How do you make sure your ERP solution can stand up to today's data security threats: hacking, espionage, and breaches? There is no one-size-fits-all plan, but executives and IT professionals should build and maintain a strong data security posture, together with the controls offered by your cloud and other solution providers, whether the data is hosted with a provider or on premises. These eight keys can help you protect your organization from a data breach.
Classification of Critical Assets
Remember the Target breach and the headlines that followed? In that case the attackers got into Target's network with login credentials stolen from an HVAC contractor, and because the vendor-facing systems were not adequately segmented from the payment environment, that foothold was enough to reach the point-of-sale systems and the card data they handled. The first step of any data security plan should therefore be a review of data, systems and cyber assets that classifies them by risk, sensitivity, and compliance requirements. Once systems and data are classified, an organization can plan how to protect each class, where it may be stored, and from where it may be accessed; the classification should also drive network segmentation, so that a compromised low-impact system cannot reach a high-impact one. Public cloud solutions, like Microsoft Azure, are well suited to low or medium business impact data or systems, but as Concerto VP Greg Pierce points out in his article, performance and security are stronger for ERP in a single-tenant private cloud that doesn't share servers with other organizations or with applications of a different classification. Connecting these environments in a hybrid cloud approach helps save cost while keeping the security controls appropriate to each classification.
Physical Security
If someone has physical access to your servers, it is no longer your data. Physical security controls range from fencing and gates to exterior lighting, closed-circuit television (CCTV) and electronic access controls. Environments holding extremely sensitive or regulated data often add on-site security guards or law enforcement support. Organizations should consider a badging system that visibly identifies employees, contractors, and visitors. When evaluating a cloud provider, apply the same standards to its service professionals and its data centers; an independent audit report (for example a SOC 2 report) is the usual way to verify these controls without visiting the facility.
Incident Classification, Reporting and Response
System alert logs can run to pages of varied information. Security depends on accurately identifying, classifying, and reporting a security incident, and on how quickly you respond to it. Beyond industry regulations that may require disclosure, customers should be notified promptly when their personally identifiable information has been compromised. When working with a cloud provider, ask how it classifies security incidents, how quickly it commits to notifying you, and what protocols it has in place to protect your organization.
Change Management and System Hardening
Security testing should confirm that new systems, and changes to existing ones, do not weaken the security posture. When deploying a system, expose or enable only the ports required by the specific applications and services it will run, and bind services that only need local access to the loopback interface rather than to all addresses. Keep these systems current with security patches, applied through the organization's standard change management procedures so that each change is tested and recorded.
Emergency Operations and Disaster Recovery
In an emergency it may be necessary to temporarily suspend parts of your cyber security policy. The priorities in an emergency are the safety and protection of people first, and the protection and security of the organization's physical and cyber assets second. A good plan defines what happens after the emergency, including how any suspended controls are restored, and is backed by system documentation. One advantage of hosting your ERP or other business-critical applications in the cloud is disaster recovery and disaster prevention. A disaster prevention model goes beyond baseline industry standards with fully redundant systems, routine testing, data snapshots and automatic failover when problems arise, so that a component failure does not turn into a system disaster.
Documentation
Documentation is the least favorite task for most people. Completing it, however, is a critical component of an organizational security plan. Documentation should be maintained following the organization's existing practices or in accordance with any industry regulations. In addition, your cloud solution provider should be able to produce documentation that supplements your plan, covering the parts of the environment it operates on your behalf.
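The port-exposure rule in the change management section is easy to state and easy to drift from, so the following added example (not code from the original article or from any vendor) turns it into a check that can run after every deployment. It parses listener output in the shape of Linux `ss -tulnp`, compares it with a per-role allowlist, and reports anything not on the list or bound wider than allowed. The sample output and the "erp-web" allowlist are constructed for the demonstration.

```python
"""Post-deployment exposure check: compare the ports a host actually listens
on with the allowlist for its role and report anything unexpected.

Example code added for illustration; the `ss` output and the role allowlist
below are constructed, not taken from any real system."""
import re
from dataclasses import dataclass

# Constructed sample in the shape of `ss -tulnp` output from an ERP web host.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511    0.0.0.0:443        0.0.0.0:*         users:(("nginx",pid=1040,fd=6))
tcp   LISTEN 0      128    127.0.0.1:5432     0.0.0.0:*         users:(("postgres",pid=990,fd=5))
tcp   LISTEN 0      128    0.0.0.0:5432       0.0.0.0:*         users:(("postgres",pid=990,fd=7))
tcp   LISTEN 0      128    0.0.0.0:8080       0.0.0.0:*         users:(("java",pid=1203,fd=21))
udp   UNCONN 0      0      0.0.0.0:161        0.0.0.0:*         users:(("snmpd",pid=700,fd=9))
"""

# Hypothetical allowlist for the "erp-web" role.  "any" means the service is
# meant to be reachable over the network; "local" means it must bind only to
# the loopback interface.  Anything not listed is not supposed to be running.
ROLE_ALLOWLIST = {
    "erp-web": {
        ("tcp", 22): "any",
        ("tcp", 443): "any",
        ("tcp", 5432): "local",
    },
}


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    process: str


# proto, state, recv-q, send-q, local addr:port, peer addr:port, process info
LINE_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s*(?P<rest>.*)$"
)
PROC_RE = re.compile(r'\("(?P<name>[^"]+)"')


def parse_listeners(ss_output):
    """Turn `ss -tulnp` style lines into Listener records, skipping the header."""
    listeners = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pm = PROC_RE.search(m.group("rest"))
        listeners.append(Listener(
            proto=m.group("proto"),
            addr=m.group("addr"),
            port=int(m.group("port")),
            process=pm.group("name") if pm else "unknown",
        ))
    return listeners


def is_loopback(addr):
    return addr in ("127.0.0.1", "::1", "[::1]")


def check_exposure(listeners, allowlist):
    """Return one finding string per listener that violates the allowlist."""
    findings = []
    for lst in listeners:
        rule = allowlist.get((lst.proto, lst.port))
        if rule is None:
            findings.append(f"unexpected listener {lst.proto}/{lst.port} ({lst.process}) on {lst.addr}")
        elif rule == "local" and not is_loopback(lst.addr):
            findings.append(f"{lst.proto}/{lst.port} ({lst.process}) must be loopback-only but binds {lst.addr}")
    return findings


if __name__ == "__main__":
    for finding in check_exposure(parse_listeners(SAMPLE_SS_OUTPUT), ROLE_ALLOWLIST["erp-web"]):
        print("FAIL:", finding)
```

On the constructed sample the check reports three problems: PostgreSQL bound to all interfaces as well as to loopback, an unlisted Java service on 8080, and SNMP on UDP 161. Wiring a check like this into the deployment pipeline, with the allowlist kept under change control, makes an unauthorized open port a failed change rather than a surprise in the next penetration test.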
Maintenance and Regular System Testing
Has your organization tested its entire emergency plan? Regular testing of your systems, including restoring from backups rather than merely confirming that backup jobs completed, will ensure that they are ready should something occur. Maintenance requirements should be tracked and logged so that maintenance isn't deferred unintentionally. It's also important to test your systems against attack: vulnerability assessments and penetration tests give an objective view of your attackable surface.
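"Test your backups" means proving a restore, not checking that a job finished. The following added example (not code from the original article) backs up a directory, restores the archive into a scratch location, and compares every restored file against a hash manifest taken at backup time; it also shows the failure mode the test is for, an archive that silently lost a file. The source files are constructed for the demonstration, and the path check in `safe_members` is there because a restore routine that extracts untrusted archives must refuse members that would write outside the restore directory.

```python
"""Restore test for a backup: back up a directory, restore the archive into a
scratch location, and prove every restored file matches the original byte for
byte.  A backup that has never been restored is an assumption, not a backup.

Example code added for illustration; the source files are constructed."""
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path


def file_hashes(root):
    """Map each file's path (relative to root, POSIX style) to its SHA-256."""
    hashes = {}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            hashes[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return hashes


def create_backup(source, archive):
    """Write a gzip-compressed tar of `source` and return the manifest
    (relative path -> sha256) that any restore must reproduce."""
    with tarfile.open(archive, "w:gz") as tf:
        tf.add(source, arcname=".")
    return file_hashes(source)


def safe_members(tf, dest):
    """Yield only members that extract inside `dest`; a crafted archive can
    otherwise write outside the restore directory via '..' or absolute names."""
    dest_real = os.path.realpath(dest)
    for member in tf.getmembers():
        target = os.path.realpath(os.path.join(dest_real, member.name))
        if target == dest_real or target.startswith(dest_real + os.sep):
            yield member


def restore_test(archive, manifest):
    """Restore `archive` into a temporary directory and compare the result with
    `manifest`.  Returns a list of discrepancies; an empty list means the
    backup has been proven restorable."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tf:
                # On Python 3.12+ also pass filter="data" for the stdlib's own checks.
                tf.extractall(scratch, members=list(safe_members(tf, scratch)))
        except (tarfile.TarError, EOFError, OSError) as exc:
            return [f"archive unreadable: {exc}"]
        restored = file_hashes(scratch)
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(f"missing after restore: {rel}")
        elif restored[rel] != digest:
            problems.append(f"content mismatch after restore: {rel}")
    for rel in restored:
        if rel not in manifest:
            problems.append(f"unexpected file after restore: {rel}")
    return problems


def run_demo():
    """Back up a constructed ERP data tree, then run the restore test against
    a complete archive and against one taken after a file went missing, the
    way a misconfigured backup job silently drops a path."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "erp-data"
        (src / "ledger").mkdir(parents=True)
        (src / "ledger" / "2024-q1.csv").write_text("account,amount\n1000,42.00\n")
        (src / "config.ini").write_text("[db]\nhost=localhost\n")

        manifest = create_backup(src, work / "full.tar.gz")
        good = restore_test(work / "full.tar.gz", manifest)

        (src / "ledger" / "2024-q1.csv").unlink()
        create_backup(src, work / "partial.tar.gz")
        bad = restore_test(work / "partial.tar.gz", manifest)
        return good, bad


if __name__ == "__main__":
    good, bad = run_demo()
    print("complete archive:", good or "restore verified")
    print("partial archive: ", bad)
```

The manifest is the important artifact: store it with the backup catalog, and the periodic restore test becomes a comparison against what the data looked like when it was protected, not against whatever happens to be in the archive now.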
Sabotage Recognition and Reporting
Several warning signs may indicate that a saboteur is attempting to exploit your organization, and they should be monitored for. These include:
A large volume of unauthorized access attempts to a critical facility
Intelligence gathering - unauthorized people requesting information about operations, software, telecommunications, etc.
Unauthorized physical surveillance
Internal verbal or written threats to security, software, operations, or facilities by any person not directly associated with the organization
Repeated minor acts of vandalism
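The first indicator in this list, a large volume of unauthorized access attempts, is one that access-control logs can surface automatically. The following added example (not code from the original article or any product) parses constructed badge-reader log lines and raises an alert for any badge that accumulates a threshold number of DENIED events within a sliding time window, which separates a probing pattern (many denials in minutes) from the occasional denial of a legitimate employee at the wrong door. The log format, badge numbers and door names are all assumptions for the demonstration.

```python
"""Detect a burst of unauthorized access attempts from access-control log
lines: flag any badge that accumulates `threshold` DENIED events inside a
sliding window of `window_minutes`.

Example code added for illustration; the log format and the sample lines are
constructed, not taken from any real product."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed badge-reader log: ISO timestamp followed by key=value pairs.
SAMPLE_LOG = """\
2024-03-04T02:11:05Z badge=44812 door=DC-EAST result=DENIED reason=no-access-level
2024-03-04T02:11:19Z badge=44812 door=DC-EAST result=DENIED reason=no-access-level
2024-03-04T02:11:41Z badge=44812 door=DC-WEST result=DENIED reason=no-access-level
2024-03-04T02:12:02Z badge=44812 door=DC-WEST result=DENIED reason=no-access-level
2024-03-04T02:12:30Z badge=44812 door=DC-EAST result=DENIED reason=no-access-level
2024-03-04T02:13:00Z badge=10231 door=LOBBY result=GRANTED
2024-03-04T07:45:10Z badge=10231 door=DC-EAST result=DENIED reason=no-access-level
2024-03-04T11:02:44Z badge=10231 door=DC-EAST result=DENIED reason=no-access-level
2024-03-04T15:30:00Z badge=10231 door=DC-EAST result=DENIED reason=expired
"""


def parse_event(line):
    """Parse one log line into a dict with a datetime under 'ts'; None if malformed."""
    parts = line.split()
    if not parts:
        return None
    try:
        event = {"ts": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")}
    except ValueError:
        return None
    for kv in parts[1:]:
        key, sep, value = kv.partition("=")
        if sep:
            event[key] = value
    return event


def detect_access_bursts(lines, threshold=5, window_minutes=10):
    """Return one alert per badge whose DENIED count reaches `threshold` within
    any `window_minutes` span.  Events are sorted first, so lines arriving
    out of order from several readers are handled correctly."""
    window = timedelta(minutes=window_minutes)
    events = [e for e in (parse_event(ln) for ln in lines) if e and e.get("result") == "DENIED"]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)   # badge -> timestamps of denials still inside the window
    doors = defaultdict(set)      # badge -> every door it has been denied at
    alerts, alerted = [], set()
    for e in events:
        badge = e.get("badge", "?")
        q = recent[badge]
        q.append(e["ts"])
        doors[badge].add(e.get("door", "?"))
        while q and e["ts"] - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold and badge not in alerted:
            alerted.add(badge)                  # one alert per badge, not per event
            alerts.append({
                "badge": badge,
                "count": len(q),
                "first": q[0],
                "last": e["ts"],
                "doors": sorted(doors[badge]),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_access_bursts(SAMPLE_LOG.splitlines()):
        print(f"ALERT badge {alert['badge']}: {alert['count']} denials between "
              f"{alert['first']:%H:%M:%S} and {alert['last']:%H:%M:%S} at {', '.join(alert['doors'])}")
```

With the defaults, badge 44812 (five denials at two data center doors in under two minutes) is flagged and badge 10231 (three denials spread over a working day) is not; lowering the threshold or widening the window trades that precision for sensitivity, which is a tuning decision the security operations team should make deliberately and document. The same structure works for VPN or application login failures keyed by account or source address.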
While these eight areas represent key components of a security policy, a true security policy is a holistic approach, mindset, and set of routines that work together to protect an organization. Moreover, with data potentially spread among applications in various clouds and providers, it's important to understand cloud types as part of the planning process. For more information on understanding cloud environments, check out the whitepaper "Some Clouds are Meant to be Private."