ERP Security

Comsec provides a wide variety of Information Security services in order to improve the internal controls and security level of ERP systems. Our goal is to decrease the risks associated with an organization’s ERP system and to manage these risks efficiently whilst achieving the company’s business objectives.

The Challenge
Segregation of Duties alone is no longer sufficient. For many years, Segregation of Duties (SOD) was considered the one and only ERP security vulnerability. While SOD security is a must-have for every organization, there are many other threats and vulnerabilities that need to be considered, such as Denial of Service, insecure ABAP coding, broad access rights and weak access credentials. The top 5 ERP Security challenges are:
• ERP systems are implemented in companies that are required to comply with regulations such as SOX and Basel II, a fact that requires compliance with various Information Security Standards.
• Implementation of a large number of cross-organizational processes into one system causes the ERP system to be a critical “single point of failure” in terms of information protection, data management and business continuity.
• ERP systems have usually been in place for some time. At the time of implementation, cyber protection was most likely not a consideration. This new reality requires companies to redesign protection mechanisms and protect ERP systems from cyber threats.
• The ERP environment usually provides remote access to employees, suppliers and customers. Moreover, ERP systems include interfaces with external systems and various web applications. This may cause critical damage to data integrity, credibility and availability, or even system collapse.
• The average number of users typically increases throughout the assimilation process, and the complexity of user management increases with it.

ERP Security Framework

Our Approach
Comsec’s approach is based on a number of key elements which contribute to a high security level. These include policies and procedures, a detailed design of a secure ERP environment, control and audit mechanisms, application-level controls throughout the process, and more.

ERP Security Services
ERP Information Security Strategy
The formulation of an Information Security framework that determines the principles according to which security activities will be assimilated. This framework will take into account the organization’s Information Security Policy, regulations and standards.
• Security strategy Planning
• ERP Architecture Design and Analysis
• ERP Security Design/Re-Design – user & system authentication, profiles/roles design including SOD aspects, user & access management
• ERP Information Security Policy and Procedures
• ERP Data Leakage Protection
• Compliance with various standards and regulations

Information Security Implementation in an ERP Environment
The implementation of Information Security controls will decrease the organization’s exposure to security risks. The security framework includes controls that are accomplished by effective management of user authorizations and the implementation of configured controls, in addition to work procedures that serve as complementary controls.
• ERP Security Development Lifecycle (SDLC)
• ERP Authorization implementation – position mapping, roles design, implementation and maintenance.
• GRC tool implementation (SAP-GRC, Oracle, Approva, Aveksa, Whitebox, SecurityWeaver, ProfileTailor etc.)

ERP Security Monitoring and Maintenance
The daily monitoring and maintenance of controls in order to guarantee a minimal level of exposure to security risks. This includes report implementation, audit trails, GRC systems design and implementation, etc.
• ERP Threats and Vulnerabilities review including penetration testing
• Security Design Review
• Segregation of Duties and Sensitive Access Review and mitigation
• Application Security Review and mitigation
• Security Audit