Slide 1: ERP Security Checklist
ENT 2007
Joy R. Hughes, VPIT and CIO, George Mason University, Co-chair STF
Slide 2: ERP Checklist 2007
Copyright Joy Hughes, 2007. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
Slide 3: AGENDA
- STF Concerns
- Sungard Focus Groups
- 2006 Security Professionals Conference - BOF
- Checklist at VA SCAN
- Survey: Admin Systems Managers
- Survey: 2007 Security Professionals
- Revised Checklist with Deal-Killers
Slide 4: STF Concerns
- Too difficult for campuses to know how to securely configure the new ERP and its 3rd-party products, like reporting, imaging, etc.
- Overhead of managing access roles is so great that campuses are not able to control "need to know" access.
- More states are passing laws requiring CISOs to certify software is secure before purchase.
Slide 5: SUNGARD FOCUS GROUPS
Slide 6: Sungard Focus Groups
- STF approached Sungard
- 3rd-party market research firm at BUG
- Virginia IT Auditors & STF input
- MR firm: structured & open-ended questions
- CIOs and directors of admin systems
Slide 7: 2006 SECURITY PROFESSIONALS CONFERENCE
Slide 8: Security Professionals BOF at 2006 conference
- Mostly security officers, some CIOs
- Reviewed BUG outcomes
- Added SP perspective
Slide 9: #1 Difference between Groups
Security Professionals insisted that institutions and vendors must invest more in pre-implementation security consulting and best practices.
Slide 10: CREATED SECURITY CHECKLIST
Slide 11: Security Checklist Purpose
- enable better procurement decisions
- provide SPs with a tool to use to meet state requirements
- influence vendors to make security improvements
Slide 12: ERP Security Checklist Topics
- Managing Roles and Responsibilities
- Passwords, IDs and PINs
- Data Standards and Integrity
- Process Documentation
- Exporting Sensitive Data
Slide 13: VA SCAN CONFERENCE
Slide 14: Checklist at VA SCAN
- October 2006
- Mostly Security Professionals
- PeopleSoft and Sungard Banner
Slide 15: CREATED SECURITY SURVEY
Slide 16: ERP Security Survey
- 38-item survey created from the checklist
- Survey closed March 15, 2007
Slide 17: Survey of Admin Listserv
- Respondents: subscribers to the EDUCAUSE listserv for admin system management (mostly Directors of Admin Systems)
- 18 institutions: PeopleSoft, Sungard, Datatel, Jenzabar
- All had security flaws
- Consistency within vendor
Slide 18: ERP Security Survey at Conference
- 2007 Security Professionals, April 2007
- Mostly security professionals
- PeopleSoft, Sungard, Datatel, Jenzabar
- Fill out survey and circle "deal killers"
- 19 deal killers (50%)
Slide 19: Overall Findings
- All systems had security flaws
- People from different institutions using the same ERP tended to respond the same.
- Security Professionals and Admin System Professionals had different gaps in knowledge
- 29 institutions in total
Slide 20: DEAL KILLERS!!!
Slide 21: Overall System Proposed Must Have: Role Based Access
- "need to know" access: granular & easy to manage
- Role-based access to underlying database
- Default roles can be defined
- Roles can be tied to position categories
Slide 22: Overall System Proposed Must Have: Documentation
Documentation on the implications of providing a role with access to a particular field, table or form (e.g. "giving permission to access this form will allow the user to navigate to another form and change grades even though the grade field is not visible on this form").
Slide 23: Overall System Proposed Must Have: Secure Integrated Reporting Tools
- If a user is allowed to process sensitive data in the ERP, that user can still be restricted from using the reporting tool to import the data.
- Reports are provided that show who has been importing what sensitive data
- Tool encrypts the data during transfer
Slide 24: Overall System Proposed Must Have: A tool that
- allows you to see the access that has been provided to a user with respect to the fields/tables/forms in the ERP, its underlying database, and integrated third-party products and reporting tools.
- makes it easy to activate/deactivate a user from the ERP and associated products
Slide 25: Overall System Proposed Must Have: Great Working Relationship with E-IdM
- HR and Student feed the E-IdM
- E-IdM's database manages ERP roles
- E-IdM controls passwords and password change policies for all systems
Slide 26: Overall System Proposed Must Have
- Sufficient work flow and process documentation.
- "Legal" data fields are encrypted and have audit trails
- Strong & encrypted passwords & secure password delivery
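The role-management, reporting-tool and provisioning requirements on slides 21, 23, 24 and 25 describe one mechanism: the HR/Student feed drives an identity system that assigns default roles by position category, shows one person's access across the ERP, its database and the reporting tool, deactivates everywhere at once, and reports sensitive exports by people not entitled to them. The Python below is an added illustration of that mechanism, not part of the presentation or any vendor's product; the role names, system names and feed rows are invented for the example.

```python
from dataclasses import dataclass, field
# Constructed data: default roles tied to position categories (slide 21),
# spanning the ERP, its underlying database and the reporting tool.
SYSTEMS = ("erp", "db", "report")
DEFAULT_ROLES = {
    "registrar_staff": {"erp": {"SIS_GRADES_VIEW"}, "db": {"ro_student"}, "report": set()},
    "bursar_staff": {"erp": {"AR_ACCOUNTS"}, "db": {"ro_finance"}, "report": {"EXPORT_FIN"}},
}

@dataclass
class Account:
    active: bool = True
    entitlements: dict = field(default_factory=lambda: {s: set() for s in SYSTEMS})

class IdM:
    """Hypothetical E-IdM: the HR/Student feed is the only source of ERP roles (slide 25)."""
    def __init__(self):
        self.accounts = {}

    def apply_hr_feed(self, feed):
        """Rows are (netid, position_category, status). Active users get exactly their
        category's default roles; terminated users lose every entitlement at once."""
        for netid, category, status in feed:
            acct = self.accounts.setdefault(netid, Account())
            if status == "terminated":
                self.deactivate(netid)
            else:
                acct.active = True
                acct.entitlements = {s: set(DEFAULT_ROLES[category][s]) for s in SYSTEMS}

    def deactivate(self, netid):
        """Slide 24: one action removes the user from the ERP and associated products."""
        self.accounts[netid].active = False
        self.accounts[netid].entitlements = {s: set() for s in SYSTEMS}

    def access_view(self, netid):
        """Slide 24: everything one person can reach, across all three systems."""
        acct = self.accounts[netid]
        return {"active": acct.active, **{s: sorted(acct.entitlements[s]) for s in SYSTEMS}}

def export_violations(idm, export_log):
    """Slide 23: from the reporting tool's export log, flag sensitive exports by
    users who hold ERP access but not the matching EXPORT_ entitlement."""
    return [(who, what) for who, what in export_log
            if "EXPORT_" + what not in idm.accounts[who].entitlements["report"]]

# Constructed sample HR feed and reporting-tool export log.
HR_FEED = [("alice", "registrar_staff", "active"), ("bob", "bursar_staff", "active"),
           ("carol", "registrar_staff", "terminated")]
EXPORT_LOG = [("bob", "FIN"), ("alice", "FIN")]
```

Running the feed through `IdM` and then `export_violations` flags alice's finance export while bob's, covered by his default role, passes; carol's access view is empty after termination.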
Slide 27: BAD NEWS!
All the ERPs had deal killers, some more than others! What is higher ed. to do?
Slide 28: Possible Strategies
Ask the Higher Ed. Community to:
- resource faster development of community source ERPs?
- insist that ERPs work well with E-IdM middleware?
- require that vendor proposals for a new ERP include a security remediation plan with timelines for each security flaw?
- Other?
Slide 29: Internet2 E-IdM Initiative
The following slides came from Jack Suess, CIO of UMBC and former co-chair of the EDUCAUSE Internet2 Network and Computer Security Task Force.
Slide 30: Getting Vendor Support
Vendors recognize access and privilege management is a serious issue. Unless we define what we want from vendors and speak with a single message, each vendor will try to build its own system to integrate access and privilege management. We are hoping to build off the Internet2 Middleware work to define what we want from vendors. Here is the conceptual framework.
Slide 31: Conceptual Identity Management Architecture
Slide 33: Support for Auditing and Compliance
By utilizing the IdM for privilege management, auditors have one place to go to validate who has access to which applications and databases, a critical part of security. By automating the provisioning of access and privilege management from today's manual tasks, we eliminate the possibility of human error and oversight. By using the IdM for access management, we have one place to go to validate when an application was accessed and by whom.
Slide 34: www.educause.edu/security
Joy Hughes, CIO and VPIT, George Mason University, jhughes@gmu.edu