Wie aktualisieren Sie Ihre ERP-Sicherheitsstrategie?

Knowing your current security status is not a one-time thing, but a continuous process. Regular audits and assessments can help you find out about new risks that may come up due to software updates, changes in regulations, or new cyber threats. To catch any security issues, use real-time monitoring and automated alerts. Also, involve key people like department heads, IT teams, and even end-users in these assessments. This will give you a better understanding of how the ERP system is used and where security weaknesses may exist. By working together, you can make sure the security strategy is aligned with the organisation's operational needs, striking a balance between security and functionality.

From an ERP-centric viewpoint, refining the security framework centres on understanding the inherent functionalities and interconnectedness of ERP modules. Primarily, it's about strengthening the inherent access controls and ensuring that the multitude of ERP modules function seamlessly without compromising data integrity. •Implement granular, role-based controls tailored to ERP modules, ensuring users can only access data relevant to their tasks. •Prioritize timely updates with a focus on ERP-specific vulnerabilities, ensuring each module is patched against known threats. •Separate sensitive data within ERP modules, ensuring that compromised access to one module doesn't jeopardize the entire dataset.

Security strategy with ERP application should be continuously reviewed, monitored and updated. Most ERP applications come with default security roles, however its essential for the Security roles or profiles to be redefined to the granular level. Enforcement of policies and controls which each module to enforce governance within and across module.

Organisations need to understand that the ERP security strategy involve all components that required to run the ERP system, and not only the ERP application, so ERP security team should integrate with other teams to cover the following security aspects. - Infrastructure security - Network security - Operating system security - Database security - ERP application security & updates - User accounts and roles security update - Backup and recovery - Disaster recovery The implementation of an ERP security strategy should be a continuous process, as new threats and vulnerabilities are constantly emerging. By regularly reviewing and updating the security strategy, organisations can help to protect their ERP systems from attack.

Consider security as part of your user stories when deploying a new system or rejuvenating an existing deployment. A position of zero trust, although can lead to frustrations for initial end users, helps ratify and tune access to what objects, data and transactions are truly required for the role. Consider reporting requirements as well, as there is a tendency to leave reporting as open ended for systems. Functional leads, be it Supply chain, finance, operations will have an appreciation for what daily, weekly and monthly activities are required for the roles. An experienced implementor can review and map these requirements into a profile. Security audits should occur naively and periodically, every 3 to 6 months.

Ensure periodic Audit review with Process Owners and HR relating to which employees have changed roles and still holding having access to previous assigned access. With the tight integration of Active Directory and other Security solutions with ERP application, its essential for the ERP security professional to check with IT security to validate employees who have left the organization with a signoff to validate the assessment. Some cases exist where ERP access was not disabled owing to the believe that AD access is disabled. Integrating an Identity Access Management tool could support this control requirement.

Collaborate ERP access logs with HR , network access records. User accounts which have not been used beyond say a 45 horizon should periodically be disabled, and as people join, leave or move roles within the organisation, access should be reviewed according to their profile. Limiting direct database access to queries such as SQL, SQVI can prevent workaround for access to private data that's not necessarily related to their traditional function. Exception based reporting for access outside of business or waking hours may attribute to risk based reporting, or access outside of geographical regions.

Major software vendors for ERP periodically release builds and patch systems for security flaws and feature updates. It is important that your application team is subscribed to vendor specific mailing lists and considers an iterative deployment schedule, say quarterly or every 6 months. Regression testing should occur for key business processes in a sandpit environment to test for customisations, and domain specific usage so that any impact can be assessed.

Although there is no single approach to monitoring security in ERP for system accessibility, Modules, master and transaction data, reporting and integrations. having a dedicated team to work with these tools help provide the required security measures. Another key silent and important security gap are integrations with other solutions, using admin roles or elevated access rights in the ERP system.

Get qualitative feedback from primary users of the system, and people that have joined the business in the last 6 months to ensure that their access roles is fit for purpose. Also keep ERP training logs as some business users have access to sensitive and far reaching data, and it's important that they are trained by an experienced person in case they make unintended changes with financial impact. Unusual activity including access to commercially sensitive information which is not inherent to their role can also be flagged. The functional leads within business areas can provide a fair assessment of this.

In addition to the ERP strategy, Security evaluation must be considered as criteria during ERP selection. Security and governance planning should be done prior to implementing the project. And finally, ensure you have an experienced ERP professional who know the solution well enough to guide during before, during and after the ERP project implementation.

Consider reporting systems, satellite systems and APIs which may connect to your core ERP or CRM system. There was a well publicised data breach in recent times with Optus having sensitive credential information and a lack of IP masking which led to the doxxing attack in Australia. Quite often, applications and reporting is developed rapidly, but there should be a review of security and access afterwards.