Reviewing Cyber Security Risks in ERP environment
ERP (Enterprise Resource Planning) systems are the backbone of many organizations. Integration of various business processes, a modular approach, the ability to operate on diverse platforms and architectures, and the incorporation of global best practices are the primary reasons why organizations adopt ERP systems. Over the past decade these systems have also created large value for organizations: organizations prepare their budgets and plans, run their operations, post transactions, and generate trial balances and statements for various compliance requirements. Various business process controls are enforced by setting appropriate configurations.

So far, ERP was seen as a closed system, with little scope within the organization to circumvent controls. For a long time, technicians and business users assumed that ERP systems were secure, and their management was left to ERP administrators. A significant part of audit work related to transaction audits and attestation of financial statements. There have been significant changes to the risk profile of ERP systems in recent years, and auditors need to familiarize themselves with these changes so as to formulate the right strategy and scope.

ERPs now operate in more open environments

Until recent years, the ERP systems of all organizations operated in closed environments. Business process configurations and access to the ERP were primarily part of the internal management of the organization. Over time, however, ERPs have acquired external interfaces as well. ERP systems are now integrated with business partners for Electronic Data Interchange (EDI), supply chain management, payment gateways and financial system interfaces, as well as biometric-based authentication, e-KYC requirements, and M-commerce and E-commerce transactions. The participation of web-based components is continuously on the rise. Organizations have also outsourced some or significant parts of their critical business operations to third parties.
Now ERP systems are more open to the external world, and risk management now includes external factors as well.

Organizations now work on hybrid technology

Apart from application functionality, the infrastructure that hosts the ERP environment runs on heterogeneous platforms. Organizations operating on ERP also need disaster recovery management systems, and often take the help of a cloud service provider or equivalent technologies instead of investing in replicating the production environment. Organizations have also adopted service-on-demand and platform-on-demand models specific to their service needs. There is virtually no perimeter for the ERP environment. Securing the permutations and combinations of access paths from any source to any destination needs detailed understanding, careful design of the network architecture and effective monitoring systems.

Custom code is being introduced

It is a generally accepted principle that customization of the ERP should be kept low. However, for various business and operational reasons, organizations develop custom code. The quality of development varies from organization to organization depending on various parameters and the focus on quality. In deploying such code to the production environment, there is sometimes a tendency to check whether the functionality is satisfied but not necessarily whether security requirements are met.

The practice of applying patches remains poor

ERP vendors release patches for various reasons, including plugging loopholes and vulnerabilities. However, deploying these patches requires meticulous planning and testing, and downtime needs to be minimized. Organizations sometimes do not apply these patches, which again results in more risk.

Enforcing SOD in several cases is not feasible

Organizations are well aware of the importance of segregation of duties (SOD). There are many factors that make enforcing it difficult:
- Organizational structures undergo frequent changes.
- Due to technical, geographical and structural constraints, users need to perform multiple tasks.
- Administrators are still considered trusted resources, and the need to segregate, control, log and monitor administrator activity remains under-estimated.
- Organizations may not have adequate technical competency in this area.

Changes to the socio-economic environment

The proliferation of technology has also resulted in:
- A rise in the 'freak' user community: users who are interested in finding unusual methods to enter the system as part of their experimentation or curiosity.
- Ease of availability of software with destructive capability.
- Disgruntled employees using their insider knowledge and access to data to their advantage.
- Cyber criminals and industrial and governmental espionage groups using advanced techniques and sophisticated tools to extract sensitive information.
- Organizations may not have adequate technical competency in this area.

With the Indian Government launching various schemes for the benefit of citizens, the personal sensitive information held across various systems and ERPs needs immediate attention.

Risks are not uniform across organizations

Cyber security risks related to ERP differ from organization to organization:
- The ERP deployment and integration architecture of each client could be different.
- The number of online service channels, digital products, and external and internal connection points could be different.
- The threat profile may differ from organization to organization depending on what is at stake.

Further, cyber security risks differ from other business risks in the following aspects:
- Cyber security risks do not necessarily depend on internal business and operational dynamics.
- Cyber security risks are far more dynamic than internal business risks.
- The potential impact of any cyber security risk could be cascading, may go beyond the boundaries of a single organization, and may directly impact customer and regulatory confidence.
- The risk appetite of internal management has limited significance in the world of cyber security; the risk is determined more by external factors.
- A timely response to any emerging cyber security risk is very critical.

Governance as the Key to Cyber Security Management

There is an increasing realization that cyber security challenges can be met only by coordinated effort. The audit response also needs to change proportionately to meet these challenges. ERP vendors themselves enhance their products, introduce security features, release new patches and generate exception reports. Apart from technicians, auditors need to evaluate the risks in this area from operational, business and financial perspectives as well.

Audits typically take place after the design or after the deployment of any new product. As more and more products go digital, there will be a need to shift the audit cycle to the pre-deployment stage. Building preventive controls at the design stage is an imperative for reducing cyber security threats; authentication and authorization controls, data protection controls and audit log management become important considerations at this stage. For technical architecture reviews, vulnerability management and software coding practices, it is desirable to take help from specialists in the respective areas. As organizations become hyper-connected, third-party contract reviews, roles and responsibility management, and business continuity management are important.

All over the globe, compliance regimes will become tougher with respect to cyber security. Compliance with regulatory requirements alone, however, is not sufficient in the world of cyber security. Knowledge institutions, product vendors and non-profit organizations that care about information security have published various guidelines to ensure effective deployment of technologies. Auditors will need to familiarize themselves with these expectations in letter and spirit and formulate their plans accordingly. Effective governance with a 360-degree view is the only way to counter cyber security threats.