Information Security and Governance in
ERP Implementation
(JD Edwards)
Table of Contents
Information Security
Information Security in ERP Environment
J D Edwards Security and Governance Features
Systems-based internal controls
Automated Process
Documentation
Continuous Monitoring
Word of Caution
Summary
Author: Shirish Bapat
Oracle Certified, PMP, CISA
Co-Author: Praseed Menon
Masters in Computer Applications, CISA
(Note: Both authors are practising security and project management professionals)
Information Security
Information is one of the most important assets of any organisation, and hence it should be appropriately protected. Information needs to be available and accessible without interruption for the smooth functioning of any organisation. Information security describes the activities that relate to protecting information and information infrastructure assets against the risks of loss, misuse, disclosure or damage. Organisations assess threats, vulnerabilities and impact in order to manage these risks sensibly.
Benchmarked industry standards are available to assist organisations in implementing the appropriate programmes and controls to mitigate these risks, for example the BS standards, ISO standards, the Information Technology Infrastructure Library (ITIL) and COBIT.
The critical factors for implementing an ISMS (Information Security Management System) are:
Confidentiality: Protecting information from unauthorized parties.
Integrity: Protecting information from modification by unauthorized users.
Availability: Making the information available to authorized users.
[Figure: ISMS Implementation, showing the Confidentiality, Integrity and Availability triad]
Information security is achieved through system-based internal and operational controls. A generic information security framework consists of three components: People, Policy and Technology. These three components are independent of each other but affect each other.
Information Security in ERP Environment
Enterprise resource planning (ERP) system security must be governed by the same principles as conventional information security. During an ERP implementation, however, these three components, People, Policy and Technology, need to be augmented to fit any co-existing system.
ERP is generally implemented in a mature IT environment. A generic information security framework serves as a starting point to develop a specific ERP security framework since most security managers are familiar with the basic IT framework.
The ERP security framework is applied to an ERP model to illustrate how People, Policy and Technology can be incorporated into it. The framework is product and vendor independent and is characterised by rigidity of character but flexibility of use. It is useful while designing, implementing or operating an ERP and helps to ensure the system's adherence to information security norms. The ERP security framework guides management in integrating information security into the ERP system.
2) The shortcomings of this security framework are identified in the context of an ERP system.
3) An ERP security framework is developed that conforms to corporate and IT governance requirements.
An ERP system controls all the business-related information of an organisation as well as information relating to customers and suppliers. It is necessary to make this data available to authorised users, to protect it from unauthorised users, and also to conform to auditing standards such as the Sarbanes-Oxley Act of 2002, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Food and Drug Administration 21 CFR Part 11, the European Data Privacy Directive, and the European Commission's Model Requirements for the Management of Electronic Records. Organisations should understand, document, and comply with strong corporate governance practices and a business code of ethics.
A majority of auditing firms are advising companies to adopt the broader definition of internal controls outlined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). The committee expanded the definition of internal controls to include financial, operational, and regulatory controls.
When an organisation implements an internationally recognised ERP system, the compliance requirements are already covered by the ERP vendor and other lapses can be avoided.
JD Edwards addresses the issues of Governance, Risk and Compliance in its software, as the required features are built into the software at every stage of design.
An effective system must meet four requirements:
Systems-based internal controls
Automated processes
Consistent documentation
Ongoing control and monitoring
These requirements are met through the effective meshing of modules, which are based on the five COSO components, throughout an integrated JD Edwards system:
Risk assessment
Control environment
Control activities
Information and communication
Monitoring
J D Edwards Security and Governance Features
Systems-based internal controls
The system-based controls ensure that the various modules in the system are integrated. For example, sales order processing is integrated with other modules such as inventory, finance, accounting, manufacturing, procurement and planning. Actions within one module can trigger related actions within the same module, in other modules or outside the system. Controls can be set up to ensure that a step does not complete unless all related actions have completed fully and successfully.
The JD Edwards Security system is highly flexible and allows various approaches to security definition.
Open Door Security:
In this type of design, all access for all users is kept open. The remaining access that needs to be secured is then restricted (blocked).
This leads to an increased number of access records that have to be blocked.
Closed Door Security:
In this type of design, all access for all users is blocked. Only the access that is required is granted.
In this case there is no such issue, since everything is blocked; only the required access has to be added.
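The trade-off between the two designs, as an added example that is not part of the original paper or of JD Edwards' own code: a deliberately simplified model of application security records (constructed user IDs, application names and record layout, not the real JD Edwards security tables) shows that the same effective policy needs more records under the open door design, and that an application deployed later with no record yet is runnable by everyone under open door but blocked under closed door.

```python
from dataclasses import dataclass

# Constructed, simplified model of application security records, not JD Edwards'
# actual security tables. It captures only the design choice the text describes:
# allow-by-default (open door) versus deny-by-default (closed door).
@dataclass(frozen=True)
class SecurityRecord:
    user: str   # user ID or role; "*PUBLIC" stands for everyone
    app: str    # application name; "*ALL" stands for every application
    run: bool   # True = may run the application, False = blocked

def can_run(records, user, roles, app, default_allow):
    """Most specific record wins: user, then roles, then *PUBLIC; exact app before
    *ALL. With no matching record, default_allow decides (open door: True)."""
    for subj in [user, *roles, "*PUBLIC"]:
        for target in (app, "*ALL"):
            for rec in records:
                if rec.user == subj and rec.app == target:
                    return rec.run
    return default_allow

def records_for(required, apps, users, closed_door):
    """Records needed so each user can run exactly required[user] under one design."""
    recs = []
    for u in users:
        for app in apps:
            needed = app in required.get(u, set())
            if closed_door and needed:
                recs.append(SecurityRecord(u, app, True))   # grant only what is needed
            elif not closed_door and not needed:
                recs.append(SecurityRecord(u, app, False))  # block everything else
    return recs

def compare_designs():
    users = ["SALESREP", "APCLERK"]   # constructed user IDs and application names
    apps = ["SALES_ORDER_ENTRY", "VOUCHER_ENTRY", "SECURITY_WORKBENCH"]
    required = {"SALESREP": {"SALES_ORDER_ENTRY"}, "APCLERK": {"VOUCHER_ENTRY"}}
    open_recs = records_for(required, apps, users, closed_door=False)
    closed_recs = records_for(required, apps, users, closed_door=True)
    same_policy = all(can_run(open_recs, u, [], a, True) == can_run(closed_recs, u, [], a, False)
                      for u in users for a in apps)
    new_app = "PAYROLL_ENTRY"   # deployed later, no security record written yet
    return {
        "same_policy_on_existing_apps": same_policy,
        "open_door_records": len(open_recs),
        "closed_door_records": len(closed_recs),
        "open_door_exposes_new_app": can_run(open_recs, "SALESREP", [], new_app, True),
        "closed_door_exposes_new_app": can_run(closed_recs, "SALESREP", [], new_app, False),
    }
```

Running `compare_designs()` returns four open door records against two closed door records for an identical effective policy, and only the open door design exposes the later application.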
The following system-based controls are available in JD Edwards:
System Level Controls:
Application Security
Action Code Security
Row and Column Security
Business Unit Security
Application Security
Processing Option Security
Version Control
One View Reporting Security
Data Privacy
Data Change Tracker
Security Reporting
Workflow
Application Level Controls:
Integrated Postings to G/L
Automatic Accounting Instructions
Valid Account Edit
Data Relationships
Batch Approvals
Hierarchical Approval Routing
Built-in Balancing Controls
Batch Controls
Payee Control
Order Activity Rules
Budget Expenditure Approval
Expense Policies
Automated Process
Processes dictate how work is performed in an organisation and how data flows through it. To ensure adherence to these processes, companies can use workflow to automate business processes by establishing how tasks are passed from one employee to another for action. For example, companies can automate a high-volume, formerly paper-based process, such as Purchase Order approval, into an email-based process.
The new E1 Pages feature also allows the process flow to be depicted.
System Level Automation:
Processing Options
Workflow
Workflow Delegation
Application Level Automation:
Integrated Postings to G/L
Automatic Accounting Instructions
Data Relationships
Order Activity Rules
Documentation
The JD Edwards website provides details about the product, product integrations, configurations, dependencies, standard business flows, objects, object characteristics, etc. through e-guides, presentations, reports and training manuals.
This documentation is not static. It is updated on a regular basis to account for application, version and tools upgrades.
Product bugs are also reported, and the scheduled delivery of the bug remedy is published for the knowledge of the user community. The SARs are delivered and made available for download on the JD Edwards support site. Tools such as the User Productivity Kit (UPK) can be used to document the standard and customised processes used in the organisation.
With JD Edwards EnterpriseOne’s Composite Application Framework, documentation such as UPK and Implementation Guide content can be presented to the user while they are performing their task.
Continuous Monitoring
The regulatory frameworks suggest that companies should engage in continuous, regular monitoring of their operations. Good monitoring programmes should include protocols and processes for capturing, reporting, and following up on deficiencies.
JD Edwards has an efficient mechanism for reporting bugs, following up with JD Edwards on the probable cause, advising on software enhancements, and involving users in solution development.
With contributions from end users, product deficiencies are revealed effectively and JD Edwards can deliver the best-fitting resolution as per industry requirements.
At the user level, One View Reporting and Watchlists provide an excellent proactive solution for monitoring and reporting incidents and statistics. Data Change Tracker and Health & Safety Incident Management are other good tools for monitoring.
Available Monitoring Features:
One View Reporting and Watchlists
Integrity Reports
Data Change Tracker
Health & Safety Incident Management
Word of Caution
In spite of all the precautions and implementation of standards, major lapses in implementation do occur, and they are attributed to:
The complexity of ERP systems, which leads to security vulnerabilities
A shortage of staff members trained in ERP security
Implementers paying inadequate attention to ERP security during deployment
Inadequate ERP tools for security audit
Customisation of ERP systems by user organisations, which inhibits the development of standardised security solutions
Summary
Ultimately, in any business organisation, all governance and regulatory requirements need to be justified on the counts of risk mitigation and cost benefit. JD Edwards fares well on all these counts, allowing us to manage business and compliance failure risks, achieve better performance while ensuring accountability and integrity, and stay on top in the current dynamic business environment.