Few professionals would dispute the difficulty of putting in new corporate systems. They are all large, complex, challenging projects. Within the past month, several Chief Information Security Officers (CISOs) have discussed the pressure that project managers, most of them from consulting companies, have exerted to gain full access to the production environment so they can make “changes, updates, and modification” to the production systems directly.
Case Example: An organization decided to replace its ERP systems with a hybrid mainframe, server, and Web model. The project was late and over budget. Toward the end of the project, change controls and security processes were all but completely dropped. About three months after cut-over, the system began having problems. An investigation began, and the “new” consultants found that in forty days there had been over 10,000 system abends (abnormal endings of executing applications) and over 20 million pieces of bad data were found in the production database. While this is perhaps the worst I have ever experienced, it really illustrates the need to keep control of the production environment and follow accepted standards for change control.
NOTE: The term abend (ABnormal END) is derived from a mainframe error message on the IBM System/360, and is also used jokingly by hackers.
Organizations have governance and compliance processes and standards in place. Once these are established, deviation from the norm becomes a problem and a red flag for any auditor (internal or external). Once all coding and configuration efforts are completed, final end-to-end testing must be done before the software is moved into the production environment. During this phase, security controls and permissions are exercised as the actual business processes are run against the system.
This is the first time the entire system is tested and evaluated end-to-end, so for the sake of operational integrity it is critical that this phase not be circumvented or short-changed. Once it is complete, most ERP system projects have a formal Sign-Off phase. Imagine what would happen if the company executives and key stakeholders were not willing to sign off on the system. How concerned would they be if they found out that established processes and procedures had been circumvented or disregarded? They are attesting to the viability of the system of record and, as such, need to have confidence and hard evidence that the work has been done properly with appropriate controls in place.
Operational integrity is the culmination of four basic ingredients: security, governance, compliance and resilience. Fully integrating all four into the core of an organization’s culture drives integrity throughout the enterprise. Customers, employees, shareholders and all other stakeholders are demanding operational integrity from the organizations they deal with. Honesty, dependability and soundness are all attributes of operational integrity. Organizations, regulators and auditors require consistency of actions based on values, methods, measures and principles. Today, operational integrity is a mandate, given the public backlash against poor corporate conduct, perceived greed and the numerous scandals that grace the headlines of newspapers and magazines across the nation.
Conclusion
Implementing an enterprise resource planning (ERP) system is often one of the biggest nightmares any organization can face. On one project the executive sponsor said, “It’s in, it’s up and operating — this has been a unique experience, one I liken to serving in Vietnam and like it, one I hope never to go through again.” Whether it's day-to-day system administration, internal audit, assisting external auditors or writing code, everyone contributes to security. When schedules do not allow developers to do their part, the security effort is disrupted and business risk increases. As deadlines approach, security goes out the window. Don’t let this happen to you! Security is built in, not bolted on!
Kevin G. Coleman, a consultant and advisor with Technolytics Institute, writes the Data Security column for TMCnet. To read more articles by Kevin, please visit his columnist page.
Edited by Greg Galitzine