5 Ways to Protect Personal Data in JD Edwards
It seems like hardly a week goes by without news of another high-profile data breach, often at companies we would expect to be well protected against such attacks.
The activity is fuelled by a thriving underground market for personal data such as credit card details, health information and bank credentials, the last of which can fetch $1,000 or more depending on the account balance.
Companies need to be vigilant. The 2016 Cost of Data Breach Study by the Ponemon Institute and IBM found that globally data breaches cost companies an average total of $4m per occurrence – but in the US the average cost rose to $7.01m. The study also estimated that over the next 2 years companies have a 26% probability of a material data breach involving 10,000 or more stolen records.
48% of breaches are malicious, caused by hackers or ‘criminal insiders.’ Data thieves are often skilled technicians such as programmers or system administrators, who maintain infrastructure such as servers and databases and have wide-ranging system access. They may also be support or business users acting as intermediaries, who collect and sell stolen data.
So it’s important to understand how personal data is stored and accessed within your ERP system and to take steps to protect it.
Specifically, within JD Edwards you should consider these five measures:
- Implement a security strategy that addresses data privacy.
Your security configuration defines how much control you have over who can access which data. Start from a closed-door model (everything denied unless explicitly granted) and add these controls:
- Data Browser security – in JD Edwards 9.2 you can provision Data Browser access by application, form or reporting code
- Media Object security – attachments can be secured, and should be if you store sensitive documents such as signed contracts
- Address Book permission lists – to mask sensitive fields such as telephone numbers, email addresses and home addresses
- Row security – to lock down access to sensitive data such as that held in the Human Resources module, and grant it back only where needed.
- Create security processes and policies.
Clearly documented processes and policies help to promote staff awareness and accountability. Examples include:
- User lifecycle documentation – document how users are set up (with approvals), modified (changes in access) and, most importantly, terminated (removal from the system). Expiring roles is not enough to reduce risk; the user profile should be removed from the system entirely (its information remains in security history). This makes it harder for someone to obtain unauthorized access through a leftover account.
- Generic IDs – keep them few. Document procedures for using each ID, restrict what it can do (for example menu traversal) and prohibit sign-on without authorization. Generic IDs should never be granted full access.
- Terms of usage – at least annually, educate the user base on proper use of computer systems. Remind users not to share user IDs and not to walk away from a workstation while signed into JD Edwards or the network; locking the screen before leaving a desk prevents casual misuse.
- Implement a database security strategy.
Some companies assume a closed-door security model in the application is enough and forget about direct database access. The two must be considered together: if you decide to provision direct access to the database, do so with your front-end security model in mind, so that nobody can read from the database what the application denies them. On each database (including pre-production databases, which most likely hold data refreshed from production and are just as valuable to a thief) you can:
- Create connection roles
- Set password policies
- Create view only and update roles
- Define permissions by role
- Limit what tables can be accessed by role.
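The five database controls above, carried through as an added example in Oracle SQL (JD Edwards commonly runs on Oracle; this is illustration written for this page, not code from the article or from Q Software). The profile, role and user names, the PRODDTA and CRPDTA schema names and the choice of tables are assumptions; F0101 (Address Book master) and F060116 (Employee master) are standard JD Edwards table names, and the two closing queries read Oracle's own dictionary views.

```sql
-- Added example: least-privilege direct database access for a JD Edwards data schema (Oracle).
-- Names (jde_direct_access, jde_connect, jde_readonly, jde_hr_update, rpt_finance, hr_maint,
-- PRODDTA, CRPDTA) are assumptions for illustration; passwords are placeholders.

-- 1. Password policy: enforced through a profile that every direct-access account must use.
CREATE PROFILE jde_direct_access LIMIT
  FAILED_LOGIN_ATTEMPTS  5            -- lock the account after five bad passwords
  PASSWORD_LOCK_TIME     1            -- keep it locked for one day
  PASSWORD_LIFE_TIME     90           -- force rotation every 90 days
  PASSWORD_GRACE_TIME    7
  PASSWORD_REUSE_MAX     10           -- both REUSE settings must be numbers for reuse checks to apply
  PASSWORD_REUSE_TIME    365
  PASSWORD_VERIFY_FUNCTION ora12c_verify_function;  -- Oracle 12c+ complexity rules (run utlpwdmg.sql first)

-- 2. Connection role: all it can do is open a session.
CREATE ROLE jde_connect;
GRANT CREATE SESSION TO jde_connect;

-- 3. View-only and update roles, limited to named tables. Never "SELECT ANY TABLE" style privileges.
CREATE ROLE jde_readonly;
GRANT SELECT ON PRODDTA.F0101 TO jde_readonly;                -- Address Book master, read only

CREATE ROLE jde_hr_update;
GRANT SELECT, UPDATE ON PRODDTA.F060116 TO jde_hr_update;     -- Employee master, HR maintenance only

-- 4. Permissions by role: accounts receive roles, never direct object grants.
--    PASSWORD EXPIRE forces a change at first sign-on, so the placeholder never stays in use.
CREATE USER rpt_finance IDENTIFIED BY "change_on_first_use#1" PROFILE jde_direct_access PASSWORD EXPIRE;
GRANT jde_connect, jde_readonly TO rpt_finance;

CREATE USER hr_maint IDENTIFIED BY "change_on_first_use#2" PROFILE jde_direct_access PASSWORD EXPIRE;
GRANT jde_connect, jde_hr_update TO hr_maint;

-- 5. Pre-production copies hold refreshed production data, so the same table limits apply there.
GRANT SELECT ON CRPDTA.F0101 TO jde_readonly;

-- Check: any account or role holding a catch-all privilege bypasses the table limits above.
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE privilege IN ('SELECT ANY TABLE', 'READ ANY TABLE', 'UPDATE ANY TABLE', 'DELETE ANY TABLE')
 ORDER BY grantee;

-- Check: who can reach the HR table, directly or through a role, and whether they can pass it on.
SELECT grantee, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'PRODDTA' AND table_name = 'F060116'
 ORDER BY grantee;
```

Run the two closing queries on every environment after a refresh as well as after provisioning changes: a refresh script that recreates objects can silently re-grant privileges the front-end security model never intended to allow.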
- Don’t forget to consider the security setup of Third Party tools.
Be aware that third-party tools such as Oracle’s Real User Experience Insight can provide access to the source system’s data.
Middleware such as Oracle Fusion Middleware may expose data while it is in transit from one system to another.
Most importantly, bolt-on reporting tools are not necessarily bound to a user’s JD Edwards security profile. The security setup within the tool may be overridable at the user ID level, so a user can see through the tool what the application would not show them.
Such third-party tools, the data within them and access to them should be covered by your overall security strategy.
- Know how to identify suspicious activity.
Do you know what suspicious activity on your system looks like?
Would you know how to identify it and to whom you should report it?
What counts as suspicious activity will depend largely on what your business identifies as sensitive data, but a few key things should be considered:
- Ensure your password policy is set up within JD Edwards, and set up triggers or watchlists on invalid password attempts to spot password guessing and brute-force attacks
- Limit the number of rows that can be exported to Excel from within JD Edwards, so a whole table cannot leave the system in one grid export
- Use 21 CFR Part 11 auditing to audit key tables holding sensitive information
- Consider using a third party tool such as Q Software’s Fraud Detector to monitor changes to high risk data.
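A watchlist for invalid password attempts, as an added example (not from the original article or from Q Software). The `signon_audit` table, its columns and the sample rows are constructed for illustration; in a real JD Edwards environment the feed would be the application's security history or the database audit trail, whose column names differ. The two rules go slightly beyond the bullet above: one flags a burst of failures, the other flags a success that follows such a burst, which is the case that matters most.

```sql
-- Added example: brute-force sign-on detection over a constructed audit table (Oracle SQL).
-- Table, column names and data are assumptions made for this example.
CREATE TABLE signon_audit (
  user_id   VARCHAR2(10),
  event_ts  TIMESTAMP,
  outcome   VARCHAR2(8),      -- 'OK' or 'FAIL'
  source_ip VARCHAR2(45)
);

-- Constructed sample rows: HRADMIN is hammered from one address and then signed in; JSMITH mistyped once.
INSERT INTO signon_audit VALUES ('HRADMIN', TIMESTAMP '2016-11-07 08:00:05', 'FAIL', '10.1.5.23');
INSERT INTO signon_audit VALUES ('HRADMIN', TIMESTAMP '2016-11-07 08:00:41', 'FAIL', '10.1.5.23');
INSERT INTO signon_audit VALUES ('HRADMIN', TIMESTAMP '2016-11-07 08:01:19', 'FAIL', '10.1.5.23');
INSERT INTO signon_audit VALUES ('HRADMIN', TIMESTAMP '2016-11-07 08:02:02', 'FAIL', '10.1.5.23');
INSERT INTO signon_audit VALUES ('HRADMIN', TIMESTAMP '2016-11-07 08:02:55', 'FAIL', '10.1.5.23');
INSERT INTO signon_audit VALUES ('HRADMIN', TIMESTAMP '2016-11-07 08:03:40', 'FAIL', '10.1.5.23');
INSERT INTO signon_audit VALUES ('HRADMIN', TIMESTAMP '2016-11-07 08:04:10', 'OK',   '10.1.5.23');
INSERT INTO signon_audit VALUES ('JSMITH',  TIMESTAMP '2016-11-07 08:01:00', 'FAIL', '10.1.7.8');
INSERT INTO signon_audit VALUES ('JSMITH',  TIMESTAMP '2016-11-07 08:01:20', 'OK',   '10.1.7.8');
COMMIT;

-- Rule 1: the fifth failure for one user inside a sliding 15-minute window.
-- The window count is computed per failure, and filtering on exactly 5 raises one alert per burst.
WITH failures AS (
  SELECT user_id, source_ip, event_ts,
         COUNT(*) OVER (PARTITION BY user_id
                        ORDER BY event_ts
                        RANGE BETWEEN INTERVAL '15' MINUTE PRECEDING AND CURRENT ROW) AS fails_15m
    FROM signon_audit
   WHERE outcome = 'FAIL'
)
SELECT user_id, source_ip, event_ts AS fifth_failure_at
  FROM failures
 WHERE fails_15m = 5;

-- Rule 2: a successful sign-on preceded by five or more failures in the previous 15 minutes.
-- A lockout policy should make this impossible; if the row appears, the policy is not enforced
-- or the password was guessed within the allowance, and the session deserves a closer look.
SELECT s.user_id, s.source_ip, s.event_ts AS success_at, COUNT(f.event_ts) AS failures_before
  FROM signon_audit s
  JOIN signon_audit f
    ON f.user_id = s.user_id
   AND f.outcome = 'FAIL'
   AND f.event_ts BETWEEN s.event_ts - INTERVAL '15' MINUTE AND s.event_ts
 WHERE s.outcome = 'OK'
 GROUP BY s.user_id, s.source_ip, s.event_ts
HAVING COUNT(f.event_ts) >= 5
 ORDER BY s.event_ts;
```

With the sample rows both queries flag HRADMIN and neither flags JSMITH, which is the behaviour a watchlist should have: a single mistyped password is noise, a burst is a signal, and a burst followed by success is the row to report immediately.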
Being proactive is key to protecting your data. Don’t cross your fingers and hope your company doesn’t become one of the 1,093 organizations with reported breaches. Ensure your security strategy follows best practice, your users are knowledgeable and accountable, and your clients are confident that their data is protected.
We understand that securing your data can be a daunting task. If you would like to discuss your specific challenges, please contact us.