ERP Security Checklist, ENT 2007. Joy R. Hughes, VPIT and CIO, George Mason University; Co-chair, STF

ERP Checklist 2007. Copyright Joy Hughes. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

AGENDA
- STF Concerns
- Sungard Focus Groups
- 2006 Security Professionals Conference - BOF
- Checklist at VA SCAN
- Survey: Admin Systems Managers
- Survey: 2007 Security Professionals
- Revised Checklist with Deal-Killers

STF Concerns
- Too difficult for campuses to know how to securely configure the new ERP and its 3rd-party products (reporting, imaging, etc.).
- The overhead of managing access roles is so great that campuses are not able to enforce “need to know” access.
- More states are passing laws requiring CISOs to certify that software is secure before purchase.

SUNGARD FOCUS GROUPS

Sungard Focus Groups
- STF approached Sungard
- 3rd-party market research firm at BUG
- Virginia IT Auditors and STF input
- MR firm used structured and open-ended questions
- Participants: CIOs and directors of admin systems

2006 SECURITY PROFESSIONALS CONFERENCE

Security Professionals BOF at 2006 conference
- Mostly security officers, some CIOs
- Reviewed BUG outcomes
- Added SP perspective

#1 Difference between Groups: Security Professionals insisted that institutions and vendors must invest more in pre-implementation security consulting and best practices.

CREATED SECURITY CHECKLIST

Security Checklist Purpose:
- enable better procurement decisions
- provide SPs with a tool to use to meet state requirements
- influence vendors to make security improvements

ERP Security Checklist Topics
- Managing Roles and Responsibilities
- Passwords, IDs and PINs
- Data Standards and Integrity
- Process Documentation
- Exporting Sensitive Data

VA SCAN CONFERENCE

Checklist at VA SCAN, October 2006
- Mostly security professionals
- PeopleSoft and Sungard Banner

CREATED SECURITY SURVEY

ERP Security Survey
- 38-item survey created from the checklist
- Survey closed March 15, 2007

Survey of Admin Listserv
- Respondents: subscribers to the EDUCAUSE listserv for admin system management (mostly Directors of Admin Systems)
- 18 institutions: PeopleSoft, Sungard, Datatel, Jenzabar
- All had security flaws
- Responses were consistent within each vendor

ERP Security Survey at Security Professionals Conference, April 2007
- Mostly security professionals
- PeopleSoft, Sungard, Datatel, Jenzabar
- Asked to fill out the survey and circle “deal killers”
- 19 deal killers (50%)

Overall Findings
- All systems had security flaws.
- People from different institutions using the same ERP tended to respond the same way.
- Security Professionals and Admin System Professionals had different gaps in knowledge.
- 29 institutions in total

DEAL KILLERS!!!

Overall System Proposed Must Have: Role Based Access
- “need to know” access: granular and easy to manage
- Role-based access to underlying database
- Default roles can be defined
- Roles can be tied to position categories

Overall System Proposed Must Have: Documentation on the implications of providing a role with access to a particular field, table or form (e.g. “giving permission to access this form will allow the user to navigate to another form and change grades even though the grade field is not visible on this form”).

Overall System Proposed Must Have: Secure Integrated Reporting Tools
- If a user is allowed to process sensitive data in the ERP, the user can still be restricted from using the reporting tool to import that data.
- Reports are provided that show who has been importing what sensitive data.
- The tool encrypts the data during transfer.

Overall System Proposed Must Have: A tool that
- allows you to see the access that has been provided to a user with respect to the fields/tables/forms in the ERP, its underlying database, and integrated third party products and reporting tools.
- makes it easy to activate/deactivate a user from the ERP and associated products.
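The three "must have" items above (granular role-based access, documentation of what a form grant really reaches, and a tool that shows a user's effective access across the ERP, its database and its reporting tool, with easy deactivation) come together in one computation: effective access is the closure of the direct role grants over the ERP's form-to-form navigation links, not the list of direct grants. The following is an added illustration written for this page, not a tool from the presentation or from any ERP vendor; the form catalogue, navigation links, roles and users are constructed sample data, and the three-layer role model (forms, tables, reports) is an assumption.

```python
"""
Effective-access report for an ERP user.

Added illustration; every form, role and user name here is constructed
sample data, not taken from any real ERP.  The point it demonstrates is
the checklist's "hidden grade field" case: a grant on one form implicitly
reaches every form it can navigate to, so a report of direct grants
understates what a user can actually do.
"""
from collections import deque
from dataclasses import dataclass, field

# Constructed catalogue: which ERP forms can navigate to which other forms.
FORM_NAVIGATION = {
    "STUDENT_SUMMARY": ["GRADE_ENTRY"],   # summary form has a link into grade entry
    "GRADE_ENTRY": [],
    "ADVISING_NOTES": ["STUDENT_SUMMARY"],
    "PAYROLL_VIEW": [],
}

# Constructed catalogue: fields each form exposes and the access mode it gives.
FORM_FIELDS = {
    "STUDENT_SUMMARY": {"student_id": "read", "name": "read"},
    "GRADE_ENTRY": {"student_id": "read", "final_grade": "write"},
    "ADVISING_NOTES": {"student_id": "read", "notes": "write"},
    "PAYROLL_VIEW": {"ssn": "read", "salary": "read"},
}

# Assumed three-layer role model: ERP forms, database tables, reporting datasets.
ROLES = {
    "ADVISOR": {"forms": {"ADVISING_NOTES"}, "tables": set(), "reports": set()},
    "REGISTRAR": {"forms": {"GRADE_ENTRY", "STUDENT_SUMMARY"},
                  "tables": {"GRADES"}, "reports": {"GRADE_ROSTER"}},
    "HR_ANALYST": {"forms": {"PAYROLL_VIEW"}, "tables": {"PAYROLL"}, "reports": set()},
}

# Fields whose exposure through an unintended path should be reported.
SENSITIVE_FIELDS = {"ssn", "salary", "final_grade"}

# Constructed user-to-role assignments (what the E-IdM feed would supply).
USER_ROLES = {"jdoe": {"ADVISOR"}, "rsmith": {"REGISTRAR", "HR_ANALYST"}}


@dataclass
class Access:
    user: str
    roles: set = field(default_factory=set)
    direct_forms: set = field(default_factory=set)
    reachable_forms: set = field(default_factory=set)  # direct grants + navigation closure
    fields: dict = field(default_factory=dict)         # field name -> {"read", "write"}
    tables: set = field(default_factory=set)
    reports: set = field(default_factory=set)
    findings: list = field(default_factory=list)       # access reached only by navigation


def reachable_forms(start_forms):
    """Breadth-first closure over FORM_NAVIGATION starting from the directly granted forms."""
    seen = set(start_forms)
    queue = deque(start_forms)
    while queue:
        form = queue.popleft()
        for nxt in FORM_NAVIGATION.get(form, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def effective_access(user, assignments):
    """Compute what a user can actually reach, flagging sensitive or write access
    that arrives only through form navigation rather than an explicit grant."""
    acc = Access(user=user, roles=set(assignments.get(user, set())))
    for role in acc.roles:
        grant = ROLES[role]
        acc.direct_forms |= grant["forms"]
        acc.tables |= grant["tables"]
        acc.reports |= grant["reports"]
    acc.reachable_forms = reachable_forms(acc.direct_forms)
    for form in acc.reachable_forms:
        implicit = form not in acc.direct_forms
        for fld, mode in FORM_FIELDS[form].items():
            acc.fields.setdefault(fld, set()).add(mode)
            if implicit and (mode == "write" or fld in SENSITIVE_FIELDS):
                acc.findings.append(
                    f"{user}: {mode} on {fld} via {form}, reached by navigation, not by direct grant")
    return acc


def deactivate_user(user, assignments):
    """Deactivation in one place: drop every role assignment for the user.
    Returns a new mapping; re-running effective_access on it yields no access."""
    return {u: roles for u, roles in assignments.items() if u != user}


if __name__ == "__main__":
    for name in USER_ROLES:
        a = effective_access(name, USER_ROLES)
        print(f"{name}: roles={sorted(a.roles)} forms={sorted(a.reachable_forms)} "
              f"tables={sorted(a.tables)} reports={sorted(a.reports)}")
        for finding in a.findings:
            print("  FINDING:", finding)
```

Run as a script, the report shows that the advisor account reaches GRADE_ENTRY (and write access to final_grade) through two navigation hops even though its only direct grant is ADVISING_NOTES; that is exactly the information the checklist asks vendors to document for each form, and the report a security officer would want before approving a role.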

Overall System Proposed Must Have: Great Working Relationship with E-IdM
- HR and Student feed the E-IdM
- E-IdM’s database manages ERP roles
- E-IdM controls passwords and password change policies for all systems

Overall System Proposed Must Have:
- Sufficient work flow and process documentation.
- “Legal” data fields are encrypted and have audit trails.
- Strong and encrypted passwords and secure password delivery.

BAD NEWS! All the ERPs had deal killers, some more than others! What is higher ed. to do?

Possible Strategies: Ask the Higher Ed. Community to:
- resource faster development of community source ERPs?
- insist that ERPs work well with E-IdM middleware?
- require that vendor proposals for a new ERP include a security remediation plan with timelines for each security flaw?
- Other?

Internet2 E-IdM Initiative: The following slides came from Jack Suess, CIO of UMBC and former co-chair of the EDUCAUSE Internet2 Network and Computer Security Task Force.

Getting Vendor Support: Vendors recognize that access and privilege management is a serious issue. Unless we define what we want from vendors and speak with a single message, each vendor will try to build its own system to integrate access and privilege management. We are hoping to build off the Internet2 Middleware work to define what we want from vendors. Here is the conceptual framework.

Conceptual Identity Management Architecture

Support for Auditing and Compliance: By utilizing the IdM for privilege management, auditors have one place to go to validate who has access to which applications and databases, a critical part of security. By automating the provisioning of access and privilege management from today’s manual tasks, we eliminate the possibility of human error and oversight. By using the IdM for access management, we have one place to go to validate when an application was accessed and by whom.

Joy Hughes, CIO and VPIT, George Mason University