How to Perform an Ongoing Security Assessment

The days of ten-character password limits are over, multi-factor authentication is all the rage, and whatever you do, never, ever write your login details on a Post-it. In this era of rampant hacking and trickier-than-ever phishing attempts, businesses can't afford to be caught lacking in the security department. But even if you're up to date on the latest protective tools and password managers, there are bound to be gaps somewhere. That's where an ongoing security assessment comes in.

What Is an Ongoing Security Assessment?  

Most security assessments focus on network or infrastructure security. The same elements apply to your JD Edwards environment, too. A security assessment is simply a repeatable process to identify, assess, and manage the risks in your system, including the ones you don't yet know you have.

So how does it work? Read on to learn how to perform an ongoing security assessment.  

Understand your current security posture 

It's essential to know what security your organization already has in place. That means more than reviewing your application and action security, although that is part of it. Oracle continually introduces new security features for the EnterpriseOne product set, and you want to be sure you're taking advantage of the ones already available to you before making any other adjustments. Two examples:

Long usernames 

Long user IDs let JD Edwards user names match the identities in your directory, which makes single sign-on with Active Directory practical. Once sign-on is delegated to the directory, the directory's own controls (lockout, MFA, conditional access) govern how users log in, and the JD Edwards password stops being a separate secret for an attacker to guess. The caveat: the directory account is now the key to your ERP, so make sure it is protected at least as well as the ERP login was.

Password length  

Passwords can now be up to 40 characters in length. Length is what matters most: a long passphrase resists guessing far better than a short string padded with symbols. Mixing upper- and lowercase letters, numbers, and symbols helps, but don't bolt on rules such as "no repeating characters"; they shrink the space an attacker has to search and push users toward predictable patterns. Screening out known-breached and dictionary passwords and locking accounts after repeated failures do more good.

There are always new features and functionality within the product set. Staying on top of those options and understanding what your organization could be benefiting from beyond standard application and action security is something the security assessment can highlight for you and your team. (Don't forget to attend your user group and Quest conferences, too. Lots of discussions at these events center on fellow users' experiences with and adoption of these new security features.)

Determine whether existing security is effective 

Once you have your baseline established, it’s time to get under the hood and see how everything works together.  

Access controls 

Changing business requirements often necessitate a change in access controls. Roles grow to include unexpected programs, or a UBE is added to a role as a one-off to get past a particular issue and never removed. You need to know which team members have access to what before you can decide how to proceed. Are the existing controls effective, or do you have conflicting settings (a grant in one place, a deny in another) that you constantly have to Band-Aid over to get things working the way you want? Every such patch is a sign the role no longer matches the job, and that gap is where excess privilege, and therefore risk, accumulates.

Response time 

Maybe you've gone from a distributed financials model to a shared services model. Lots of companies are consolidating, pulling financials from varied branches and outposts into a single location. These shifts change the access levels your team needs, and they also change how quickly security has to respond to the business. Measure whether access requests are fulfilled in a timely manner. If they aren't, adjust the roles and the request process so the team can keep doing business without resorting to ad hoc grants.

Manage risks moving forward 

It’s important to validate that any changes you’ve instituted are having the intended effect. You also want to be sure you’re not unintentionally taking away things you want to leave in place for your team.  

Change control 

Having a robust change management and tracking system in place is essential. Customized workflows, like the kind ServiceNow offers, help you keep everything in order. You'll know exactly what is allowed to go into production and when, and you'll have evidence that thorough testing was performed.

Testing changes 

Can you trace every security change in the system back to a change request? Or are there things happening in your system, like one-off adjustments, that no one really knows about? Being aware of the gap between what is expected and what is actually in place is essential.
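The access-control and change-traceability reviews above come down to reconciling three lists: what the system grants today, what the approved role design says it should grant, and which change tickets authorized each grant. The script below is an added example for this article, not ERP Suites' or Oracle's code. It assumes a hypothetical flat export of role-to-object security with the columns role, object, action, granted_on and change_ref (real JD Edwards security tables are laid out differently), and the sample rows and ticket list are constructed for illustration. It reports three kinds of finding: drift from the baseline (the one-off UBE that was never removed), conflicting grant/deny settings on the same object (the Band-Aid case), and grants with no approved change ticket behind them.

```python
"""Reconcile a JD Edwards-style security export against the approved
role design and against approved change tickets.

Added example; not code from the article, ERP Suites or Oracle.
Column layout and all rows are constructed for illustration.
"""
import csv
from io import StringIO

# Constructed sample: what the system grants today (hypothetical export).
CURRENT_EXPORT = """\
role,object,action,granted_on,change_ref
FIN_AP,P0411,RUN,2021-03-01,CHG-1001
FIN_AP,R04570,RUN,2021-03-01,CHG-1001
FIN_AP,R09801,RUN,2022-07-14,
FIN_GL,P0911,RUN,2021-03-01,CHG-1002
FIN_GL,R09801,RUN,2021-03-01,CHG-1002
FIN_GL,R09801,DENY,2023-01-09,CHG-1188
FIN_GL,R0006P,RUN,2022-11-02,CHG-9999
"""

# Constructed sample: the approved role design (hypothetical baseline).
APPROVED_BASELINE = """\
role,object,action
FIN_AP,P0411,RUN
FIN_AP,R04570,RUN
FIN_GL,P0911,RUN
FIN_GL,R09801,RUN
"""

# Constructed sample: change tickets that were approved for production.
CHANGE_TICKETS = {"CHG-1001", "CHG-1002", "CHG-1188"}


def load_rows(csv_text):
    """Parse a CSV export into a list of dict rows."""
    return list(csv.DictReader(StringIO(csv_text)))


def find_drift(current_rows, baseline_rows):
    """Grants present now that are not part of the approved role design."""
    approved = {(r["role"], r["object"], r["action"]) for r in baseline_rows}
    return sorted(
        (r["role"], r["object"], r["action"])
        for r in current_rows
        if (r["role"], r["object"], r["action"]) not in approved
    )


def find_conflicts(current_rows):
    """(role, object) pairs carrying both RUN and DENY: the Band-Aid case."""
    actions = {}
    for r in current_rows:
        actions.setdefault((r["role"], r["object"]), set()).add(r["action"])
    return sorted(key for key, acts in actions.items() if {"RUN", "DENY"} <= acts)


def find_untraceable(current_rows, tickets):
    """Grants whose change_ref is blank or not an approved ticket."""
    return sorted(
        (r["role"], r["object"], r["action"], r["change_ref"] or "<none>")
        for r in current_rows
        if r["change_ref"] not in tickets
    )


def review():
    """Run all three checks and return the findings by category."""
    current = load_rows(CURRENT_EXPORT)
    baseline = load_rows(APPROVED_BASELINE)
    return {
        "drift": find_drift(current, baseline),
        "conflicts": find_conflicts(current),
        "untraceable": find_untraceable(current, CHANGE_TICKETS),
    }


if __name__ == "__main__":
    for category, findings in review().items():
        print(category)
        for finding in findings:
            print("  ", finding)
```

Each finding is something to act on, not just to report: drift with a valid ticket means the baseline document is stale and should be updated; drift with no ticket is an undocumented change to investigate; and a RUN/DENY conflict on the same object means the role should be redesigned rather than patched again. Run the reconciliation on a schedule, not once, so the report shows what changed since the last assessment.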

Unnecessary layers 

While adding security controls and upgrading functionality are important, removing controls can be just as necessary to keep your company running at optimum efficiency. Unnecessary security layers are harmful in three ways: a) they don't address the real risks to your organization, b) they therefore cost you time and effort for no reduction in risk, and c) they are ultimately unsustainable because of their impracticality, which means people work around them.

It's also possible that these extraneous layers have been superseded by new functionality. In that case, better, more efficient solutions are available to achieve the same results.

JD Edwards Security Adoption  

ERP Suites applies a mature security approach by way of a proven methodology. We don't work in a vacuum: security is a business issue with a technical solution, and you can't achieve it by excluding either side.

An effective security project needs to involve the whole team, and our team is ready to help yours succeed. Reach out to us for the tools you’ll need to automate the testing and change controls to manage your risks.   

Watch the full webinar here: https://learn.erpsuites.com/jde-security-assessment-video-allout