Posted: May 25th, 2022
ERP and Information Security
Introduction to ERP
Even though information security plans aim to prevent outsiders from gaining access to the internal network, the risk from outsiders remains. Outsiders can also pose as authorized users in order to tamper with the transactions of business systems. Strict preventive measures should therefore be taken against such situations.
Enterprise resource planning (ERP) software has increased the threat from both kinds of attacker, insiders and outsiders alike (Holsbeck and Johnson, 2004). Through acts of deception they bypass system privileges and take hold of assets, mainly cash. The continuing integration of ERP has not eliminated the threat from attackers who are either insiders or who get through the perimeter security.
Given the financial losses caused by system-based fraud, errors and abuse of business transactions, new ways of maintaining security need to be developed in the world of integrated ERP (enterprise resource planning) and e-business (Holsbeck and Johnson, 2004).
Present Market Development for ERP systems
The ERP market matured to the point where intense competition led to a fall in sales. ERP vendors responded by shifting their focus to new functions such as CRM and service-oriented web architectures in order to attract more customers to their products and bring sales back up. Unfortunately, some security issues remain unaddressed (Holsbeck and Johnson, 2004).
Alongside the rising threats from external sources, it should not be forgotten that cheating and fraud can occur within the system itself. Insider abuse is growing rapidly as automated systems are installed to manage accounts payable, employee benefits and other information that is critical to the company (Holsbeck and Johnson, 2004).
Taking a historical perspective on the effectiveness of ERP security, the systems focused on internal threats by giving workers only limited control, and relied on network defenses such as firewalls, intrusion detection and VPNs to keep intruders from logging into the ERP network. However, integrated systems that span many systems and user populations increasingly need newer and more effective ways of dealing with such security issues (Holsbeck and Johnson, 2004).
Gartner goes on to state that enterprises need to consider security across all functionality and to control the overall environment so that transactions run effectively. Its analysts suggest that any vulnerable point in the security system can be exploited, especially by insiders, to threaten the business in various ways (Holsbeck and Johnson, 2004).
As the ERP system lets the enterprise merge all of its information systems with those of its supply-chain partners, the number of authorized users grows rapidly. This creates new entry points into the business systems from outside the perimeter of the conventional IT systems. Firms must therefore trust not only their own employees but also the partners who share the security system with them (Holsbeck and Johnson, 2004).
In many enterprises today, ERP security is based on user-level control: authorized people log in to the system with a personal username and password, and the enterprise can block or allow any individual depending on the permission level and access granted to them. For instance, an accounts-payable clerk would have no access to inventory, human resources or any other area of the ERP system (Holsbeck and Johnson, 2004).
Data encryption is part of many ERP systems and essentially prevents a user from exporting the database. It offers no protection, however, against authorized insiders accessing modules they are not authorized to use (Holsbeck and Johnson, 2004).
An important feature of ERP systems is the audit log, which records every transaction made and every system alteration. However, it does not capture the reason behind those transactions. Each transaction is documented in isolation, so the context of a transaction, such as the events occurring before or after it, is not traced by the audit log. Internal auditors then sample the audit logs for transactions that appear out of order (Holsbeck and Johnson, 2004).
Nearly half of organizations do not configure their ERP systems to maintain audit logs, for two reasons (Holsbeck and Johnson, 2004):
1. They believe it would degrade system performance.
2. They do not consider it important.
Such organizations tend to take a conservative view of IT security, seeing it as covering only the layers of conventional perimeter security. Hence a compromise between security and performance is adopted, which focuses on the following two practices (Holsbeck and Johnson, 2004):
Enterprises refrain from logging every minute detail of the system's activity.
Only information relevant to the transaction is collected.
Organizations that do use audit logs typically also have system administrators configure customized audit reports. These reports use simple logic to flag “outliers,” system transactions that fall outside general parameters such as:
Date and time
Trace and location of the user logging into the system
Checks larger than a predefined threshold
Customizing these reports is time consuming, and the large number of data points they produce still has to be processed manually. They are often riddled with false positives, so every flagged event requires manual analysis: the audit report cannot analyze the event itself and therefore cannot determine the reason for the concern (Holsbeck and Johnson, 2004).
ERP Security Failures
When the ERP security features described above are not in place, fraud occurs and the average business loses 3% to 6% of annual income. Worse, additional losses arise from duplicate-payment errors: the average enterprise makes duplicate payments on 2% of all payments made, and almost 10% of those duplicates are lost and never recovered, which amounts to a 0.2% loss of total accounts payable (Holsbeck and Johnson, 2004).
Applications also remain exposed to external security threats, some of which are listed below:
Simple dictionary attacks that break easily guessed passwords (Whitman and Mattord, 2008).
Applications riddled with buffer overflows that an attacker eventually finds and exploits (Whitman and Mattord, 2008).
Social engineering, the most dangerous form, in which attackers set a trap for users and fool them into freely divulging personal information and credentials (Whitman and Mattord, 2008).
In the extreme case, attackers pose as authorized users, enter the system and divert payments for their own benefit (Whitman and Mattord, 2008).
ERP security failures occur in companies that leave control design out of their plans until the final stage of implementation. ERP projects are generally over budget and behind schedule, and strict internal controls are relied on to keep cost and time consumption in check (Holsbeck and Johnson, 2004; Whitman and Mattord, 2008).
Such internal controls are often hard to follow, because they add tasks and overhead that make it harder for employees to carry out their daily work, which hurts efficiency considerably. That is why most organizations decide against such strict internal controls (Whitman and Mattord, 2008).
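The outlier report described above (date and time, login location, checks above a threshold) and the duplicate-payment problem can both be expressed as simple rules over an ERP audit log. The following is an added example written for this page, not code from Holsbeck and Johnson or any ERP product; the log format, field names, business hours, approved locations and check threshold are all constructed assumptions.

```python
"""Outlier audit report over a constructed ERP audit log (added example).

Assumed log line format (pipe-separated, one event per line):
  timestamp|user|location|module|action|vendor|invoice|amount
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List, Tuple

# Constructed sample audit log; values are illustrative only.
# 2022-05-02 is a Monday.
SAMPLE_LOG = """\
2022-05-02T09:15:00|jdoe|HQ-LAN|AP|PAY|ACME Ltd|INV-1001|4200.00
2022-05-02T10:40:00|jdoe|HQ-LAN|AP|PAY|ACME Ltd|INV-1001|4200.00
2022-05-02T23:50:00|rroe|HQ-LAN|AP|PAY|Globex|INV-2044|980.00
2022-05-03T11:05:00|asmith|VPN-REMOTE|AP|PAY|Initech|INV-3310|150000.00
2022-05-03T14:20:00|asmith|UNKNOWN|GL|POST|||0.00
2022-05-04T08:30:00|jdoe|HQ-LAN|AP|PAY|Umbrella|INV-7|250.00
"""

# Assumed "general parameters" for the outlier report.
BUSINESS_HOURS = (time(7, 0), time(19, 0))
APPROVED_LOCATIONS = {"HQ-LAN", "VPN-REMOTE"}
CHECK_THRESHOLD = 100_000.00


@dataclass
class AuditEvent:
    ts: datetime
    user: str
    location: str
    module: str
    action: str
    vendor: str
    invoice: str
    amount: float


def parse_log(text: str) -> List[AuditEvent]:
    """Parse the assumed pipe-separated format into AuditEvent records."""
    events: List[AuditEvent] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, loc, mod, act, vendor, inv, amt = line.split("|")
        events.append(AuditEvent(datetime.fromisoformat(ts), user, loc,
                                 mod, act, vendor, inv, float(amt)))
    return events


def outlier_reasons(ev: AuditEvent) -> List[str]:
    """Apply the three simple outlier rules; an empty list means 'normal'."""
    reasons: List[str] = []
    in_hours = BUSINESS_HOURS[0] <= ev.ts.time() <= BUSINESS_HOURS[1]
    if not in_hours or ev.ts.weekday() >= 5:
        reasons.append("outside business hours")
    if ev.location not in APPROVED_LOCATIONS:
        reasons.append(f"unapproved location {ev.location}")
    if ev.action == "PAY" and ev.amount > CHECK_THRESHOLD:
        reasons.append(f"check {ev.amount:.2f} exceeds threshold {CHECK_THRESHOLD:.2f}")
    return reasons


def find_duplicate_payments(events: List[AuditEvent]) -> List[Tuple[str, str, float]]:
    """Return (vendor, invoice, amount) keys paid more than once."""
    seen: Dict[Tuple[str, str, float], AuditEvent] = {}
    dups: List[Tuple[str, str, float]] = []
    for ev in events:
        if ev.action != "PAY":
            continue
        key = (ev.vendor, ev.invoice, ev.amount)
        if key in seen and key not in dups:
            dups.append(key)
        seen.setdefault(key, ev)
    return dups


def build_report(text: str) -> Dict[str, object]:
    """Outliers keyed by timestamp, plus duplicate payment keys.

    Every flagged item still needs manual review: the rules say *that* an
    event is unusual, not *why* (the 150000.00 check may be legitimate).
    """
    events = parse_log(text)
    outliers = {ev.ts.isoformat(): outlier_reasons(ev)
                for ev in events if outlier_reasons(ev)}
    return {"outliers": outliers, "duplicates": find_duplicate_payments(events)}


if __name__ == "__main__":
    report = build_report(SAMPLE_LOG)
    for ts, reasons in report["outliers"].items():
        print(ts, "->", "; ".join(reasons))
    print("duplicate payments:", report["duplicates"])
```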
Internal controls for maintaining ERP security have various flaws, one of the biggest being their high cost and the time they consume. Employees' authorization levels in the business structure must be updated continuously, for every employee who is promoted, reassigned or dismissed. Modification is also necessary in other cases such as (Holsbeck and Johnson, 2004; Whitman and Mattord, 2008):
Adding a new business partner.
Creating a new business department.
Entering a new market or industry.
In other words, this ongoing maintenance of the ERP system results in a drain on resources.
A recent audit program conducted on various SAP systems found that SAP systems provide software support for financial management functions (purchasing, accounts payable and receivable, general ledger) and for human resource management processes, including project, employee and team management. However, a recent Gartner audit claims that security risks in SAP systems are high, mainly because unauthorized intervention exposes these highly important and confidential data assets. The significant results of the audit were:
The purchasing module lacks proper access filtering or checking, so it is highly insecure: any employee can access the control data of the purchasing cycle and make alterations, which could result in fraud and errors (Holsbeck and Johnson, 2004).
It is also of great concern that many staff members are granted access to the finance management and accounting modules without proper access restrictions. The only solution is continuous monitoring to ensure safety (Holsbeck and Johnson, 2004).
Internal security risk has gained importance as a new subject in information technology, as Matthew Kovar of Yankee Group (Hong et al., 2003) identified in explaining how corruption, fraud and security breaches in governments and corporations are largely due to internal misuse of authority and access rights (Whitman and Mattord, 2008).
Governments and corporations have therefore established that the default access rights and design principles of management applications are not adequate and require constant surveillance. Instead of restricting authority in each section of every department, which is quite laborious, corporations have decided to monitor the complete system to track fraud, error or misuse (Whitman and Mattord, 2008).
Constant surveillance and monitoring works by keeping track of the sequence and patterns of transactions, either learned intelligently or fed in as data, and using advanced algorithms to recognize and flag any deviation from the regular pattern (Whitman and Mattord, 2008).
These surveillance and monitoring mechanisms are thus effective measures for tracking transactions and for identifying and assigning employees sets of authorities that avoid business fraud, hacks and breaches. Internal miscreants may in time find a way into the confidential system, but with these monitoring resources IT managers can track all high-priority errors and incidents in real time with assurance. The same mechanisms protect the system against breaches by external users, hacks and access violations (Whitman and Mattord, 2008).
Justification for an ERP Security system for Harley Davidson Company
Information handling is vital to any organization's sustainability. Business transactions, dealings, accounting, purchasing and selling feed a constant stream of confidential and business-critical information into the system. All of this information and data should therefore be tightly secured, electronically encapsulated by the monitoring software so that the operational and functional variables of the organization are shielded. The encapsulation must nevertheless keep the information available at all times to the operators who use it, enabling smooth operation; this availability in turn increases the vulnerability of the system, which thus runs on an element of compromise (Scott and Krischer, 2002).
ERP (enterprise resource planning) security systems are essentially a set of utilities for customer management and financial management in customer dealings. ERP systems should adopt the same access profiles as traditional information security, which erects walls against external intervention while meeting the access and operational standards of audit regimes such as Sarbanes-Oxley (Blosch and Hunter, 2004). A security-based ERP system is therefore mandatory for secure operation, reliable storage of information and its availability to authentic users. This study will develop an understanding of ERP systems and then propose such a secure ERP system for integration into the general operations of the organization.
According to Dhillon (2004), the approach to information security systems has always been reactive. The orthodox view in the past was to overlook the importance of monitoring software within the organization's general operations; as the volume of information grew, however, it became important to develop means of controlling and securing that information that help identify and formulate essential business management variables proactively. When a system utility is designed, it is critically analyzed for how appropriate (or inappropriate) it will be as a business security application. Such an application should communicate and comply efficiently with general business tools while providing constant surveillance and meeting business essentials. However, a number of ERM resources are reported not to obey IT security regulations.
A proposed mechanism to tackle the above mentioned issues is as follows:
1. A generally available security software tool is studied to extract the sections useful for ERP systems;
2. If the security tool lacks the required level of ERP system security, the deficiencies should be identified;
3. After identifying the deficiencies, an ERP security system should be designed that adds security resources to the studied system, aligned with IT security standards (Dhillon, 2004).
Section 4: ERP system Implementation Plan for Harley Davidson (Securing hardware, software and networking systems)
The implementation plan for Harley Davidson's ERP system consists of three interrelated elements, namely people, policy and technology; the state of one element affects the others (Von Solms and Von Solms, 2004).
People Element
The people element of the security system is divided into two groups: the first (IT managers and network security administrators) defines the security parameters of the system, monitors and manages it, and supports the system users, who form the second group (Von Solms and Von Solms, 2004).
The user group must be made aware of the security measures in place and know the consequences of misuse or violation. As suggested by Martins (2003), the people element can be considered in the context of nine elements:
Policy and regulations – the administration defines rules and regulations for employees to follow under the implemented security system so that they become a responsible part of it (Martins, 2003).
Benchmarking – IT security measures implemented in similar organizations under IT governance regulations should be compared with the currently implemented system to assess its efficiency and identify room for improvement (Martins, 2003).
Risk analysis – during the design of the security mechanism it is important to identify external threats and possible routes to important information databases so that security can be strengthened with additional measures (Martins, 2003).
Budget – designing a security culture requires a financial plan covering employee technical training, and control and risk management training for system assessment and general know-how (Martins, 2003).
Management – management builds a physical firewall to secure access to important information, through proper strategic management to protect information assets (Martins, 2003).
Trust – management is also responsible for forming an environment of trust in the workplace so that responsibility is shared equally between administrators and users (Martins, 2003).
Awareness – since constant surveillance is vital to the security system, employees must behave as expected in order to adhere to security monitoring principles. Learning the expected behavior is part of employee training, and employees should remain aware that they are in a monitored security environment (Martins, 2003).
Ethical conduct – morality and ethical behavior in a security environment should also match the expectations of the monitoring system learned in the training sessions (Martins, 2003).
Change – acceptance of changes in the security system, in rules and regulations, expected behavior, awareness and ethical conduct should be a trait of the people element, since advances in the information security system are vital to its effectiveness.
These nine contexts encompass all the issues related to the people element (Martins, 2003).
Policy Element
An organization's IT structure has the core responsibility of protecting the organization's information assets (CobiT Security Baseline, 2010). International security standards such as ITIL, ISO 17799 and CobiT have provided numerous definitions of information security.
The following are some of the organizational security standards:
King II – the report on Corporate Governance for South Africa 2002 (King Committee on Corporate Governance, 2002) was produced by the King Committee as a set of organizational governance recommendations. It focuses on organizational accountability and highlights the organization's responsibilities to its shareholders. The report provides a recommendation framework covering administrative managers, auditors, accountability and monitoring personnel, and accounts managers, along with security administration (King Committee on Corporate Governance, 2002).
CobiT – an information security governance framework that secures the organization's information assets so that physical activities run smoothly. As a control framework, however, it does not set out how and when practices should be followed on specific issues: it is a control framework, not a process framework (Mingay and Bittinger, 2002).
ITIL – the Information Technology Infrastructure Library (ITIL) is a set of good practices for Information Technology Service Management (ITSM) that aims to align IT services with business requirements. It is a set of procedures, tasks and thresholds used to gauge an organization's competency and to identify and measure opportunities for improvement (Mingay and Bittinger, 2002).
ISO 17799 – an international security standard issued by the International Organization for Standardization (ISO) that establishes guidelines and general principles for information security management (Hoekstra and Conradie, 2002). It is divided into 10 modules that are applied in practicing security management.
While King II defines the role of the organization, CobiT defines the role of IT. ITIL states how that role can be performed, and ISO 17799 emphasizes the need for a comprehensive information security management and execution plan. Used together, these four frameworks can address all the administrative issues an ERP system faces (Hoekstra and Conradie, 2002).
Technology Element
From the technological viewpoint, information security can be divided into five subdivisions (Von Solms and Eloff, 1997):
Validation and verification – information security in an ERP system is chiefly responsible for ensuring that only authorized users can access the ERP system (Yang et al., 2004). This is done through identification and validation.
Authentication – through the authentication feature of the ERP system, only users with a valid user ID can access the system; authorization is thus tied to the user ID allocated to the user (McLean, 2000). Users without an ID are denied access.
Confidentiality – due to the sensitive nature of the data, this element asserts the importance of allowing only authorized users to view particular data (McMillen, 2004), thereby protecting its privacy (Von Solms and Eloff, 1997).
Integrity – this element implies that data within the ERP system can be changed only by authorized users, where changing means creating new data, updating old data and deleting unwanted data (Von Solms and Eloff, 1997).
Confirmation – the purpose of this element is to ensure that any transaction within an ERP system can be validated if a dispute ever arises. Measures such as public key encryption and digital signatures reduce the chances of unauthorized entry or a security breach (Bell, 2003).
Nevertheless, the five elements identified by Von Solms and Eloff above do not cover the following two major problems an organization can face with an ERP system:
Availability – to ensure 24/7 business operations and connectivity, the ERP system must remain in place. Care should be taken to minimize the time taken by system repair and maintenance, downtime, operations and data restoration. Difficulties arise in supervising ERP performance, databases, operating systems and applications, and networks, and in distributing and balancing workloads and other background jobs.
System analysis and scrutiny – an organization should audit the system design of an ERP system in the initial implementation phase, because once that phase is past it becomes harder to invest resources in system auditing, which results in an insecure, poorly designed system. Regular monitoring and control, security checks and periodic reviews will not only make the system robust but will also help in overhauling and redesigning it if more stringent security measures are needed.
Thus the five elements initially described can be broadened to absorb the issues of availability and system analysis and scrutiny (Marnewick and Labuschagne, 2005).
Section 5: Security plan for Natural Disaster
Elements of security plan
A business that values its assets, data, privacy and security formulates a security plan for natural disasters that involves the following components. To meet the organization's requirements without interference or interruption, and to ensure the organization's continued survival, the Business Impact Analysis (BIA) of Harley Davidson comes into play.
The themes discussed below form the argument for the contingency plan and lead to a comprehensive evaluation of Harley Davidson's situation, following the treatment by Whitman and Mattord (2008).
Business Impact Analysis
Organisations carry out a Business Impact Analysis (BIA) to inspect the probable threats and opportunities to which the organisation might be exposed, examining the outcomes and effects these threats and opportunities are likely to have on the company. The BIA is considered comprehensive, and therefore effective, only if it assumes that all risk management measures have proven ineffective and failed (Whitman and Mattord, 2008).
Harley Davidson's evaluation is usually undertaken by its top management and aids in determining and scheduling the overall workings and day-to-day operations of the business. The aim of this classification is twofold: it identifies and brings to the company's attention the natural and manmade disasters most likely to have a negative impact on the business, and the extent to which they would harm its operations (Whitman and Mattord, 2008).
Incident Response
The BIA identifies what can impact the business; the incident response (IR) plan then devises strategies to address and, where possible, alleviate those risks. Any incident or event with the potential to affect the company's values and integrity, privacy and/or survival should be addressed by the incident response plan, which should clearly identify the measures to take when a situation arises (Whitman and Mattord, 2008).
While the BIA involves top management, the IR plan requires the knowledge of Harley Davidson's central IT department. This lets the business employ the IT department's expertise in identifying situations that require the organisation's careful attention and in analysing the responses to any critical situation (Whitman and Mattord, 2008).
Disaster Recovery
The IR plan involves evaluating and dealing with quick responses to events, whereas the disaster recovery (DR) plan focuses on the consequences of a disaster and devises strategies for the company to recover. Because the two share features, it is important to distinguish between them. The DR plan involves key company representatives who possess crucial information for the recovery and rehabilitation of the business (Whitman and Mattord, 2008).
Business Continuity
What matters to the company is to continue operating even after it has been struck by a disaster. This is where the business continuity (BC) plan comes in. The BC plan extends the BIA, deals with the aftermath of disastrous situations and recognizes that the business might take a long time to recover fully. Business survival is of utmost importance, so BC is a vital part of the BIA (Whitman and Mattord, 2008).
Both top management and Harley Davidson's IT department are involved in devising the BC plan. Relocation is a disastrous situation likely to occur when the BC plan lacks the full support of management, because business continuity would then be at risk and both organizational support and business finances would suffer losses (Whitman and Mattord, 2008).
Business Impact Analysis
We now consider how an effective contingency plan can be developed for each situation. This BIA discusses how Harley Davidson would be affected should a situation arise and how it should deal with it; it can be termed the BIA of Harley Davidson for such a situation (Whitman and Mattord, 2008).
Threat Identification and Prioritisation
First and foremost, a list of potential threats that could impact Harley Davidson must be drawn up. These threats are classified into categories according to their origin, which can be related to Harley's business as a whole. Listing the threats helps in developing a description for each and in classifying them, since a threat might also fall into other categories (Whitman and Mattord, 2008).
Prioritisation of attacks
The next step is to develop a table listing the potential threats, their probability of occurrence, the possible harm they could inflict on the business, and the recovery costs associated with them. This is a critical part of the BIA because it enables Harley Davidson to rank and prioritise each threat by its probability of occurrence and the damage it can cause. To illustrate: a threat may have a low probability of occurrence yet cause strikingly high damage with a huge associated restoration cost (Whitman and Mattord, 2008).
Business Unit Analysis
Business unit analysis (BUA) identifies the core and most important functions of the business. This enables the BIA to analyse which threat affects which part of the company and how, should it occur, it will impact the organisation's operations (Whitman and Mattord, 2008).
Attack success and scenario development
The attack scenario is another way of structuring the BIA, in addition to evaluating threats and basic business functions. This process tabulates the consequence of each threat for each particular function. It helps anticipate future attacks on the business and proposes ways of coping with them. The technique must be applied systematically, since a single attack can affect multiple business functions in different ways (Whitman and Mattord, 2008).
Potential damage assessment
Potential damage assessment describes the cost that Harley Davidson would have to bear for each incident, together with a recovery strategy to assist the business unit. Best-case and worst-case circumstances must be set out for each possible attack, and the assessment must also estimate the frequency and probability of each scenario. Time, assets, public image and business functions are the aspects to consider in this assessment (Whitman and Mattord, 2008).
Subordinate plan classification
Once the after-effects of an attack are understood, the BIA's evaluation of each scenario is essential for developing a strategy to handle those after-effects in an orderly way (Whitman and Mattord, 2008).
Section 6: Implementing strategy (long-term strategy)
Understanding the structure and design of an ERP system is integral for an organization, especially Harley Davidson, because it enables effective and consistent integration of information security into the ERP system. An ERP model comprises the following four elements, executed through a specific procedure tailored to Harley Davidson (Marnewick and Labuschagne, 2005).
The software element – recognized as the ERP product, it is the most visible part of the ERP system for its functional users. It includes modules such as Supply Chain Management, Customer Relationship Management and General Ledger.
Process flow – this relates to the flow of data or information among the various modules of an ERP system. Process flow is the second and a very important element of an ERP system, so understanding it is crucial.
User resistance – An ERP project is sometimes called a breakthrough innovation in technology and requires an open and accepting mindset on the part of the customer. If the customer perceives it as a threat rather than an improvement, even the most efficient ERP system could fail (Maurer, 2002).
Change management – The effective integration and implementation of an ERP system requires changes made at every level of the organization, including changes made in its structure and culture. This forms an extremely vital element in a successful ERP implementation.
ERP methodology – An ERP methodology refers to a set of techniques and procedures that will facilitate the process of ERP implementation and integrate all four of the above mentioned elements (Marnewick and Labuschagne, 2005).
In order to create an ERP system that complies with the international security standards, an organisation needs to attune its ERP model with an appropriate security structure. This also sheds light on the need for security which is not a one-time function and restricted only to the initial implementation phase of an ERP system but is a recurring organisational process (Marnewick and Labuschagne, 2005).
Now we shall be focusing on incorporating the ERP security structure into the four elements of the ERP model (Marnewick and Labuschagne, 2005).
Software aspect of the ERP system
Policy element of the ERP Security system
The purpose of the policy element is to enforce and manage security by maintaining all the procedures and policies. Guidance for implementing the software element can be taken from ITIL and CobiT, since the software element deals only with the software modules within the ERP system. CobiT is used to define the security of SRM (Supplier Relationship Management) dealings with customers. ISO 17799 affects the software modules in the following ways (Marnewick and Labuschagne, 2005):
Security policy – a policy must be defined that covers all important information and governs how the ERP system operates.
Asset classification and control – all assets of the ERP system must be controlled. These include the hardware and networking infrastructure as well as the ERP system itself, which is software. Customization of the ERP system is also included as part of the intellectual capital (Marnewick and Labuschagne, 2005).
Physical and environmental security – access to the premises and to the system must be controlled, and a safe environment is required to host the physical ERP servers.
Communications and operations – the operational procedures must be in place. This includes preventing unlawful access to the ERP system and setting the frequency of backups (Marnewick and Labuschagne, 2005).
Access control – access to the ERP system, and to some of its modules in particular, must be properly controlled.
System development and maintenance – the security of all the software elements is defined here, together with the means of data encryption (Marnewick and Labuschagne, 2005).
Business continuity – the ERP system must be able to operate in disaster events. Business continuity plans must be defined and tested, since transactions must be available through the ERP system at all times.
Compliance – the ERP system must meet the applicable legislation and standards, taking every aspect of ISO 17799 into account. Personnel security is excluded here, since the software element does not govern the organization's employees (Marnewick and Labuschagne, 2005).
People Element of the ERP’s Security system
The people element has little effect on the software element, but the people using the ERP system are significantly affected by its security (Sharma, 2004).
Both hard and soft issues are involved. The soft issues, mainly ethical conduct and trust, influence the people element; the hard issues are discussed below (Sharma, 2004):
Budget – the effects of ERP security on users' work, and the issues that surround it, must be made clear to the users, and the required training must be provided.
Management – security will only be enforced if management encourages users to enforce it.
Change – the organization must deal with change effectively, since implementing the ERP system will change the users' working lives (Sharma, 2004).
Seven pillars apply to the software element. The authorization pillar identifies the modules, and the kind of access within them, that each user is granted. Access to the software element is established by the identification and authentication pillar. Information provided to users through the software modules must remain confidential and its integrity maintained; a supplier's special deals, for instance, are not disclosed to the public (Sharma, 2004).
In other words, no user intervention is involved when information flows from one side of the ERP system (such as the SRM module) to the printing of an invoice (Sharma, 2004).
The software must meet auditing standards. All software modules must be available at all times, particularly for the flow of information and interaction between modules and with suppliers and customers. Non-repudiation plays a significant part, particularly in the SCM (Supply Chain Management) and SRM modules.
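The pillars just listed applied to a small SRM module: identification and authentication of the user, authorization of module actions by role, confidentiality of a supplier's deal terms (the public fields are served to roles without full SRM access), and auditing with non-repudiation through a keyed, chained audit log whose entries cannot be silently altered. This is an added example, not code from the essay or from Sharma (2004); the users, roles, supplier record and keys are constructed sample data, and availability, the remaining pillar, is an operational property not shown here.

```python
"""Seven security pillars on an ERP software module (added example).

Users, roles, the supplier record and the keys are constructed sample data.
"""
import hashlib
import hmac
import json

# Identification and authentication: constructed users, password hashes only.
USERS = {
    "alice": {"pw_hash": hashlib.sha256(b"alice-pass").hexdigest(), "role": "procurement"},
    "bob":   {"pw_hash": hashlib.sha256(b"bob-pass").hexdigest(),   "role": "finance"},
}

# Authorization: the (module, action) pairs each role may perform.
ROLE_PERMISSIONS = {
    "procurement": {("SRM", "read"), ("SRM", "write")},
    "finance":     {("GL", "read"), ("GL", "post"), ("SRM", "read_public")},
}

# Confidentiality: only these fields of a supplier record are non-sensitive.
SUPPLIER = {"id": "S-100", "name": "Acme Castings", "special_discount": 0.12}
PUBLIC_FIELDS = {"id", "name"}

AUDIT_KEY = b"constructed-audit-key"  # in practice held in a key store, not in code
AUDIT_LOG = []                         # in-memory for the example


def authenticate(username, password):
    """Return the user's role, or None. Constant-time comparison of the hash."""
    user = USERS.get(username)
    if user is None:
        return None
    candidate = hashlib.sha256(password.encode()).hexdigest()
    return user["role"] if hmac.compare_digest(user["pw_hash"], candidate) else None


def audit(username, module, action, allowed):
    """Auditing and non-repudiation: each entry carries the previous entry's tag
    and is MAC'd with the audit key, so altering or dropping one breaks the chain."""
    prev_tag = AUDIT_LOG[-1]["tag"] if AUDIT_LOG else ""
    entry = {"user": username, "module": module, "action": action,
             "allowed": allowed, "prev": prev_tag}
    body = json.dumps(entry, sort_keys=True).encode()
    entry["tag"] = hmac.new(AUDIT_KEY, body, "sha256").hexdigest()
    AUDIT_LOG.append(entry)


def verify_audit_log(log=None):
    """Recompute every tag and the chain; False if any entry was altered."""
    log = AUDIT_LOG if log is None else log
    prev = ""
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "tag"}
        if body["prev"] != prev:
            return False
        expected = hmac.new(AUDIT_KEY, json.dumps(body, sort_keys=True).encode(), "sha256").hexdigest()
        if not hmac.compare_digest(expected, entry["tag"]):
            return False
        prev = entry["tag"]
    return True


def srm_read(username, password):
    """Read the supplier record; deal terms only for roles with full SRM read."""
    role = authenticate(username, password)
    if role is None:
        audit(username, "SRM", "read", False)
        raise PermissionError("authentication failed")
    if ("SRM", "read") in ROLE_PERMISSIONS[role]:
        audit(username, "SRM", "read", True)
        return dict(SUPPLIER)
    if ("SRM", "read_public") in ROLE_PERMISSIONS[role]:
        audit(username, "SRM", "read_public", True)
        return {k: v for k, v in SUPPLIER.items() if k in PUBLIC_FIELDS}
    audit(username, "SRM", "read", False)
    raise PermissionError(f"role {role} may not read SRM")


if __name__ == "__main__":
    print(srm_read("alice", "alice-pass"))   # full record, including the discount
    print(srm_read("bob", "bob-pass"))       # public fields only
    print("audit log intact:", verify_audit_log())
```

Note that denied attempts are audited as well as granted ones; a log that records only successes cannot support non-repudiation of what a user tried to do.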
Customer mindset is the second element of the ERP model. It deals with how users perceive the ERP system: as an assistant or as a threat to their work (Sharma, 2004).
Customer psychology element of the ERP Security system
Policy element of the ERP Security system
Standards and policies affect the way users perceive the ERP system. Some users may regard security as a burden, but they need to understand that it is necessary: security helps to ensure that information remains reliable and confidential. The customer mindset element also covers parts of two ISO 17799 modules: personnel security, which concerns who is employed, and security organization, which defines roles and responsibilities in the organization (Sharma, 2004).
Customer mindset and the people element are interdependent and influence each other. They can be distinguished as follows (Sharma, 2004):
Procedures and policies – these affect the work of the organization's employees, who must work according to the policies the organization defines (Sharma, 2004).
Benchmarking – this method lets an organization assess its performance against competing firms. The cross-comparison shows where the company is lagging and how to improve in those areas relative to the other organizations in the industry.
Risk analysis – the company's workers should be involved in a regular analysis of the risks the company is taking, to confirm that the security systems are effective and up to date and so that any gaps can be fixed.
Budget – the organization must train all workers and other stakeholders in the importance of the security systems and the influence they will have on their work. They also need to be taught how the systems work and how they affect the work processes and interaction within the ERP system, and an education budget must be allowed for this.
Management – implementing security and ensuring its proper use is the responsibility of management, so that everyone uses it correctly.
Trust – those who use the ERP system must be trusted by the people of the organization so that they implement the rules and measures associated with it (Sharma, 2004).
Awareness – people must recognise the importance of confidentiality, availability and integrity, and know how to comply with the policies being implemented.
Ethical conduct – the ERP system's integral issues are highly sensitive to the ethics and proper conduct practised by the firm. For instance, users need to be made aware that the security systems cannot be accessed from home (Sharma, 2004).
All the people-related elements outlined above have a heavy impact on the use of, and interaction with, the ERP system's security. The next element is technology, and its influence on people and their work is worth considering.
Technology element of the ERP Security system
Two key factors in the mindset of any user are proper identification and authority. The whole purpose of the technological controls is defeated if users of the system do not follow the established rules. For instance, all users need to understand the serious implications of sharing their personal username and password with an outsider; the consequences may be worse than one can comprehend, which is why they should be known beforehand. The system must be checked and audited constantly to ensure that it enforces the firm's processes and rules (Sharma, 2004).
Implementing an ERP system may become impossible if the necessary changes are not made and put in place. The next section looks at the management of change within this element and its impact on the ERP model (Sharma, 2004).
Change Management element of the ERP Security system
The basic idea of change management is not only to oversee the changes the ERP system introduces but also to carry them out within the organization, and to assess the changes that follow once the system is in place and the business processes change with it (Sharma, 2004).
Policy element of the ERP Security system
The policies and standards used within the organization are essential to consider when making any changes to the ERP system. Newer versions of the software may be installed and will be reviewed under ITIL to ensure they work properly. Throughout the life of the ERP system there will be noticeable changes in the organization and its processes, with implications for the security systems, and some parts of the security systems will be altered to take them into account. ISO 17799 plays a vital role throughout, governing the security elements and the changes they bring about across the whole organization. Altering the security policies is the responsibility of the policy element, while the roles are taken up by the organizational element (Sharma, 2004).
People element of the ERP Security system
Some aspects of the people element have an overall implication for the ERP model. Newly developed policies and patterns require changed patterns of work in the ERP system, and people must be made aware of the system itself so that they get used to the new ways of doing things (Sharma, 2004).
The management of any organization must ensure two things:
Users are made aware of any changes to the policies.
Users are given the education those changes require (Sharma, 2004).
Technology element of the ERP Security system
The following four elements are strongly affected by changes made to a system and business during the change process:
1. Privacy: confidentiality must not be affected by changes made to the system and business, meaning that only authorized users have access to the information.
2. Integrity: the information must not be altered during such changes. Data integrity must be maintained even after the ERP alterations.
3. Availability: changing the ERP system is sometimes hard because ERP is used in every transaction, so a proper strategy is designed to reduce the downtime.
4. Auditing: it is regular practice to audit the ERP system even during alterations to the system and business (Sharma, 2004).
Process Flow element of the ERP Security system
The process flow element of the ERP system concerns how information is transmitted between the various software elements (Sharma, 2004).
Policy element of the ERP Security system
Interaction among the various elements is affected by ISO 17799, which also governs the level of information and data transferred among the software modules. The relevant elements are explained below:
Asset classification and control: this element maintains protection among the elements, making sure that none of them interferes with another's performance and creates problems.
Communications and operations: this element maintains the integrity of information transferred among the system modules and provides guidance for preventing the information from being tampered with.
Two major aspects must be considered in process flow:
1. Access control
2. ERP system maintenance (Sharma, 2004).
People element of the ERP Security system
People do not play a major role in this part of the security system, since data transfer is handled entirely within the ERP system. Nevertheless, people as users must follow two rules:
Users must be aware of how the system works.
Users must keep in mind that their actions can have various consequences later (Sharma, 2004).
Technology element of the ERP Security system
Three controlling factors affect the flow of information among the software elements:
1. Confidentiality: users must have no access to the information while it is being transferred between software modules; this maintains the confidentiality of the transferred information.
2. Integrity: the integrity of the information must be maintained whether it flows within a single module or across several modules to the final receiver. In short, the arriving information must not have been altered.
3. Availability: the ERP system must be available, since it carries the transfer of information among the system modules. If any module is absent, data can be corrupted or have to be recaptured.
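The integrity requirement on inter-module flow stated above (and the "communications and operations" guidance on preventing tampering in the policy element) shown as code: the SRM module hands a purchase record to the invoicing module with a keyed MAC, and the receiver verifies the tag before it parses anything, so an alteration in transit or a replayed message is rejected rather than turned into an invoice. This is an added example, not code from the essay or from Sharma (2004); the modules, the record, the shared key and the replay check are constructed for illustration.

```python
"""Integrity of information flowing between ERP modules (added example).

The SRM-to-invoicing flow, the shared key and the record are constructed.
"""
import hashlib
import hmac
import json
import secrets

# Key shared only by the two modules; would live in a key store in practice.
FLOW_KEY = b"constructed-srm-to-invoicing-key"

# Nonces the invoicing module has already accepted (replay protection).
SEEN_NONCES = set()


def canonical(envelope):
    """Deterministic serialisation so sender and receiver MAC identical bytes."""
    return json.dumps(envelope, sort_keys=True, separators=(",", ":")).encode()


def srm_emit(record, key=FLOW_KEY):
    """SRM side: wrap the record with a fresh nonce and attach an HMAC-SHA256 tag."""
    envelope = {"nonce": secrets.token_hex(8), "record": record}
    body = canonical(envelope)
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def invoicing_receive(message, key=FLOW_KEY):
    """Invoicing side: verify the tag before parsing; None means 'do not invoice'."""
    expected = hmac.new(key, message["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, message["tag"]):
        return None                       # altered in transit or wrong key
    envelope = json.loads(message["body"])
    if envelope["nonce"] in SEEN_NONCES:
        return None                       # same message delivered twice
    SEEN_NONCES.add(envelope["nonce"])
    return envelope["record"]


def corrupt_in_transit(message, field, value):
    """Simulate one field of the record changing between the modules (the
    failure the integrity check exists to catch); the old tag is kept."""
    envelope = json.loads(message["body"])
    envelope["record"][field] = value
    return {"body": canonical(envelope), "tag": message["tag"]}


if __name__ == "__main__":
    purchase = {"po": "PO-7", "supplier": "S-100", "amount": 1250.0}
    msg = srm_emit(purchase)
    print("clean:", invoicing_receive(msg))
    print("altered:", invoicing_receive(corrupt_in_transit(msg, "amount", 125000.0)))
    print("replayed:", invoicing_receive(msg))
```

The MAC covers the whole envelope, nonce included, so the receiver cannot be made to accept a stale record under a new nonce either; confidentiality of the flow is a separate matter and would require encrypting the body, which this example does not do.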
The next section adds another element to the ERP strategy, namely information security (Sharma, 2004).
Methodology element of the ERP Security system
Policy element of the ERP Security system
ERP systems require CobiT and ITIL to be applied during and after implementation, which the programme manager ensures. If the organization adheres to CobiT and ITIL in accordance with the guidelines and standards set by the international committee, customers are drawn to dealing with such an authorized organization. In this way the organization's policies take precedence over those of the ERP system: the ERP system's policies must be formulated in accordance with the organization's, and the converse must not become general practice (Posthumus and Von Solms, 2004).
People element of the ERP Security system
The people element of the security system determines, from the organization's structures, which security administration will monitor the security aspects. The responsibilities assigned to that administration are then implemented concurrently in the ERP system; for example, the person responsible for password management in the security system is assigned the same task in the ERP system. The programme team leader monitors the capabilities of the personnel selected for the ERP and security systems working under him. This embeds security in the ERP system at the root level as an integral element rather than an optional one (Posthumus and Von Solms, 2004).
Technology element of the ERP Security system
The ERP security system has seven bases that must be integrated into the ERP system. They set the governing rules of the ERP security system, determining the access limits of customers and employees, and they provide the regulations that secure the integrity, confidentiality and limited (but prompt) accessibility of the information assets. The security project leader must address these bases during the design and implementation of the ERP security system, since they must form an integral part of the software utilities and of information sharing in the security packages (Posthumus and Von Solms, 2004).
The previous sections have established a comprehensive understanding of the concurrent implementation of an ERP system with an ERP security system, which defines how security issues are managed in an ERP-based IT system (Posthumus and Von Solms, 2004).
It is therefore clear that an ERP model cannot be implemented without an ERP security system in place. The security system not only provides control instructions to the system but also provides guidelines on risk management, regulations and standards for implementing and supervising an ERP system (Posthumus and Von Solms, 2004).
One of the core benefits of the ERP security system is that it provides a strong basis for security measures to act as an integral element from the outset. On the other hand, the framework has limitations: its specific standards must be modified for systems that use other standards, as the framework does not adapt automatically to different specifications (Posthumus and Von Solms, 2004).
Conclusion
The main point about ERP security made above is the integrated role that the security system must play to ensure a sound ERP system. Once an ERP system is fully implemented it leaves no room for changes, especially with respect to security, so governing the system in a high-risk corporate environment would become difficult. Aligning the organization's policies, procedures and structure is also vital, since without due consideration the system may not prove effective (Marnewick and Labuschagne, 2006).
One of the most important features of ERP system security is that it is a continuous process. It begins with the pilot testing phase, where security measures are brought into the system as the fully fledged ERP system is developed, and ends with the implementation phase, which closes the official process. This does not, however, end people's responsibilities: securing information is an everyday task, since new technologies keep emerging and systems are frequently updated (Marnewick and Labuschagne, 2006).
References
Bell, T., Thimbleby, H., Fellows, M., Witten, I., Koblitz, N. & Powell, M. 2003. Explaining cryptographic systems. Computers & Education. Volume 40. pp 199-215.
Blosch, M. & Hunter, R. 2004. Sarbanes-Oxley: an external look at internal controls. Gartner. August.
CobiT Security Baseline. IT Governance Institute. http://www.itgi.org
Dhillon, G. 2004. Guest Editorial: the challenge of managing information security. International Journal of Information Management. Volume 24. pp 3-4.
Hoekstra, A. & Conradie, N. 2002. CobiT, ITIL and ISO 17799: How to use them in conjunction. PriceWaterhouseCoopers LLP.
Holsbeck, M.V. & Johnson, J.Z. 2004. Security in an ERP World. Available at: http://hosteddocs.ittoolbox.com/MH043004.pdf
Hong, K-S. et al. 2003. An integrated system theory of information security management. Information Management & Computer Security. Volume 11. Number 5. pp 243-248.
King Committee on Corporate Governance. 2002. King Report on Corporate Governance for South Africa. Institute of Directors. ISBN 0-620-28851-5.
Marnewick, C. & Labuschagne, L. 2005. A Conceptual Model for Enterprise Resource Planning (ERP). Information Management and Computer Security. Volume 13. Number 2.
Marnewick, C. & Labuschagne, L. 2006. A Security Framework for an ERP system. Academy for Information Technology, University of Johannesburg, South Africa.
Martins, A. 2003. Information security culture. Masters thesis. Johannesburg: Rand Afrikaans University.
Maurer, R. 2002. Plan for the human part of ERP. Workforce Online. September.
McLean, N. 2000. Matching people and information resources: authentication, authorisation and access management and experiences at Macquarie University, Sydney. Electronic Library & Information Systems. Volume 34. Number 3. pp 239-255.
McMillen, D. 2004. Privacy, confidentiality and data sharing: issues and distinctions. Government Information Quarterly. Volume 21. pp 359-382.
Mingay, S. & Bittinger, S. 2002. Combine CobiT and ITIL for powerful IT governance. Gartner. 10 June.
Posthumus, S. & Von Solms, R. 2004. A framework for the governance of information security. Computers & Security. Volume 23. pp 638-646.
Scott, D. & Krischer, J. 2002. Real-time enterprise: business continuity and availability. Gartner. 24 September.
Sharma, P. 2004. Enterprise Resource Planning. Aph Publishing Corporation, New Delhi.
Von Solms, R. & Von Solms, B. 2004. From policies to culture. Computers & Security. Volume 23. pp 275-279.
Von Solms, S.H. & Eloff, J.H.P. 1997. Information security. Department of Computer Science, Rand Afrikaans University. Johannesburg.
Whitman, M. & Mattord, H. 2008. Management of Information Security. Second Edition. Thomson Course Technology.
Yang, Y., Wang, S., Bao, F., Wang, J. & Deng, R.H. 2004. New efficient user identification and key distribution scheme providing enhanced security. Computers & Security. Volume 23. pp 697-704.