Internal Policies and Procedures - Report Example

Summary
This report "Internal Policies and Procedures" reviews the policies and procedures implemented as part of the ERP system to protect the software, hardware, and data of the organization’s information systems. The scope of the report is to review the policies and procedures within the domain of ERP implementation only…

Extract of sample "Internal Policies and Procedures"

Report - Internal Policies and Procedures

The Enterprise Resource Planning (ERP) system at the ceramics manufacturing company was implemented 3 years ago. The purpose of implementing ERP in the organization was to bring all departments onto the same information systems platform, enhance the efficiency of operations, and get a proactive view of any upcoming material shortage along with Management Information Systems (MIS) reports for any process in the organization. The following report reviews the policies and procedures implemented as part of the ERP system to protect the software, hardware, and data of the organization's information systems. The report also suggests enhancements wherever required. The scope of the report is to review the policies and procedures within the domain of the ERP implementation only.

Review of Policy and Procedures on Networking

The ERP platform is designed and implemented to control the majority of the business processes in the company. Users in geographically separated locations, namely 2 factories and 4 sales offices, are connected using remote connectivity. This also enables the users to interact with the system in a secure environment to manage workflows. The company uses leased lines with direct point-to-point (P2P) connectivity for the factory locations. However, as the sales offices are dispersed across 4 diverse locations, the company uses Internet-based connectivity over Virtual Private Networks (VPN) to connect these remote locations to the main server housed in the corporate office. The procedures related to networking are reviewed below, and feedback is provided along with suggestions for improvement.

Network connectivity must be secured

As mentioned above, network connectivity plays an important role in the successful use of the ERP package. To have uninterrupted connectivity, it is important to build a secured network and to ensure that it is well maintained (Kadam Avinash, 2001).

Review of current networking setup

The current networking setup was built when the ERP package was implemented. The network firewall was configured and the anti-virus software was installed at the same time. Since then (3 years ago), no effort has been spent on updating the firewall configuration or the anti-virus software. From the customer privacy perspective, no encryption of customer data is being done, which leaves it open to easy compromise. As the sales locations are using VPN, unencrypted data transfer becomes a sitting duck for hackers who want to steal the customer data for corrupt intentions. In certain areas, it was observed that some users are using the vendor-provided default passwords, and there is no password policy for access to the network.

Information Technology (IT) is a dynamic field. Numerous new viruses, spyware, malware and web crawlers are being written by hackers all over the world with the intention of bringing down the information systems of any organization. Hence, constant upgrading of the IT systems is necessary so that any attack with the potential to bring the business to a halt or compromise customer data can be proactively prevented. During unplanned or planned system shutdowns or network outages, data is transferred by emailing the data packets to update inventory and complete workflows, exposing the organization's data to theft and misuse (Kutzke Todd, 2009). A policy needs to be developed to ensure constant upgrading and regular testing of the network so that the system is not susceptible to any possible attack, and an access control mechanism needs to be developed for access to customer data by internal company employees.

Suggestions for enhancing the current networking setup

Subsequent discussion with the professionals in the IT department has resulted in the following suggestions to continuously improve the current networking setup (Calder, Alan and Jan Van Bon, 2006):

  • Continuously upgrade the networking firewall by tying up with a networking vendor who would ensure that the firewall is always updated with the latest patch.
  • Encrypt all transmission of data across locations. Customer data must take priority in encryption, as it is sensitive and, if compromised, can result in loss of business.
  • A network access password policy needs to be drafted, consisting of guidelines on the password literal and the frequency of change.
  • A user would be required to change the network password every month. If the user does not change it, the system would prompt the user to change the password and would not allow the login if the password is not changed.
  • Vulnerability of the ERP system to external or internal threats through networking must be managed well by using and regularly updating the anti-virus software and ensuring that secure systems and applications are developed.
  • Access control to the customer data should be put in place by assigning a unique ID mapped to each employee having Personal Computer (PC) access.
  • Any kind of physical access to customer data (server room etc.) must be either restricted or completely avoided.
  • All access to the network resources and customer data must be logged, and the log should be monitored regularly, with any breach of security reported immediately.
  • The security systems and the networking process must be tested on a regular basis by simulating external attacks to identify the weak links.
  • Unplanned system shutdowns and networking outages must be minimized, and the process of sending data through email packets must be eliminated. Instead, the system must be manually updated after receiving a written confirmation from the upstream system.
Review of Policy and Procedures on Data Storage

The ERP data is stored in Database2 Universal Database (DB2 UDB), which is a relational database system. The database stores all the transactions in ERP as well as the security and control tables. The data is archived from the DB2 tables to an Oracle system. DB2 holds the live data for daily transactions, while Oracle is designed to store the weekly, monthly and annual data (Improved ISO/IEC 17799 makes information assets even more secure, 2005).

Review of current data storage setup

The current setup suffices for data storage and has good operational handling. On a strategic basis, the system seems to have been designed for the needs of the business 3 years ago and the volume predicted at that time. The business has now grown beyond what was predicted 3 years ago, and the projected growth for the next 5 years looks stronger still. The current setup would not be able to handle the volume of transactions generated by the predicted increase in business. There have been no upgrades to the storage systems, and at the current rate the amount of data in the next 3 years would make the storage unstable.

Another feature reviewed was the way the data is stored in the database. The raw data is stored as it is, without any encryption. Hence, an employee having access to the customer table or the user security table has complete access to the information, as it is stored in character format. The stored data is not masked either, and the credit or debit account details of the customers are available in the customer table. During system shutdowns and outages, there is an existing practice of sending the data packets by email, which may include the credit card numbers of the customers, exposing them to possible theft, as information sent over email is not safe (ISO 270002 Central, 2007).

Suggestions for enhancing the current data storage setup

The data storage setup can be enhanced by making use of the following suggestions:

  • Sensitive customer data must be removed from the system when it is no longer required.
  • When receiving payment from a customer by debit or credit card, the content of the card's magnetic strip and the card validation code (CVV number) must not be stored anywhere.
  • On the ERP front end, i.e. the Graphical User Interface (GUI), the account number of the customer must be masked except for the last four digits.
  • Customer account numbers must be stored securely by encrypting or truncating them.
  • The user security table must be enhanced further to provide case-by-case access to a customer's sensitive information rather than blanket read-only or edit access.
  • The audit trail of all sensitive information access must be logged after the account number of the customer is sanitized.
  • The existing practice of transferring data through email during a system shutdown or network failure must be stopped, as the sales personnel have transmitted customers' credit card information through email, thereby subjecting the customers' data to risk.
  • All changes to the system storage must be planned, regulated and approved by the relevant authorities before implementation (ISO/IEC 17799:2005 Information technology - Security techniques - Code of practice for information security management, 2005).

Review of Policy and Procedures on Hardware

Hardware security is as critical as the security of the software or the network connection. Any mistake in keeping the hardware security up to date can result in physical damage to the drive, virus attacks or the reader devices getting corrupted. The policy and procedures review was done with the objective of identifying the current hardware security practice and improvements, if any.
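The data storage suggestions above (no stored CVV or magnetic-strip content, account numbers masked except for the last four digits, audit entries written only after sanitization) can be sketched as follows. This is an added example, not part of the original report; the field names, the sample record and the use of a Luhn check to spot card numbers in free text are assumptions.

```python
import re

# Assumed field names; the report does not describe the ERP schema.
FORBIDDEN_FIELDS = {"cvv", "track_data"}   # must not be stored or logged at all
ACCOUNT_FIELDS = {"account_number"}        # always masked to the last four digits

# 13 to 19 digits, optionally separated by single spaces or hyphens.
CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def mask_account(number: str, visible: int = 4) -> str:
    """Replace every digit except the last `visible` ones with '*'."""
    digits = re.sub(r"\D", "", number)
    if len(digits) <= visible:
        return "*" * len(digits)
    return "*" * (len(digits) - visible) + digits[-visible:]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to avoid masking order ids and similar numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scrub_text(text: str) -> str:
    """Mask card-like numbers that appear inside free-text fields."""
    def repl(match):
        digits = re.sub(r"\D", "", match.group())
        return mask_account(digits) if luhn_ok(digits) else match.group()
    return CANDIDATE.sub(repl, text)


def sanitize_for_audit(record: dict) -> dict:
    """Return a copy of `record` that is safe to write to the audit trail."""
    clean = {}
    for key, value in record.items():
        if key in FORBIDDEN_FIELDS:
            continue
        if key in ACCOUNT_FIELDS:
            clean[key] = mask_account(str(value))
        elif isinstance(value, str):
            clean[key] = scrub_text(value)
        else:
            clean[key] = value
    return clean


# Constructed sample record (4111111111111111 is a well-known test number).
SAMPLE = {"user_id": "E1042", "account_number": "4111111111111111",
          "cvv": "123", "note": "customer emailed 4111-1111-1111-1111"}

if __name__ == "__main__":
    print(sanitize_for_audit(SAMPLE))
```
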
Review of current hardware setup

In the current setup, the majority of the hardware consists of a Windows-based server, the MS .NET-based client-server ERP system server, Personal Computers for the users of the ERP system, fax machines, printers etc. Though the machines have anti-virus software installed, its virus definitions are not updated on a regular basis. The software development process on the newer Microsoft .NET framework, with a user-friendly Graphical User Interface (GUI) as opposed to the text-based interface of the legacy system, is definitely easier, but the process does not follow industry security practices. Access to the factory is controlled through an access control mechanism, but access to the sales locations is not strictly controlled. It was observed that sales personnel leave their PCs unattended when they step away for a while, leaving the machine open to compromise by any external visitor sitting nearby.

Suggestions for enhancing the current hardware setup

The hardware setup can be enhanced by implementing the following suggestions:

  • The anti-virus software installed on the servers and on the personal computers used by employees must be updated regularly with new virus definitions.
  • Security patches must be installed within a month of their release.
  • The development process on the Microsoft .NET framework must be based on what is followed in the industry, with stress on information security.
  • More than three attempts with a wrong password must lock the user's account to prevent brute force attacks.
  • The sales locations must install access control similar to the factory's to prevent unauthorized access to the facility. A salesperson must accompany customers entering the facility.
  • The PCs used by the employees must have a password-protected screensaver to ensure that the data on the monitor is not visible to any third party.
  • Employees must be trained to lock their PCs even if they are going away only for a while (Improved ISO/IEC 17799 makes information assets even more secure, 2005).

References

Calder, Alan and Jan Van Bon, Implementing Information Security Based on ISO 27001/ISO 17799 (2006), Van Haren Publishing

Fundamental of third-party security Management (2009), [Internet], Available from: <http://msevents.microsoft.com/CUI/WebCastEventDetails.aspxculture=en-US&EventID=1032416152&CountryCode=US>, accessed on 10 Jun 2009

Improved ISO/IEC 17799 makes information assets even more secure (2005), [Internet], Available from: Accessed on 10 Jun 2009.

ISO/IEC 17799:2005 Information technology - Security techniques - Code of practice for information security management (2005), [Internet], Available from: Accessed on 10 Jun 2009

ISO 270002 Central (2007), [Internet], Available from: <http://www.17799central.com/iso17799.htm>, accessed on 10 Jun 2009

Kadam, Avinash, Why Information Security is important for your organization (2001), [Internet], Available from: <http://www.networkmagazineindia.com/200209/security2.shtml>, accessed on 10 Jun 2009

Kutzke, Todd, Rethinking Information Security - Align vs. Govern (2009), [Internet], Available from: <http://blogs.msdn.com/infosec/archive/2009/06/03/rethinking-information-security-align-vs-govern.aspx>, accessed on 10 Jun 2009