Security and Governance in ERP Implementation (JD Edwards) Table of Contents Information Security... 2 Information Security in ERP Environment... 3 J D Edwards Security and Governance Features... 5 Systems-based internal controls... 5 Automated Process... 5 Documentation... 6 Continuous Monitoring... 6 Word of Caution... 7 Summary... 7 Author: Shirish Bapat Oracle Certified, PMP, CISA Co-Author: Praseed Menon Masters in Computer Applications, CISA (Note: Both the authors are Practicing Security and Project Management Professionals) Shirish Bapat & Praseed Menon Page 1

2 Information Security Information is one of the most important assets of any organisation. Hence it should be appropriately protected. Information needs to be available and accessible uninterruptedly for the smooth functioning of any organization. Information security describes activities that relate to the protection of information and information infrastructure assets against the risks of loss, misuse, disclosure or damage. Organizations assess threats, vulnerabilities and impact to sensibly manage these risks. Benchmarked industry standards are available to assist organizations, implement the appropriate programmes and controls to mitigate these risks. Example - BS standards, ISO standards, Information Technology Infrastructure Library and COBIT. Integrity Availability Confidentiality ISMS Implementation Critical Factors for implementing the ISMS (Information Security Management system) are Confidentiality: Protecting information from unauthorized parties. Integrity: Protecting information from modification by unauthorized users. Availability: Making the information available to authorized users. Shirish Bapat & Praseed Menon Page 2

3 The information security is achieved through system based internal and operational controls. A generic information security framework consists of three components: These 3 components are independent of each other but affect each other. Information Security in ERP Environment Enterprise resource planning (ERP) system security must be governed by the same principles as conventional information security. During an ERP implementation, however these three components: People, Policy and Technology need to be augmented to fit any co-existing system. ERP is generally implemented in a mature IT environment. A generic information security framework serves as a starting point to develop a specific ERP security framework since most security managers are familiar with the basic IT framework. The ERP security framework is applied to an ERP model to illustrate how People, Policy and Technology can be incorporated into it. The framework is product and vendor independent and is characterised by rigidity of character but flexibility of use. The framework is useful while designing, implementing or operating an ERP and helps in ensuring the system adherence to the information security norms. The ERP security framework guides management in integrating information security into the ERP system. While implementing the ERP, existing Information security framework may not suit ERP security framework The process used to provide a solution to the above problem is as follows: 1) A generic security framework is analysed to determine the aspects that are applicable to ERP systems. Shirish Bapat & Praseed Menon Page 3

4 2) The shortcomings of this security framework are identified in the context of an ERP system. 3) An ERP security framework is developed that conforms to corporate and IT governance requirements. An ERP system controls all the business related information of an organisation as well as information relating to customers and suppliers. It is necessary to make the data available to authorised users, protect this data from unauthorised users and also confirm to the auditing standards like Sarbanes-Oxley Act of 2002, the Health Insurance Portability and Accountability Act of 1996 (HIPA), the Food and Drug Administration 21 CFR Part 11, the European Data Privacy Directive, and the European Commission s Model Requirements for the Management of Electronic Records. Organizations should understand, document, and comply with strong corporate governance practices and a business code of ethics. A majority of auditing firms are advising companies to adopt the broader definition of internal controls outlined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). The committee expanded the definition of internal controls to include financial, operational, and regulatory controls. When an organisation implements an internationally acceptable recognised ERP system, then the compliance requirements are already covered by the ERP vendor and other lapses can be avoided. JD Edwards addresses the issues of Governance, Risk and Compliance in their software as the required features are built into the software in every stage of design. An effective system must meet 4 requirements: Systems-based internal controls. Automated processes. Consistent documentation. Ongoing control and monitoring These requirements are met through effective meshing of modules which are based on five components, all through an integrated JD Edward system. Risk assessment Controlled environment Controlled activities Information and communications Monitoring Shirish Bapat & Praseed Menon Page 4

