Why Review Your ERP System Access Strategy
Author: Rob Bradsell, Principal Consultant
Published: 27th January 2022
Data security has always been a hot topic, with many companies adopting the latest strategies and technology to keep their data safe from third parties. However, many fail to notice that while they may be doing a great job of protecting their data from external threats, they often slip up when protecting their data internally.
“Data security is the practice of protecting digital information from unauthorized access, corruption, or theft throughout its entire lifecycle.” – What Is Data Security, IBM
Protecting your data internally also includes controlling your ERP, ensuring that users have the correct access to the data they need at the time they need it. Whilst it may sound simple enough, many companies have limited, or sometimes no controls in place to ensure the appropriate security levels are adhered to.
We have seen many companies fail to get their user access strategy right, with previous customer reviews showing many users having a much greater level of freedom in the system and to the data than needed. We have even seen companies that allow everyone into payroll and payroll data including employees’ salaries and benefits. You can imagine the issues that may arise from that situation.
Some of the Root Causes
So, how does this situation occur? It can be for a number of reasons, but most commonly we find that it’s due to companies copying user roles from one user to another without realising, or properly understanding, the level of access the original user had. Sometimes we find that the security levels within the ERP system are misunderstood by those with administrator rights, or we find problems resulting from a combination of these scenarios.
To prevent staff from accessing data they shouldn’t, companies need to have a strategy in place that enables tighter and stricter controls around the access that their users have.
ERP Access Strategies
What strategies should your Company consider implementing in order to get your ERP Access Strategy right?
Decide what data is confidential.
What is deemed to be confidential data and who within the company is to have access to this data? This could include payroll sensitive data, company bank accounts, Gross and Net Profit %, financial information such as Profit & Loss and Balance Sheet Reporting.
Define roles and responsibilities.
Clearly outline each role within the company and what security levels that role is required to have. This includes looking at whether that role is to have access to Enquiry, Maintenance and Reporting capabilities in the various modules.
Set up company roles and access levels within the ERP system.
Once the roles within the company have clearly been defined, set up the access levels in the ERP system to mirror these responsibilities. These levels should then be tested and reviewed before rolling them out to the user.
Perform regular system audits.
Conducting regular checks of user access levels to identify who is accessing what information is critical to ensuring the integrity of the system. These regular audits should confirm that each user is assigned the correct role. This is most important when an employee has had a role change and/or new roles have been added to the user.
Alert notifications can also be utilised in certain circumstances. For example, they could be set to send emails to appropriate people showing who has accessed certain data, or to identify that data has been changed, e.g. banking details for suppliers, employees etc. There should be a written policy in place advising that company data is to be treated with the greatest degree of confidentiality.
Ensure that employees who have left the company are made inactive so that they can no longer log into the system and access data. This should be part of the employee offboarding process and should be signed off by the Department Manager and IT team.
Carefully define new user privileges.
Similar to the offboarding process, the onboarding process should include access rights and privileges for the new user being agreed upon and signed off by the Department Manager and IT team.
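The steps above (defining roles, mirroring them in the ERP, auditing users against them, alerting on changes to sensitive fields, and deactivating leavers) can be turned into a repeatable access review. The script below is an added illustration written for this article, not code from Scope Systems or from any ERP product. It assumes user, role and audit-log data has been exported from the ERP as plain records; the role catalogue, user list, HR leaver list and audit-log entries shown are constructed sample data, and the capability names Enquiry, Maintenance and Reporting follow the article.

```python
"""Periodic ERP access review (added example; assumes data exported from the ERP)."""
from dataclasses import dataclass

# Role catalogue agreed by the business: module -> capabilities the role may hold.
# Constructed sample roles; a real catalogue comes from the roles-and-responsibilities step.
ROLE_CATALOGUE = {
    "AP Clerk": {"Purchasing": {"Enquiry", "Maintenance"}, "Suppliers": {"Enquiry"}},
    "Payroll Officer": {"Payroll": {"Enquiry", "Maintenance", "Reporting"}},
    "Finance Manager": {"GL": {"Enquiry", "Reporting"}, "Payroll": {"Reporting"}},
}

# Modules the company has classed as confidential (step 1 of the strategy).
CONFIDENTIAL_MODULES = {"Payroll", "GL", "Suppliers"}

# Fields whose change should trigger an alert e-mail (banking details etc.).
WATCHED_FIELDS = ("supplier_bank_account", "employee_bank_account")


@dataclass
class ErpUser:
    username: str
    role: str
    active: bool
    granted: dict  # module -> set of capabilities actually granted in the ERP


# Constructed sample export. bjones was set up by copying a payroll officer's
# profile, the failure mode the article describes; dleft has left the company.
SAMPLE_USERS = [
    ErpUser("asmith", "AP Clerk", True,
            {"Purchasing": {"Enquiry", "Maintenance"}, "Suppliers": {"Enquiry"}}),
    ErpUser("bjones", "AP Clerk", True,
            {"Purchasing": {"Enquiry"}, "Payroll": {"Enquiry", "Reporting"}}),
    ErpUser("cdoe", "Payroll Officer", True,
            {"Payroll": {"Enquiry", "Maintenance", "Reporting"}}),
    ErpUser("dleft", "Finance Manager", True, {"GL": {"Enquiry", "Reporting"}}),
]
HR_LEAVERS = {"dleft"}  # constructed: usernames HR reports as having left
SAMPLE_AUDIT_LOG = [  # constructed audit-log export
    {"user": "asmith", "field": "supplier_bank_account",
     "old": "12-34-56 00011122", "new": "12-34-56 99988877"},
    {"user": "cdoe", "field": "employee_address", "old": "1 High St", "new": "2 High St"},
    {"user": "bjones", "field": "employee_bank_account", "old": "same", "new": "same"},
]


def excess_access(user):
    """Return {module: capabilities} the user holds beyond what their role allows."""
    allowed = ROLE_CATALOGUE.get(user.role, {})
    excess = {}
    for module, caps in user.granted.items():
        extra = caps - allowed.get(module, set())
        if extra:
            excess[module] = extra
    return excess


def leavers_still_active(users, leavers):
    """Usernames on the HR leaver list whose ERP account has not been deactivated."""
    return sorted(u.username for u in users if u.active and u.username in leavers)


def sensitive_changes(audit_log, watched=WATCHED_FIELDS):
    """Audit entries that actually changed a watched field (no-op writes are ignored)."""
    return [e for e in audit_log if e["field"] in watched and e["old"] != e["new"]]


def run_review(users=SAMPLE_USERS, leavers=HR_LEAVERS, audit_log=SAMPLE_AUDIT_LOG):
    """Produce (severity, message) findings for the Department Manager and IT team."""
    findings = []
    for u in users:
        for module, caps in excess_access(u).items():
            sev = "HIGH" if module in CONFIDENTIAL_MODULES else "MEDIUM"
            findings.append((sev, f"{u.username} ({u.role}) holds {sorted(caps)} "
                                  f"in {module} beyond their role"))
    for name in leavers_still_active(users, leavers):
        findings.append(("HIGH", f"{name} is on the leaver list but still active"))
    for e in sensitive_changes(audit_log):
        findings.append(("ALERT", f"{e['user']} changed {e['field']}: "
                                  f"{e['old']} -> {e['new']}"))
    return findings


if __name__ == "__main__":
    for severity, message in run_review():
        print(f"[{severity}] {message}")
```

Running the script on the sample data reports bjones's out-of-role payroll access as HIGH because Payroll is a confidential module, flags dleft as an active leaver, and raises one alert for the supplier bank account change while ignoring the write that left the value unchanged. Feeding it a real export on a schedule gives the regular audit the article recommends, with the role catalogue serving as the single definition that both the ERP setup and the review are checked against.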
How is your Company Handling ERP Access?
Having an ERP Access Strategy is vital for your Company to keep on top of who is in your ERP system and what security level they have. While conducting an internal review of your ERP system’s user access can be a lengthy process, establishing appropriate procedures and regular system audits is important in keeping confidential data safe.
If you need guidance in keeping your data safe we are here to help. Get in touch with Scope Systems and we can work together to develop and implement an effective ERP User Access Strategy.