
ERP - Risk Reduction


Written by Medi Karkashon-Mizrahi, ERP Security Division Manager

The gradual implementation of ERP systems has, on the one hand, united all of the business processes into one comprehensive system, and on the other has opened the opportunity to carry out various fraud and embezzlement actions through the system. A number of factors, such as wide authorizations, non-segregation of duties, incorrect policies and procedures, and inadequate design and maintenance of sensitive databases, are all breaches through which one can conduct fraud and embezzlement. Identifying and auditing these issues will significantly decrease the risk of a potential attack.

The words “fraud” and “embezzlement” are a concern for diverse organizations and managers. This issue is raised repeatedly due to the variety of fraud and embezzlement cases that were recently exposed across the globe.

Fraud and embezzlement are carried out when three elements coincide:

  1. Pressure (to carry out the act)
  2. Attitude (of the malicious party)
  3. Opportunity

The first two elements are not and cannot be controlled by the organization. However, opportunities to carry out fraud are abundant due to the failure to manage information systems and the non-implementation of suitable control mechanisms.

The implementation of control mechanisms and correct system management are critical issues in the implementation of an ERP system, because these systems store sensitive information on suppliers, clients, employees, sales, budgets, revenue, and additional confidential business information. Furthermore, this working environment presents various opportunities for fraud, as described below.

When an ERP system goes into production, a great deal of effort is invested in improving the functionality of the system and in successful adoption amongst the users. As a direct result, many users (including regular employees, consultants and implementers) receive wide system authorizations. Such wide authorizations are a common phenomenon in many organizations because the organization believes they will shorten the time to production.

ERP systems are extremely complex, and there are a number of ways to receive wide authorizations across the entire system. In SAP systems, for example, user management is based on user definitions, profiles, roles and authorization objects. A user can receive wide authorizations from a problematic profile, can be assigned incorrect roles, or can receive authorization objects that are themselves too wide.

The removal of wide system authorizations is not a simple task: an organization must recognize each of these possibilities, repair them, and manage each one separately. Failing to identify wide authorizations increases the organization's exposure to fraud and embezzlement.

ERP systems register business transactions in real time. This reduces the chance both to prevent fraud and to identify it as early as possible. For example, if a person stole inventory from a company and at the same time adjusted the inventory records in the ERP system, it would be extremely difficult to discover the embezzlement. System audits can prevent such an occurrence.

Companies should identify the problematic focal-points in the system and implement real-time audits that decrease the exposure.

ERP systems work on one database, which improves the flow of information and process integration on the one hand, and on the other means that the majority of the company's processes are managed under one system. Where in the past procurement was carried out by a buyer on system X and payment was carried out via system Y, these two actions are now carried out in a single ERP system. Thus, if the company has not implemented a user management scheme that preserves the role distribution principle (segregation of duties), there are most likely violations of it. Various embezzlements across the globe could have been avoided had the company implemented the role distribution principle, which states that no process, from start to finish, is conducted by a single individual; at least one other person is involved for auditing and authorization.

Companies should identify the violations of the role distribution principle, repair them and manage them regularly.
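The two review steps described above (finding users holding wide authorizations from a problematic profile or role, and finding users who can carry out both halves of a conflicting process alone) can be run as a script over an export of the authorization model. The following is an added example written for this page, not Comsec's methodology or an SAP tool; the role, authorization-object, field and action names are constructed and the model (roles grant object fields with value sets, "*" meaning unrestricted) is a simplifying assumption.

```python
"""Authorization review over a constructed SAP-style model (added example).

Assumptions (not from the article): roles grant authorization objects whose
fields carry value sets; "*" is an unrestricted value; each business action
needs one value per object field. Object, role and action names are invented.
"""

# Constructed role definitions: role -> object -> field -> granted values.
ROLES = {
    "Z_VENDOR_MAINT": {"Z_VENDOR_MASTER": {"ACTVT": {"01", "02"}}},
    "Z_AP_CLERK":     {"Z_PAYMENT_DOC":   {"ACTVT": {"01"}, "BUKRS": {"1000"}}},
    "Z_PO_CREATE":    {"Z_PURCH_ORDER":   {"ACTVT": {"01"}}},
    "Z_PO_RELEASE":   {"Z_PURCH_ORDER":   {"ACTVT": {"43"}}},
    # A "problematic profile": unrestricted values on sensitive objects.
    "Z_SUPER":        {"Z_VENDOR_MASTER": {"ACTVT": {"*"}},
                       "Z_PAYMENT_DOC":   {"ACTVT": {"*"}, "BUKRS": {"*"}}},
    "Z_DISPLAY":      {"Z_VENDOR_MASTER": {"ACTVT": {"03"}}},
}

# Constructed user-to-role assignments.
USERS = {
    "alice": ["Z_VENDOR_MAINT", "Z_DISPLAY"],
    "bob":   ["Z_AP_CLERK"],
    "carol": ["Z_VENDOR_MAINT", "Z_AP_CLERK"],   # maintains vendors and pays them
    "dave":  ["Z_SUPER"],                        # wide authorization via one role
    "erin":  ["Z_PO_CREATE", "Z_PO_RELEASE"],    # creates and releases own POs
}

# Constructed business actions and the object/field values each requires.
ACTIONS = {
    "CREATE_VENDOR":   {"Z_VENDOR_MASTER": {"ACTVT": "01"}},
    "MAINTAIN_VENDOR": {"Z_VENDOR_MASTER": {"ACTVT": "02"}},
    "POST_PAYMENT":    {"Z_PAYMENT_DOC":   {"ACTVT": "01", "BUKRS": "1000"}},
    "CREATE_PO":       {"Z_PURCH_ORDER":   {"ACTVT": "01"}},
    "RELEASE_PO":      {"Z_PURCH_ORDER":   {"ACTVT": "43"}},
}

# Pairs of actions that one person must not be able to perform alone.
SOD_CONFLICTS = [
    ("MAINTAIN_VENDOR", "POST_PAYMENT"),
    ("CREATE_VENDOR", "POST_PAYMENT"),
    ("CREATE_PO", "RELEASE_PO"),
]


def effective_auths(user):
    """Merge every field value granted by all of the user's roles."""
    merged = {}
    for role in USERS.get(user, []):
        for obj, fields in ROLES[role].items():
            for fld, values in fields.items():
                merged.setdefault(obj, {}).setdefault(fld, set()).update(values)
    return merged


def can_perform(user, action):
    """True if every object field the action needs is granted (or unrestricted)."""
    auths = effective_auths(user)
    for obj, fields in ACTIONS[action].items():
        for fld, needed in fields.items():
            granted = auths.get(obj, {}).get(fld, set())
            if "*" not in granted and needed not in granted:
                return False
    return True


def wide_authorizations(user):
    """Object/field pairs on which the user holds the unrestricted '*' value."""
    return sorted((obj, fld)
                  for obj, fields in effective_auths(user).items()
                  for fld, values in fields.items()
                  if "*" in values)


def sod_violations(user):
    """Conflict pairs where the user can perform both actions alone."""
    return [(a, b) for a, b in SOD_CONFLICTS
            if can_perform(user, a) and can_perform(user, b)]


def review_all():
    """Users with findings -> their wide authorizations and SoD violations."""
    report = {}
    for user in USERS:
        wide, sod = wide_authorizations(user), sod_violations(user)
        if wide or sod:
            report[user] = {"wide": wide, "sod": sod}
    return report


if __name__ == "__main__":
    for user, findings in review_all().items():
        print(user, findings)
```

The check merges authorizations across all of a user's roles before evaluating conflicts, because a violation often arises only from the combination of two individually reasonable roles (as with "carol"), while a single over-wide role (as with "dave") shows up under both findings at once.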

The implementation of an ERP system usually includes the implementation of sensitive procedures such as Signatory Authorization, Procurement Authorization, Supplier Payment Authorization, etc. In the past, these procedures were enforced through physical measures; today many organizations have adopted automatic mechanisms instead. Implementing these procedures incorrectly may allow employees to carry out faulty actions that cannot be prevented.

Companies should implement a suitable audit framework that decreases the occurrence of these situations.

The transfer to an ERP environment is usually conducted from a variety of legacy systems that manage sensitive data such as employees' bank account numbers and customers' price terms. Today, all this data is managed in one system with one database. The conversion process is complex and usually requires exporting data from system X, cleansing the data and importing it into the ERP system. If the sensitive data is exposed to hostile parties during any of these three stages, it is possible that the data will be leaked to unauthorized parties or damaged intentionally. The infrastructure for the correct and efficient management of processes in the system is a trustworthy database of master data (for example, payment to a supplier is carried out in accordance with the payment date, payment method and bank account, all master data; collecting payment from a customer is carried out in accordance with the payment method and customer discounts, both master data). Thus, the management of master data is a potential basis for conducting fraudulent activities.

Companies should identify the sensitive data and carry out periodic examinations of the data's accuracy and of its maintenance by system users.
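The real-time audit the article calls for above (catching the pattern of a record being adjusted, an action taken, and the record restored) and the periodic examination of master-data maintenance can be combined in one continuous check that correlates the master-data change log with posted payments. The following is an added example for this page, not the article's or any vendor's tool; the change-log and payment records are constructed inline, and the assumption is that the ERP can export both with the user, date, vendor and old/new values shown.

```python
"""Continuous audit of supplier master data against payments (added example).

Assumptions (not from the article): the ERP exports a change log of vendor
master-data edits and a list of posted payments; both are constructed inline.
A payment is flagged when the vendor's bank account was changed shortly before
it, and scored higher when the same user did both, or the change was reverted
afterwards (the "adjust, act, restore" pattern the article describes).
"""
from datetime import date

# Constructed change log: (date, user, vendor, field, old value, new value).
CHANGE_LOG = [
    (date(2012, 3, 1),  "carol", "V100", "BANK_ACCT", "ACC-0001", "ACC-9999"),
    (date(2012, 3, 3),  "alice", "V200", "BANK_ACCT", "ACC-0002", "ACC-0003"),
    (date(2012, 3, 9),  "carol", "V100", "BANK_ACCT", "ACC-9999", "ACC-0001"),
    (date(2012, 2, 1),  "alice", "V300", "BANK_ACCT", "ACC-0004", "ACC-0005"),
    (date(2012, 3, 4),  "alice", "V100", "PAYMENT_TERMS", "NET30", "NET14"),
]

# Constructed payment documents: (date, posting user, vendor, amount).
PAYMENTS = [
    (date(2012, 3, 5),  "carol", "V100", 48000.00),  # 4 days after bank change
    (date(2012, 3, 10), "bob",   "V200", 1200.00),   # 7 days, different user
    (date(2012, 3, 15), "bob",   "V300", 5000.00),   # change 43 days earlier
]

AUDITED_FIELD = "BANK_ACCT"


def was_reverted(change):
    """True if a later entry sets the same vendor field back to the old value."""
    chg_date, _, vendor, fld, old, new = change
    return any(c[0] > chg_date and c[2] == vendor and c[3] == fld
               and c[4] == new and c[5] == old
               for c in CHANGE_LOG)


def changes_before(vendor, pay_date, window_days):
    """Bank-account changes for the vendor within window_days before pay_date."""
    return [c for c in CHANGE_LOG
            if c[2] == vendor and c[3] == AUDITED_FIELD
            and 0 <= (pay_date - c[0]).days <= window_days]


def audit_payments(window_days=14):
    """Flag payments preceded by a recent bank-account change; score the risk."""
    findings = []
    for pay_date, payer, vendor, amount in PAYMENTS:
        for chg in changes_before(vendor, pay_date, window_days):
            age = (pay_date - chg[0]).days
            reasons = [f"bank account changed {age} days before payment"]
            if chg[1] == payer:
                reasons.append("same user changed master data and posted the payment")
            if was_reverted(chg):
                reasons.append("bank account later changed back to the old value")
            findings.append({
                "vendor": vendor,
                "payment_date": pay_date,
                "payer": payer,
                "amount": amount,
                "changed_by": chg[1],
                "score": len(reasons),
                "reasons": reasons,
            })
    # Highest-risk findings first.
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for f in audit_payments():
        print(f["vendor"], f["payment_date"], f["score"], "; ".join(f["reasons"]))
```

With the constructed data, the V100 payment scores highest because all three indicators coincide, the V200 payment is a low-score item for review, and V300 is outside the default 14-day window (widening the window to 60 days brings it in). In practice the window and the audited fields are tuning decisions for the organization's own payment cycle.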

The problematic focal points should be dealt with in two phases: first, identification of these focal points, and second, establishment of a continuous auditing framework that prevents and decreases the chance of exposure.

ERP systems such as SAP and Oracle are large and complex in the number of processes they implement, the huge amounts of data they store and their way of operation. Thus, the identification and proper treatment of the problematic focal points requires skill and deep knowledge of the system.

Comsec Information Security has developed proprietary methodology to conduct Fraud and Embezzlement Assessments in ERP systems in general and SAP systems in particular. The uniqueness of this methodology is derived from work plans that refer to the specific, problematic focal points in each ERP system, whilst emphasizing a continuous auditing framework.