5 J D Edwards Security and Governance Features Systems-based internal controls The system based controls ensure that various modules in the system are integrated. E.g. Sales order processing is integrated with other modules like inventory, finance, accounting, manufacturing, procurement, planning. Actions within one module can trigger related actions within the module, outside the module or outside the system. Controls can be setup to ensure that the step does not complete unless all related actions are completed totally and successfully. The JD Edwards Security system is highly flexible and can allow various approaches for security definition. Open Door Security In this type of Design, all the access to all the users is kept Open. The remaining access which needs to be secured is restricted (blocked). This leads to increased number of records of access that has to be blocked. Closed Door Security In this type of Design, all the access to all the users is blocked. Only the one s which are required are granted access. In this case, there is no such issue, since everything is blocked. Only the one s which are required are to be added Following system based controls are available in JD Edwards System Level Controls Application Security Action Code Security Row and Column Security Business Unit Security Application Security Processing Option Security Version Control One View Reporting Security Data Privacy Data Change Tracker Security Reporting Workflow Workflow Delegation Automated Process Application Level Controls Integrated Postings to G/L Automatic Accounting Instructions Valid Account Edit Data Relationships Batch Approvals Hierarchical Approval Routing Built-in Balancing Controls Batch Controls Payee Control Order Activity Rules Budget Expenditure Approval Expense Policies Positive Pay Credit Limits Integrity Reports On-Demand Audit Trails System Constants Shirish Bapat & Praseed Menon Page 5

6 Processes dictate how work is performed in an organization and how data flows through it. To ensure adherence to these processes, companies can use workflow to automate business processes by establishing how tasks are passed from one employee to another for action. For example, companies can automate a high volume, formerly paper-based process such as Purchase Order approval into an -based process. The new feature of E1 pages also allows depiction of the process flow. System Level Automation Processing Options Workflow Workflow Delegation Application Level Automation Integrated Postings to G/L Automatic Accounting Instructions Data Relationships Order Activity Rules Documentation The JD Edwards website provides details about the product, the product integrations, configurations, dependencies, standard business flows, objects, object characteristics etc. through e guides, presentations, reports, and training manuals. This documentation is not static. It is upgraded on regular basis to account for application, version and tools upgrade. The product bugs are also reported and the scheduled delivery for the bug remedy is published for the knowledge of the user community. The SARs are delivered and are made available for download on the JD Edwards support site. Tools such as User Productivity Kit (UPK) can be used for documenting standard and customized processes used in the organization. With JD Edwards EnterpriseOne s Composite Application Framework, documentation such as UPK and Implementation Guide content can be presented to the user while they are performing their task. Continuous Monitoring The regulatory frameworks suggests that companies should engage in continuous, regular monitoring of their operations. Good monitoring programs should include protocols and processes for capturing, reporting, and following up on deficiencies. JD Edwards has an efficient mechanism for reporting the bugs, following up with JD Edwards on the probable cause, advising on software enhancements, and user association in solution development. Shirish Bapat & Praseed Menon Page 6

7 With the contribution from the end users the product deficiencies are revealed in an effective way and JD Edwards can deliver best fitting resolution as per the industry requirements. At the User level, Oneview reporting and Watchlists provide an excellent proactive solution for monitoring and reporting incidents and statistics. Data Change Tracker and H&S Incident Management are some other good tools for monitoring. Available Monitoring Features One View Reporting and Watchlists Integrity Reports Data Change Tracker Health & Safety Incident Management Word of Caution In spite of all the precautions and implementations of standards, major lapses in implementation occur and they are attributed to The complexity of ERP systems leads to security vulnerabilities Shortage of staff members trained in ERP security Implementers pay inadequate attention to ERP security during deployment ERP tools for security audit are inadequate The customization of ERP systems by user organizations inhibits the development of standardized security solutions Summary Ultimately, in any business organization, all the governance and regulatory requirements need to be justified on the counts of risk mitigation, cost benefit. JD Edwards fares well on all these accounts allowing us to manage business and compliance failure risks, achieve better performance while ensuring accountability and integrity and stay on top in current dynamic business environment. Credits: This paper is based on inputs from various sources and experience of the authors Shirish Bapat & Praseed Menon Page 7