Chapter 10 • Global, Ethics, and Security Management  293

SECURITY MONITORING AND ASSESSMENT A good security plan will also detail how to provide for constant assessment of security. A periodic review of who has access, what they have access to, and how often they are accessing the system should be part of the review. Setting up and reviewing audit logs must be addressed with an ERP implementation. Logging transactions and reviewing them on a daily or, at worst, a weekly basis is a must for any financial transaction. Audit logs will reveal any unusual transactional activity and help to minimize revenue loss due to fraud or hacking. Intrusion detection must be in real time, and any anomalies or unusual happenings on the network or ERP servers uncovered through daily reporting should be investigated. Virus scanning and protection against malware in general must be addressed, along with an evaluation of physical security. Physical security includes reviewing who has physical access to the servers and why. Some companies have hired consultants to provide this type of security assessment on a periodic basis. However it is accomplished, whether in-house or by outsourcing, this type of monitoring must be available to the production ERP system.
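The periodic access review and daily audit-log check described above, as an added example that is not part of the book: it runs over a constructed ERP transaction log, summarizes who used which module and how often, and flags entries worth investigating (a role acting outside its module, postings outside business hours, unusually large amounts). The role-to-module policy, thresholds and log format are assumptions made for the example.

```python
from collections import Counter
from datetime import datetime

# Constructed sample audit log (not from a real system):
# timestamp, user, role, ERP module, action, amount
AUDIT_LOG = """\
2024-03-04T09:12:31 jdoe   AP_CLERK payables    POST_INVOICE  1250.00
2024-03-04T09:40:02 jdoe   AP_CLERK payables    POST_INVOICE  980.50
2024-03-04T23:58:11 jdoe   AP_CLERK payables    POST_INVOICE  48900.00
2024-03-05T10:05:44 msmith AR_CLERK receivables APPLY_PAYMENT 2200.00
2024-03-05T10:07:19 msmith AR_CLERK payables    POST_INVOICE  300.00
2024-03-05T11:15:00 admin  SYSADMIN security    GRANT_ROLE    0.00
2024-03-05T11:16:30 admin  SYSADMIN security    GRANT_ROLE    0.00
"""

# Assumed (hypothetical) policy: modules each role is allowed to use.
ROLE_MODULES = {
    "AP_CLERK": {"payables"},
    "AR_CLERK": {"receivables"},
    "SYSADMIN": {"security"},
}
BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 local time (assumed)
LARGE_AMOUNT = 25000.0          # single posting worth a second look (assumed)


def parse(log):
    """Yield (timestamp, user, role, module, action, amount) per log line."""
    for line in log.splitlines():
        ts, user, role, module, action, amount = line.split()
        yield datetime.fromisoformat(ts), user, role, module, action, float(amount)


def access_review(log):
    """Who has access, to what, and how often: counts per (user, role, module)."""
    return Counter((u, r, m) for _, u, r, m, _, _ in parse(log))


def find_anomalies(log):
    """Return (timestamp, user, reason) for entries a daily review should investigate."""
    findings = []
    for ts, user, role, module, action, amount in parse(log):
        if module not in ROLE_MODULES.get(role, set()):
            findings.append((ts, user, f"{role} acting in module {module}"))
        if ts.hour not in BUSINESS_HOURS:
            findings.append((ts, user, f"{action} outside business hours"))
        if amount >= LARGE_AMOUNT:
            findings.append((ts, user, f"{action} for {amount:.2f} exceeds threshold"))
    return findings


if __name__ == "__main__":
    for key, n in sorted(access_review(AUDIT_LOG).items()):
        print("ACCESS", *key, n)
    for finding in find_anomalies(AUDIT_LOG):
        print("INVESTIGATE", *finding)
```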

ENCRYPTION The process of taking data and making it unreadable to those who should not see it has been around for a long time. The difficulty has been encoding the data in such a way that it remains reliably readable by those who should be able to read it. Encryption involves using a key, usually a very long prime number that is difficult to guess or program, to scramble the data at one end and unscramble it at the other end. One way hackers gain access to systems is by monitoring data passing through a network. If that data passes unscrambled, reading it with the right tools and knowledge is relatively simple. In today's Web-based Internet applications, data encryption is highly desirable. Customers and users are sending and storing confidential data (e.g., credit card numbers and social security numbers) over the network. Encrypting that sensitive information will help to prevent theft of information. In today's ERP implementations, network data encryption and even storing encrypted data need to be addressed. Even the sensitive data on laptop hard drives or PDA storage should be encrypted for security purposes. If the laptop or PDA is then stolen, accessing the hard drive to retrieve data will be next to impossible without the proper key.

            Disaster Recovery and Business Continuity Planning

Mission-critical systems must have a plan in place that provides for recovery from the various disasters that can befall a business. ERP systems play a key role in company business and profits. When a system is unavailable, significant revenues are often lost. It must be said that disaster recovery and business continuity planning are not just an IT responsibility. All departments that use an ERP system must play a part in providing business continuity while a system is unavailable. In planning for a disaster, a company must weigh the level of risk against the amount of money required to ensure that systems are available again as quickly as possible. Some of these costs include alternate or mirrored sites to ensure ongoing business availability; software and data backups stored off-site; alternative computer centers with the network connectivity and workstations needed to run the business; and the support needed to keep the sites in synchronization as software and hardware configurations change. In any planning process (e.g., disaster recovery), the evaluated risk or loss of revenue should be compared with the funds necessary to recover from each possible risk in a timely fashion. This planning process is very complex and time consuming and is well beyond the scope of this book. The key concept is to understand that planning for a disaster is part of ongoing business and must include all departments involved in a mission-critical system.