290 Chapter 10 • Global, Ethics, and Security Management
maintaining a secure environment. It is still the case that many systems are inappropriately accessed
through stolen user IDs and passwords that were written down and posted on an employee’s monitor
or left in an employee’s desk. Securing an ERP system is complex and requires both good technical
skills and communication and awareness. It is often said that a system’s security is only as good as
its weakest link. In the case of systems connected to the Internet, the weakest link may not even be
the company’s employee—it could be someone else who has been given access to the system for
e-commerce purposes.
System security cannot be underestimated or overlooked in an ERP implementation. As with
any system, a security plan must be developed to address all the issues related to access, with an
implementation methodology employed to ensure proper installation and testing. Organizations
often hire security consultants to attempt to access the ERP to see how secure the system really
is, and even to keep trying to break in once the system is in production. This includes not only
breaking in through electronic means but also gaining physical access to computers, stealing user
IDs and passwords from employees, and even taking laptops or PDA devices that may contain
sensitive information. As in the nonelectronic world, it is difficult if not impossible to keep up
with the creative ways thieves or hackers gain access to systems. ERPs are prime targets because
they hold so much information that can be harvested and used. A currently published statistic
estimates that there are 100 million published data leaks.
Security needs to be in place, tested, and enforced from day one. The Internet makes
access from anywhere at any time possible, but it also opens up a company’s ERP to many more
people than just the company’s employees.
A good security plan will consist of the software products needed to ensure proper and
secure access but will also consider physical access and user security awareness.
USER ID AND PASSWORDS There is a balance to strike with user IDs and passwords. The current
trend is to provide access to systems through an ID management system, which gives each user a
single user ID and password. This is highly desirable for end users: they have only one ID to manage,
which will most likely stop the writing down or storing of user IDs and passwords. On the other
hand, users must be made to understand the importance of a good password that is not easily
cracked. (A number of systems now require a password with at least one number and one special
character.) A policy of changing passwords periodically is also needed; the current best practice
is somewhere between 30 and 60 days.
In addition, there need to be policies for how a password is reset if it is forgotten and for
the suspension or deletion of user IDs if an employee leaves the company or changes roles in the
organization. It is vital for HR to work with IT security to ensure that only active employees have
appropriate access to the system. A yearly audit of who has access should be conducted to ensure
nothing has been missed.
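As an added illustration of the two policies just described (this is not code from the textbook), the following Python script reconciles a constructed HR roster with constructed ERP account records and flags the cases the text calls out: accounts belonging to employees who have left, role changes not reflected in the ERP, accounts with no HR owner, and passwords past the 60-day rotation limit. The `password_meets_policy` check implements the "at least one number and one special character" rule; all names, roles, and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date
MAX_PASSWORD_AGE_DAYS = 60  # upper end of the 30-60 day rotation window the text cites

def password_meets_policy(password: str) -> bool:
    """Rule quoted in the text: at least one number and one special character."""
    return any(c.isdigit() for c in password) and any(not c.isalnum() for c in password)

@dataclass
class HrRecord:            # one row of the HR roster (constructed format)
    employee_id: str
    active: bool           # False once HR has processed the departure
    role: str

@dataclass
class ErpAccount:          # one ERP user account (constructed format)
    user_id: str
    employee_id: str
    role: str              # role the account is currently provisioned with
    password_set: date     # date the password was last changed

def audit_accounts(roster, accounts, today):
    """Reconcile ERP accounts against HR; return (user_id, finding) pairs."""
    by_employee = {r.employee_id: r for r in roster}
    findings = []
    for acct in accounts:
        rec = by_employee.get(acct.employee_id)
        if rec is None:
            findings.append((acct.user_id, "no matching HR record"))
        elif not rec.active:
            findings.append((acct.user_id, "employee no longer active"))
        elif rec.role != acct.role:
            findings.append((acct.user_id, f"role mismatch: HR {rec.role}, ERP {acct.role}"))
        if (today - acct.password_set).days > MAX_PASSWORD_AGE_DAYS:
            findings.append((acct.user_id, "password older than 60 days"))
    return findings

# Constructed sample data for the yearly access review.
HR_ROSTER = [HrRecord("E100", True, "buyer"),
             HrRecord("E200", False, "ap_clerk"),    # left the company
             HrRecord("E300", True, "controller")]   # promoted from ap_clerk
ERP_ACCOUNTS = [ErpAccount("jdoe", "E100", "buyer", date(2024, 5, 1)),
                ErpAccount("asmith", "E200", "ap_clerk", date(2024, 5, 20)),
                ErpAccount("bjones", "E300", "ap_clerk", date(2024, 3, 1)),
                ErpAccount("vendor1", "E900", "portal", date(2024, 6, 1))]
TODAY = date(2024, 6, 10)

def run_audit():
    return audit_accounts(HR_ROSTER, ERP_ACCOUNTS, TODAY)
```

Running `run_audit()` on the constructed data yields four findings: asmith (inactive employee), bjones (role mismatch and a stale password), and vendor1 (no HR owner); jdoe is clean.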
PHYSICAL HARDWARE SECURITY It used to be that physical access to the computer center
was the big exposure or risk to system security. Even though the security of computer centers
has improved, with the advent of networks and the PCs connected to them, physical access now
also includes network closets or switch rooms and access to PCs. All must be secured. Thefts of
laptop computers with sensitive information on them have become a bigger issue for companies.
One may think that the data on a laptop hard drive are secure if the PC can only be accessed
through a user ID and password. This is not the case: thieves often remove the hard drive and
connect it to another PC, and the data are readily available. The encryption of hard drives,
especially on laptops, is one solution that is becoming more and more available. PCs have been a weak link in