Global, Ethics AND Security Management

The document discusses various topics related to global ethics and security management. It covers outsourcing, offshoring, software as a service (SaaS), ethics frameworks, legal issues, software licensing, and security management. On outsourcing, it defines the term and discusses benefits and limitations. Offshoring is defined and arguments for and risks are presented. SaaS advantages and disadvantages are outlined. The document also discusses ethics frameworks involving privacy, accuracy, property and accessibility. Legal issues and software licensing in relation to ERP implementations are covered at a high level. Security management frameworks and measures are briefly introduced.

Uploaded by Eremu Thomas
Copyright: © All Rights Reserved

GLOBAL, ETHICS AND SECURITY MANAGEMENT
Group Five
• ADRIKO DEBO JOEL 2015/U/ISM/001/G
• ENZEBO EMMANUEL 2015/U/ISM/048/G
• ECONIA RACHEAL 2015/U/ISM/005/G
• KICONCO RACHEAL 2015/U/ISM/011/G
• KYANIKA JAMES 2015/U/ISM/017/G
• OREE DENISH 2015/U/ISM/045/G
• EREMU THOMAS 2015/U/ISM/049/P
Learning objectives
• Global
o Outsourcing
o Offshoring
o SaaS
• Ethics
o Framework
o Legal issues
o Software licensing
• Security management
o Frameworks
o Measures
o Disaster recovery and BCP
Outsourcing

Definition
Outsourcing is when a company decides to subcontract its business
processes or functions to another company.
Components of ERP outsourcing
Application hosting
Application management
Helpdesk outsourcing
Outsourcing relationship
Benefits of outsourcing
 Cost effective
 Market Agility
 Breadth of Skills
 Technical Expertise
 Multiple Feedback Points
 Best Practices
 Scalability
 Process-oriented
 Solution-centric
Limitations of outsourcing
 Lack of Expertise
 Misaligned Expectations
 Culture Clash
 Hidden Costs
 Loss of Vision
 Security and Control
Offshoring
Definition
 Offshoring is when a company selects an outsourcing partner from another
country.
 Offshore partners are often selected from developing countries
to lower labor costs.
Argument for
 improve quality,
 reduce costs, and
 speed delivery
Therefore, the key advantages are
 access to some of the world's most dynamic growth markets
and
 immense pools of low-cost resources, be they production
workers, engineers, land, petroleum, or iron ore.
Potential risks of global offshoring
 differences in language and culture.
 importance of adhering to the highest of ethical standards
Software as a service
 In this model, the cloud provides the user with access to already
developed applications that are running in the cloud.
 Cloud clients and cloud users do not manage the
infrastructure where the application resides.
Advantages of SaaS
 It is cheap
 Less hardware required with SaaS
 Increased availability and data security
 Little Maintenance Required with SaaS
Disadvantages of SaaS
 Security Issue
 Latency Issue
 Switching between SaaS vendors is difficult
 Fixed function
 Total Dependency on Internet
ETHICS
Introduction
Ethics is the philosophical reflection upon the morality and ways
of living together, the customs and habits of individuals, groups
or mankind as such. (UNESCO, 2005)
Two forces endanger privacy in the information age:
 Growth of information technology.
 Increased value of information in decision making.
Ethical principles/Framework
Information technology can impact ethics in four ways, which
can be summarized by means of an acronym, PAPA, that stands
for:
 Privacy,
 Accuracy,
 Property, and
 Accessibility.
Privacy
 Privacy is concerned with how personal information is
safeguarded in the system.
 Any organization that collects personal information must
follow a process on how this information is collected, used, and
shared.
 This process is influenced by laws of the land and ethics.
Information systems in general provide easy mechanisms to
collect, use, and share this data without any knowledge of the
information owner.
 Temptations exist in a competitive market for organizations to
use information systems such as ERP to violate individual
privacy rights for marketing, or to accidentally release this
information to third parties that do not have the right to it.

 Other problems are hacking, snooping, and virus attacks on the
system, which also violate the privacy rights of individuals.
 The biggest threat to privacy from ERP systems is from data-mining
activities.
 ERP systems simplify the process of collecting, sorting, filing,
and sharing information on customers with external
organizations.
Accuracy
 The accuracy principle of ethics requires organizations that collect
and store data on consumers to have a responsibility in ensuring
the accuracy of this data.
 Its major concern is to protect an individual or consumer from
negligent errors and to prevent intentional manipulation of data by
organizations for their advantage.
 With the amount of data that is being collected today and the
integration of data from multiple sources, there is a great possibility
of this data being corrupted.
 There need to be policies and mechanisms to prevent and correct
these errors.
Property
 The property principle of ethics makes organizations realize that
they are not the ultimate owners of the information collected on
individuals.
 Consumers give organizations their information on a condition
that they will be guardians of this property and will
use it according to the permission granted to them.
 Organizations do not have a right to share information collected
without getting explicit permission from the user.
ERP systems can be a double-edged sword when it comes to
information property rights.
 On the bad side, ERP systems facilitate the process of sharing
information easily by integrating information within the
organization and across organizations. If implemented without
proper controls, ERP can make it hard to safeguard
information.
 On the good side, ERP systems can enforce corporate policy
on data sharing consistently and embed best practices that can
highlight the property rights issue in an organization.
Accessibility
 The accessibility principle of ethics forces organizations to have
proper controls for authorization and authentication. ERP
implementation teams must ensure that information stored in
the databases about employees, customers, and other partners
is accessible only to those who have the right to see and use
this information.
 Adequate security and controls must be in place within the
ERP system to prevent unauthorized access.
Three normative theories of ethical behavior can be used
by organizations to influence the ERP implementation:

Stockholder Theory
 Protects the interest of the investors or owners of the company
at all costs. This is the ultimate implementation of the free
market concept, where the responsibility of management is to
maximize profits with legal and nonfraudulent methods.
Stakeholder Theory.
 Protects the interests of everyone having a stake in the
company's success; namely, owners and stockholders, employees,
customers, vendors, and other partners.
 Management using this theory has to balance the interest of
these various groups while making organizational decisions.

Social Contract Theory.
 Includes the right of society and social well-being before the
interest of the stakeholders or company owners.
 Management using this theory must think of the well-being of
society first (e.g., protecting the environment or helping
socially challenged individuals) before thinking about profits of
the organization.
Code of Ethics for ERP
Example of code of ethics for ERP implementation policy
 Protect the interest of its customers.
 Privacy decisions are made free of owner's influence.
 We insist on fair, unbiased access of all information.
 No advertising that simulates editorial content will be published.
 Monitoring fellow employees is grounds for dismissal.
 Company makes prompt, complete corrections of errors.
 Implementation team members do not own or trade stocks of
ERP vendors.
 No secondary employment in the ERP industry is permitted
 Our commitment to fairness is our defense against consumer
rights.
 All comments inserted by the employees will be clearly
labeled as such. CIO will monitor legal and liabilities issues
with the ERP system.
 Company attorneys regularly review our ERP system policy to
make sure that there is nothing unethical or illegal in the
implementation process.
Jay Cline's seven global privacy principles that can improve
the global privacy climate:
 Give notice to consumers before collecting data.
 Collect only relevant consumer data and retain it only as long as
needed.
 Provide access for consumers to correct data for accuracy.
 Protect data with firewalls to prevent unauthorized access.
 Give consumers a choice about sharing their data with third
parties.
 Give consumers a choice on whether marketers may contact
them.
 Every organization should have an officer enforcing
compliance with the privacy principles.
Legal issues
 Even though legal issues may not seem very important in the
grand plan to implement an ERP system, there are a number
of legal considerations that must be addressed to safeguard the
company from risk.
 Legal issues can arise at any time before, during, and after an
ERP implementation.
 It is important for the project team, especially the PMO, to
address as many legal possibilities up front as possible to ensure that the
company is safeguarded down the road.
Software licensing
 The negotiation of the software contract and assurances of
performance in the software are needed.
 This will safeguard the company's investment in the event the
software company is purchased by another company or goes
out of business.
Security Management
Introduction
Information is one of the most important assets of any organisation, so it
should be appropriately protected.
Information security combines systems, operations and internal controls to
ensure the integrity and confidentiality of data and operation procedures in an
organisation. (Marnewick, C. & Labuschagne, L., 2016)
Enterprise resource planning (ERP) system security must be governed by
the same principles as conventional information security.
• An ERP system controls all the business-related information of
an organisation as well as information relating to customers and
suppliers.

THE GENERIC SECURITY FRAMEWORK
The framework is divided into three components:
 people,
 technology and
 policy.
All are interdependent: any change to one of these components
will affect the other two.
People Component
The people component is divided into two groups.
 The first group comprises people who put security in place and
support the process.
A few key roles include senior management, security
administrators, IT administrators and auditors.

 The second group is the actual users of the systems. They must be
aware of the reasons why security is in place as well as the
consequences if they breach the security.
According to Martins, the people component
can be divided into nine aspects:
Policy and procedures
Benchmarking
Risk analysis
Budget
Management
Trust
Awareness
Ethical conduct
Change

Policy and procedures
 The information security policy dictates employee behavior and
states what is expected of employees, which in time becomes
part of the information security culture.

Benchmarking
 Guidelines on information security processes can be promoted
in the organisation through benchmarking.
 This will enable the organisation to compare itself to other similar
organisations and to international standards.

Risk analysis
 Through risk analysis, threats to organisational assets and security
measures can be identified to develop the information security
policy.

Budget
 A financial plan is necessary to implement the issues concerning
an information security culture.
 For instance, employees need training, technical controls need
to be implemented and teams need to be enabled to assess the
security of the network.

Management
 Management is responsible for information security.
Management develops an organisation’s vision and strategy,
which are required to protect information assets and which are
implemented in the organisation.
Trust
 Information security is important in instilling trust in an IT
environment.
 It is easier to implement new procedures and guide employees
through changes of behaviour regarding information security if
management and employees trust one another.

Awareness
 Since the effectiveness of information security controls depends
on the people who are implementing and using them,
employees need to be enabled through awareness and training to
behave according to what is expected of them to ensure the
security of information assets.

Ethical conduct
 Good practices form part of the culture established throughout
the organisation.
 Employees need to incorporate ethical conduct or behaviour
relating to information security as part of their everyday life in
the organisation.
Change
 Technology changes involve challenges to ensure secure
communication and secure use.
 These changes need to be managed and accepted positively in the
organisation.
 Implementing an information security policy could also mean that
employees need to change their working practices to ensure the
effective implementation of information security.
NB: These nine aspects form the basis of the people component and
are comprehensive enough to address all people-related issues within
an ERP system.
Policy Component
Various methods are available to an organisation to make
information security part of corporate governance, such as
international standards that include:
 CobiT,
 ITIL and
 ISO 17799.
CobiT
 CobiT is an IT governance control framework and maturity
model that ensures that IT resources are aligned with the
organizational vision and strategies.
 CobiT does not, however, include control guidelines or
practices, which are the next level of detail, nor the process steps
and tasks, because it is a control framework rather than a
process framework.
 CobiT focuses on what organisations need to do, not how to do
it.
ITIL
 ITIL describes and defines key processes such as problem,
change and configuration management. It also provides a
framework for managing the processes.
 By forcing a focus on aligning and defining a specific
process, the IT department can identify opportunities for
improvements in efficiency, which can result in an improved
ability to manage service delivery and support.
ISO 17799
 ISO 17799 is a de facto international standard that provides guidelines and
recommendations for security management.
 ISO 17799 is divided into 10 modules that are used to
implement security.
Technology Component
The technology component of information security can be broken
down into five pillars:
1. Identification and authentication
2. Authorization
3. Confidentiality
4. Integrity
5. Non-repudiation
Technology Component
1. Identification and authentication
The first responsibility of information security within an ERP
system is to ensure that the ERP system is only accessed by
legitimate, authorized users.
2. Authorization
One of the most critical aspects to consider within ERP security is
to restrict the access rights and actions of the users within the
ERP system.
 The access rights of a user are controlled by the authority
assigned to the user ID.
Confidentiality
 Protecting the confidentiality of data implies the assurance
that only authorized people are able to view specific data sets.
Integrity
 Integrity means that only authorized users can modify the data
of the ERP system.
 Modification refers to the update, deletion and creation of data
within the ERP system.
Non-repudiation
 The organization ensures that a transaction that is done is
legitimate and can be proven as such in case of a query or
dispute.
 Organizations can make use of digital signatures or public key
encryption to enforce valid and legal transactions.
ERP security measures (security plan)
Overview
 Today's ERP systems are largely Web browser-based, meaning
they can be accessed anytime and anywhere.
 In addition, supply chain or eCommerce environments within
the ERP are exposed to the intricacies of the Internet world.
 Hackers are becoming more and more sophisticated at gaining access
to systems.
 Worms, viruses, and Trojan horses are common, and hackers are now
using a variety of other methods to capture information to gain access
to systems.
 Therefore there is a need for ERP system security.
 A good security plan will consist of the software products needed to
ensure proper and secure access, but will also consider physical
access and user security awareness.
Measures
• User names and passwords
• Physical hardware security
• Network security
• Awareness
• Security monitoring and assessment
• Intrusion detection
• Portable devices
• Encryption
User names and passwords
The current trend is to provide access to systems through an ID
management system.
Users must be made to understand the importance of a good
password that is not crackable.
There also needs to be a policy of changing passwords periodically.
In addition, there need to be policies for how a password is reset if it
is forgotten, and for the suspension or deletion of user IDs if an
employee leaves the company or changes roles in the organization.

Physical hardware security
Physical access includes network closets or switch rooms and access
to PCs. All must be secure.
Thefts of laptop computers with sensitive information on them have
become a bigger issue for companies.
Thieves often take out the hard drive and connect it to another PC,
and the data is readily available.
The encryption of hard drives, especially on laptops, is one
solution that is becoming more and more available.

Network security
There are likely many people doing a wide variety of illegal activities
on the internet.
There are devices that will address significant amounts of network
security, but it is complex and requires constant updating.
Most companies implement some form of firewall(s), virus
controls, and network or server intrusion detection, or both, to
safeguard the networked environment.
Operating systems need the latest patches, and virus software needs
to be updated regularly with anti-spyware installed to prevent
further access.
All need to work together to ensure the network environment
remains secure and stable.
Intrusion detection
Network and server intrusion detection comes in many forms of
hardware and software.
An intrusion detection system (IDS) generally detects unwanted
manipulations to computer systems, mainly through the Internet.
The manipulations may take the form of attacks by skilled
malicious hackers, or script kiddies using automated tools.
Real-time monitoring and after-the-fact reporting of anomalies in and
misuse of network and server activities will assist in spotting
intrusions and safeguarding systems from inappropriate access to
information stored in the ERP.
An intrusion detection system is used to detect all types of malicious
network traffic and computer usage that can't be detected by a
conventional firewall.
This includes network attacks against vulnerable services, data-driven
attacks on applications, host-based attacks such as privilege
escalation, unauthorized logins and access to sensitive files, and
malware (viruses, trojan horses, and worms).
Portable devices
The theft of laptops and PDAs that have stored identity information
is common.
Laptops can be stolen from offices, cars, trains, airplanes and homes.
Once stolen, the storage media can be mined for information that
can be used to gain access to confidential data.
Use of passwords and data encryption is important in securing a
portable device, but the key is for the users to be very aware of
what is being stored and to ensure its safety from hackers and
thieves.
Awareness
There should be two facets to awareness.
First, ensure that users are aware of security risks (e.g., writing down or
choosing simple passwords).
Second, enforce policies and procedures related to access.

Security monitoring and assessment
A periodic review of who has access, what they have access to, and how
often they are accessing the system should be part of the review.
Setting up and reviewing audit logs must be addressed with an
ERP implementation. Logging transactions and reviewing them on
a daily or at worst a weekly basis is a must for any financial
transactions.
Audit logs will reveal any unusual transactional activity and help to
minimize revenue loss due to fraud or hacking.
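The periodic review described above, as an added example that is not part of the original slides: a Python script that runs the review (who has access, what they access, how often, and unusual transactional activity) over a constructed ERP audit log. The log format, the provisioned user list, and the thresholds (business hours, large-amount limit, dormant-account window, conflicting action pairs) are all assumptions made for this example.

```python
# Added example, not from the slides: a periodic access review run over a
# constructed ERP audit log (hypothetical "ts|user|role|action|object|amount"
# format). It answers the slide's questions (who has access, what they do,
# how often) and flags unusual transactional activity for follow-up.
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data).
AUDIT_LOG = """\
2024-03-04T09:12:00|alice|AP_CLERK|CREATE_VENDOR|V-1001|0
2024-03-04T09:15:00|alice|AP_CLERK|APPROVE_PAYMENT|V-1001|48000
2024-03-04T10:02:00|bob|AR_CLERK|POST_INVOICE|INV-77|1200
2024-03-05T02:41:00|carol|ADMIN|CHANGE_ROLE|bob|0
2024-03-06T11:30:00|bob|AR_CLERK|POST_INVOICE|INV-78|950
2024-03-08T13:00:00|dave|AP_CLERK|APPROVE_PAYMENT|V-1002|300
"""
# User IDs provisioned in the ERP (constructed); "erin" never appears.
PROVISIONED_USERS = {"alice", "bob", "carol", "dave", "erin"}

# Review thresholds: assumed for this example, not taken from the slides.
BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 counts as normal working time
LARGE_AMOUNT = 10000            # a single payment above this is unusual
DORMANT_DAYS = 30               # no activity in this window: suspend the ID?
# Action pairs one user should not do on the same object (assumed SoD rule).
SOD_CONFLICTS = {("CREATE_VENDOR", "APPROVE_PAYMENT")}


def parse_log(text):
    """Parse pipe-separated lines into dicts, skipping malformed ones."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 6:
            continue
        ts, user, role, action, obj, amount = parts
        try:
            events.append({"ts": datetime.fromisoformat(ts), "user": user,
                           "role": role, "action": action, "object": obj,
                           "amount": float(amount)})
        except ValueError:
            continue        # bad timestamp or amount: skip rather than crash
    return events


def review(events, provisioned, review_date):
    """Return findings by category; review_date is an ISO date string."""
    now = datetime.fromisoformat(review_date)
    findings = defaultdict(list)
    last_seen, by_user_obj = {}, defaultdict(set)
    for e in events:
        last_seen[e["user"]] = max(last_seen.get(e["user"], e["ts"]), e["ts"])
        by_user_obj[(e["user"], e["object"])].add(e["action"])
        if e["ts"].hour not in BUSINESS_HOURS:
            findings["off_hours"].append((e["user"], e["action"], e["ts"]))
        if e["amount"] > LARGE_AMOUNT:
            findings["large_amount"].append((e["user"], e["object"], e["amount"]))
    # Provisioned IDs with no recent activity: candidates for suspension.
    for user in sorted(provisioned):
        seen = last_seen.get(user)
        if seen is None or now - seen > timedelta(days=DORMANT_DAYS):
            findings["dormant"].append(user)
    # One user did both halves of a conflicting pair on the same object.
    for (user, obj), actions in by_user_obj.items():
        for a, b in SOD_CONFLICTS:
            if a in actions and b in actions:
                findings["sod_conflict"].append((user, obj))
    findings["activity"] = dict(Counter(e["user"] for e in events))  # how often
    return dict(findings)


if __name__ == "__main__":
    result = review(parse_log(AUDIT_LOG), PROVISIONED_USERS, "2024-03-10")
    for category, items in result.items():
        print(category, items)
```

Each finding category maps to one review question on the slide; the dormant-ID list is the input to the suspension or deletion policy mentioned under user names and passwords.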

Encryption
Encryption involves using a key, usually a very long prime number
that is difficult to guess or program, to scramble data at one end and
unscramble it at the other end.
One way hackers gain access to systems is by monitoring data
passing through a network. If it is unscrambled, the process,
with the right tools and knowledge, is relatively simple.
Customers and users are sending and storing confidential data (e.g.,
credit card numbers and social security numbers) over the network.
Encrypting that sensitive information will help to prevent theft of
information.
In today's ERP implementations, network data encryption and even
encrypted storage of data should be addressed.
Sensitive data on laptop hard drives or PDA storage should also be
encrypted for security purposes.
If the laptop or PDA is then stolen, accessing the hard drive to
retrieve data will be next to impossible without the proper key.
Disaster Recovery and Business Continuity Plan
Disaster Recovery Plan (IT)
The disaster recovery plan typically refers to the plans in place to
restore essential Information Technology (IT) systems and
applications that enable critical business processes. (Jon B. &
Trey M., 2014)
Business continuity
...the development of strategies, plans and actions which provide
protection or alternative modes of operation for those activities or
business processes which, if they were to be interrupted, might
otherwise bring about a seriously damaging or potentially fatal loss
to the enterprise. (Jon B. & Trey M., 2014)
Mission-critical systems must have a plan in place that will provide
for the recovery from a number of disasters that can occur to a
business. ERP systems play a key role in company business and
profits.
When a system is unavailable, significant revenues are often lost.
All departments that use an ERP system must play a part in
providing business continuity while a system is unavailable.
In planning for a disaster, a company must address the level of risk
versus the amount of money needed to ensure that systems are available
as quickly as possible.
Some of these costs include
 alternate sites or mirrored sites to ensure ongoing business
availability,
 software and data back-ups stored offsite,
 alternative computer centers with the network connectivity
and workstations needed to run the business, and
 the support to ensure that the sites remain in synchronization
as the software and hardware configurations are changed.
REFERENCES
• Jon B. & Trey M. (2014). Business Continuity and Disaster
Recovery: Trends, Considerations, & Leading Practices. Los
Angeles: Protiviti.
• Marnewick, C. & Labuschagne, L. (2016). A Security
Framework for an ERP System. Academy for
Information Technology, University of Johannesburg.
• UNESCO. (2005). Ethics and Morality. Prentice Hall.
