Developing Enterprise Processes for Compliance
This Discussion is based on the following case study and references the optional article “Security Manager’s Journal: Security Measures Have to Be Reasonable.” In this case, the security manager works at a large organization that must comply with Sarbanes-Oxley regulations. The organization uses an enterprise resource planning (ERP) software package for critical business processes and needs to grant the ERP vendor’s support personnel access to the application after working hours. The personnel are asking for generic accounts with full administrative rights. The security manager does not want the ERP software to suffer an outage, but also does not want to grant access through a generic ID, because activity under a shared account cannot be attributed to an individual and therefore cannot be audited for Sarbanes-Oxley. An immediate solution is to provide limited access rights for the short term and then identify a tool recommended by the ERP vendor for auditing the activity and keystrokes of users working after office hours.
In this case, the security manager reached an interim compromise by restricting the rights of the login account. Frequently, a business manager requests access that is clearly against security policy. In such cases, the security manager must work with the stakeholders to find a flexible solution that meets the business goals and, where possible, the requirements of policies and regulations. This can be achieved by applying security at different layers and by finding an automated or manual mechanism through which the business acts as a gatekeeper, allowing limited or managed control of the access rights. The details are typically documented in an agreement between the security manager and the business owner, called a statement of control.
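The interim compromise described above (named accounts with restricted rights, time-boxed to the after-hours window, approved by the business owner acting as gatekeeper, and fully attributable in an audit trail) can be expressed as an access-broker policy. The following Python sketch is an added example and is not part of the case study, the referenced article, or any ERP vendor’s tooling; the account names, role names, after-hours window, business-owner address, and ticket identifiers are assumptions chosen for illustration.

```python
"""Toy access broker enforcing a statement of control for after-hours vendor
access to an ERP system.  Added illustration; every identifier below is a
hypothetical example value, not taken from the case study."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Policy parameters assumed for this example.
AFTER_HOURS_START = 18            # after-hours support begins 18:00 local time
AFTER_HOURS_END = 6               # ...and ends 06:00 local time
MAX_WINDOW = timedelta(hours=4)   # longest single grant the business owner may approve
ALLOWED_ROLES = {"erp_support_readonly", "erp_support_limited"}  # never full admin
GENERIC_ACCOUNTS = {"admin", "erpadmin", "support", "vendor", "root", "sa"}
BUSINESS_OWNERS = {"j.owner@example.com"}   # designated gatekeeper(s), assumed


def is_after_hours(t: datetime) -> bool:
    """True if the instant falls inside the agreed after-hours window."""
    return t.hour >= AFTER_HOURS_START or t.hour < AFTER_HOURS_END


@dataclass
class AccessRequest:
    user_id: str        # named individual, e.g. "VENDOR\\a.smith" (never a shared ID)
    role: str           # restricted support role requested
    start: datetime
    end: datetime
    approved_by: str    # business owner who approved this specific window
    ticket: str         # change/incident reference tying the access to a reason


@dataclass
class AccessBroker:
    audit_log: list = field(default_factory=list)
    grants: dict = field(default_factory=dict)   # user_id -> active AccessRequest

    def _log(self, now: datetime, event: str, user_id: str, **details) -> dict:
        entry = {"ts": now.isoformat(), "event": event, "user": user_id, **details}
        self.audit_log.append(entry)
        return entry

    def evaluate(self, req: AccessRequest) -> Optional[str]:
        """Return None if the request complies with the statement of control,
        otherwise a human-readable reason for denial."""
        account = req.user_id.rsplit("\\", 1)[-1].lower()
        # Generic or non-personal accounts cannot be attributed to an individual.
        if account in GENERIC_ACCOUNTS or "." not in account:
            return "account is not attributable to a named individual"
        if req.role not in ALLOWED_ROLES:
            return f"role {req.role!r} exceeds the agreed support rights"
        if req.approved_by not in BUSINESS_OWNERS:
            return "approval must come from the designated business owner"
        if not req.ticket:
            return "a change/incident ticket reference is required"
        if req.end <= req.start or req.end - req.start > MAX_WINDOW:
            return "window must be positive and no longer than the agreed maximum"
        # Both ends of the window must sit inside after-hours (end is exclusive).
        if not (is_after_hours(req.start) and is_after_hours(req.end - timedelta(seconds=1))):
            return "window must fall entirely within after-hours support time"
        return None

    def grant(self, req: AccessRequest, now: datetime) -> bool:
        """Record the gatekeeper decision; only compliant requests become grants."""
        reason = self.evaluate(req)
        if reason:
            self._log(now, "DENIED", req.user_id, role=req.role, ticket=req.ticket, reason=reason)
            return False
        self.grants[req.user_id] = req
        self._log(now, "GRANTED", req.user_id, role=req.role, ticket=req.ticket,
                  approved_by=req.approved_by, until=req.end.isoformat())
        return True

    def authorize(self, user_id: str, action: str, now: datetime) -> bool:
        """Check an individual action against the active grant and audit it."""
        req = self.grants.get(user_id)
        if req is None:
            self._log(now, "REJECTED", user_id, action=action, reason="no active grant")
            return False
        if not (req.start <= now < req.end):
            self.grants.pop(user_id)            # time-box enforced automatically
            self._log(now, "EXPIRED", user_id, action=action, ticket=req.ticket)
            return False
        self._log(now, "ACTION", user_id, role=req.role, action=action, ticket=req.ticket)
        return True


if __name__ == "__main__":
    broker = AccessBroker()
    start = datetime(2024, 3, 4, 20, 0)
    req = AccessRequest("VENDOR\\a.smith", "erp_support_limited", start,
                        start + timedelta(hours=3), "j.owner@example.com", "INC-1042")
    broker.grant(req, datetime(2024, 3, 4, 19, 30))
    broker.authorize("VENDOR\\a.smith", "restart batch job", datetime(2024, 3, 4, 21, 0))
    for entry in broker.audit_log:
        print(entry)
```

Every log entry carries the individual’s identity, the approving business owner, and the ticket, which is what makes the activity auditable; the generic-account and role checks are what the security manager refused to waive, and the time window is what the business owner controls.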
This week’s Discussion centers on granting access to external users such as vendors and suppliers. This is a timely discussion because many companies are reducing support costs by hiring external firms, local and offshore. It is important for the security manager to avoid conflict with the business objectives and yet firmly support security policies that limit external users’ access to the company’s resources. This Discussion also addresses the benefits of standard enterprise security architecture, tools, and processes.
• Given that limited access rights will not satisfy the business owner, suggest a statement of control and describe how the business would manage the after-hours access by an external vendor providing ERP support.
• What would a productive course of action be if the business owner requests access to resources that the security manager will definitely not approve?
• There is a trend to outsource more support services to vendors. How would you suggest raising awareness within the business to encourage more business owners to look at security issues up front, rather than at the end of their contract negotiations when security is considered a roadblock?
• When a large corporation acquires a smaller company or splits into distinct divisions, the corporation can choose centralized infrastructure, services, and policies, or allow each division to have its own policies, standards, and IT infrastructure, and perhaps its own Internet demilitarized zone (DMZ). State whether it is better for a company to maintain centralized IT governance, distribute IT governance, or federate it, and explain why.