Information Security and Governance in ERP Implementation (JD Edwards)

Table of Contents
Information Security ... 2
Information Security in ERP Environment ... 3
J D Edwards Security and Governance Features ... 5
Systems-based internal controls ... 5
Automated Process ... 5
Documentation ... 6
Continuous Monitoring ... 6
Word of Caution ... 7
Summary ... 7

Author: Shirish Bapat, Oracle Certified, PMP, CISA
Co-Author: Praseed Menon, Masters in Computer Applications, CISA
(Note: Both authors are practising security and project management professionals.)

Shirish Bapat & Praseed Menon Page 1
Information Security

Information is one of the most important assets of any organisation and should therefore be appropriately protected. Information needs to be available and accessible without interruption for the smooth functioning of any organization.

Information security describes the activities that protect information and information infrastructure assets against the risks of loss, misuse, disclosure or damage. Organizations assess threats, vulnerabilities and impact in order to manage these risks sensibly. Benchmarked industry standards are available to help organizations implement the appropriate programmes and controls to mitigate these risks; examples are the BS standards, ISO standards, the Information Technology Infrastructure Library (ITIL) and COBIT.

[Figure: ISMS implementation rests on Confidentiality, Integrity and Availability]

The critical factors for implementing an ISMS (Information Security Management System) are:
- Confidentiality: protecting information from unauthorized parties.
- Integrity: protecting information from modification by unauthorized users.
- Availability: making the information available to authorized users.
Information security is achieved through system-based internal and operational controls. A generic information security framework consists of three components: People, Policy and Technology. These three components are independent of each other but affect each other.

Information Security in ERP Environment

Enterprise resource planning (ERP) system security must be governed by the same principles as conventional information security. During an ERP implementation, however, these three components (People, Policy and Technology) need to be augmented to fit any co-existing system. ERP is generally implemented in a mature IT environment. A generic information security framework serves as a starting point for developing a specific ERP security framework, since most security managers are familiar with the basic IT framework.

The ERP security framework is applied to an ERP model to illustrate how People, Policy and Technology can be incorporated into it. The framework is product and vendor independent and is characterised by rigidity of character but flexibility of use. It is useful while designing, implementing or operating an ERP and helps ensure that the system adheres to information security norms. The ERP security framework guides management in integrating information security into the ERP system.

While implementing an ERP, the existing information security framework may not suit the ERP security framework. The process used to address this problem is as follows:
1) A generic security framework is analysed to determine the aspects that are applicable to ERP systems.
2) The shortcomings of this security framework are identified in the context of an ERP system.
3) An ERP security framework is developed that conforms to corporate and IT governance requirements.

An ERP system controls all the business-related information of an organisation as well as information relating to customers and suppliers. It is necessary to make this data available to authorised users, protect it from unauthorised users and also conform to auditing standards such as the Sarbanes-Oxley Act of 2002, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Food and Drug Administration 21 CFR Part 11, the European Data Privacy Directive, and the European Commission's Model Requirements for the Management of Electronic Records.

Organizations should understand, document, and comply with strong corporate governance practices and a business code of ethics. A majority of auditing firms are advising companies to adopt the broader definition of internal controls outlined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). The committee expanded the definition of internal controls to include financial, operational, and regulatory controls.

When an organisation implements an internationally recognised ERP system, the compliance requirements are already covered by the ERP vendor and other lapses can be avoided. JD Edwards addresses Governance, Risk and Compliance in its software, as the required features are built into the software at every stage of design.

An effective system must meet four requirements:
- Systems-based internal controls
- Automated processes
- Consistent documentation
- Ongoing control and monitoring

These requirements are met through effective meshing of modules, which are based on five components, all through an integrated JD Edwards system:
- Risk assessment
- Controlled environment
- Controlled activities
- Information and communications
- Monitoring
J D Edwards Security and Governance Features

Systems-based internal controls

System-based controls ensure that the various modules in the system are integrated. For example, sales order processing is integrated with other modules such as inventory, finance, accounting, manufacturing, procurement and planning. Actions within one module can trigger related actions within the module, outside the module or outside the system. Controls can be set up to ensure that a step does not complete unless all related actions have completed fully and successfully.

The JD Edwards security system is highly flexible and allows various approaches to security definition.

Open Door Security: In this type of design, all access for all users is kept open, and the remaining access that needs to be secured is restricted (blocked). This leads to an increased number of access records that have to be blocked.

Closed Door Security: In this type of design, all access for all users is blocked, and only the access that is required is granted. In this case there is no such issue, since everything is blocked and only the required access needs to be added.

The following system-based controls are available in JD Edwards.

System Level Controls
- Application Security
- Action Code Security
- Row and Column Security
- Business Unit Security
- Processing Option Security
- Version Control
- One View Reporting Security
- Data Privacy
- Data Change Tracker
- Security Reporting
- Workflow
- Workflow Delegation

Application Level Controls
- Integrated Postings to G/L
- Automatic Accounting Instructions
- Valid Account Edit
- Data Relationships
- Batch Approvals
- Hierarchical Approval Routing
- Built-in Balancing Controls
- Batch Controls
- Payee Control
- Order Activity Rules
- Budget Expenditure Approval
- Expense Policies
- Positive Pay
- Credit Limits
- Integrity Reports
- On-Demand Audit Trails
- System Constants
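The Open Door and Closed Door designs described above, modelled as default-allow versus default-deny access checks. This is an added illustration in Python, not JD Edwards code; the roles, application names, intended access matrix and function names are the example's own constructed assumptions. It also shows the failure mode a practitioner cares about: an application added after the security records were written is reachable by every role under Open Door until a block record is added, and by no role under Closed Door until a grant is added.

```python
"""Open Door vs Closed Door security, modelled as default-allow vs default-deny.
Added illustration, not JD Edwards code; the roles, applications and intended
access matrix below are constructed sample data."""
from dataclasses import dataclass, field


@dataclass
class Policy:
    default_allow: bool          # True = Open Door, False = Closed Door
    records: set = field(default_factory=set)  # explicit (role, application) pairs

    def is_allowed(self, role: str, application: str) -> bool:
        # Under Open Door a record blocks access; under Closed Door a record grants it.
        explicit = (role, application) in self.records
        return (not explicit) if self.default_allow else explicit


# Constructed sample: three roles, four applications, and who should run what.
ROLES = ("ap_clerk", "buyer", "auditor")
APPS = ("voucher_entry", "purchase_order", "account_master", "user_security")
INTENDED = {
    "ap_clerk": {"voucher_entry"},
    "buyer": {"purchase_order"},
    "auditor": {"voucher_entry", "purchase_order", "account_master"},
}


def build_open_door() -> Policy:
    # Everything is open, so every pair that must NOT be reachable needs a block record.
    blocks = {(r, a) for r in ROLES for a in APPS if a not in INTENDED[r]}
    return Policy(default_allow=True, records=blocks)


def build_closed_door() -> Policy:
    # Everything is blocked, so only the intended pairs need a grant record.
    grants = {(r, a) for r in ROLES for a in INTENDED[r]}
    return Policy(default_allow=False, records=grants)


def roles_reaching(policy: Policy, application: str) -> list:
    """Roles able to run an application, e.g. one added after the records were written."""
    return [r for r in ROLES if policy.is_allowed(r, application)]


def matches_intent(policy: Policy) -> bool:
    """True when the policy reproduces the intended matrix for the known applications."""
    return all(policy.is_allowed(r, a) == (a in INTENDED[r]) for r in ROLES for a in APPS)
```

Both designs reproduce the intended matrix for the four known applications; the difference shows in the record counts (7 block records versus 5 grant records here) and in what happens to an application that has no record at all.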
Automated Process

Processes dictate how work is performed in an organization and how data flows through it. To ensure adherence to these processes, companies can use workflow to automate business processes by establishing how tasks are passed from one employee to another for action. For example, companies can convert a high-volume, formerly paper-based process such as purchase order approval into an email-based process. The new E1 Pages feature also allows the process flow to be depicted.

System Level Automation
- Processing Options
- Workflow
- Workflow Delegation

Application Level Automation
- Integrated Postings to G/L
- Automatic Accounting Instructions
- Data Relationships
- Order Activity Rules

Documentation

The JD Edwards website provides details about the product, product integrations, configurations, dependencies, standard business flows, objects, object characteristics etc. through e-guides, presentations, reports, and training manuals. This documentation is not static: it is updated regularly to account for application, version and tools upgrades. Product bugs are also reported, and the scheduled delivery of the bug remedy is published for the knowledge of the user community. The SARs are delivered and made available for download on the JD Edwards support site.

Tools such as User Productivity Kit (UPK) can be used for documenting the standard and customized processes used in the organization. With JD Edwards EnterpriseOne's Composite Application Framework, documentation such as UPK and Implementation Guide content can be presented to users while they are performing their task.

Continuous Monitoring

The regulatory frameworks suggest that companies should engage in continuous, regular monitoring of their operations. Good monitoring programs should include protocols and processes for capturing, reporting, and following up on deficiencies.
JD Edwards has an efficient mechanism for reporting bugs, following up with JD Edwards on the probable cause, advising on software enhancements, and user association in solution development.
With contributions from end users, product deficiencies are revealed effectively and JD Edwards can deliver the best-fitting resolution as per industry requirements. At the user level, One View Reporting and Watchlists provide an excellent proactive solution for monitoring and reporting incidents and statistics. Data Change Tracker and H&S Incident Management are other good tools for monitoring.

Available Monitoring Features
- One View Reporting and Watchlists
- Integrity Reports
- Data Change Tracker
- Health & Safety Incident Management

Word of Caution

In spite of all the precautions and implementation of standards, major lapses in implementation occur, and they are attributed to the following:
- The complexity of ERP systems leads to security vulnerabilities.
- There is a shortage of staff members trained in ERP security.
- Implementers pay inadequate attention to ERP security during deployment.
- ERP tools for security audit are inadequate.
- The customization of ERP systems by user organizations inhibits the development of standardized security solutions.

Summary

Ultimately, in any business organization, all governance and regulatory requirements need to be justified in terms of risk mitigation and cost benefit. JD Edwards fares well on all these counts, allowing us to manage business and compliance failure risks, achieve better performance while ensuring accountability and integrity, and stay on top in the current dynamic business environment.

Credits: This paper is based on inputs from various sources and the experience of the authors.