Continued great job on the discussions – I enjoy your thoughtfulness and depth in answering. I trust the questions help you explore and understand the topics being discussed in a given week.
You raised most of the important points but let me summarize my view.
Q1: What is segregation of duties (SOD) and why is it a commonly used control? – We discussed this topic in class. Great examples of IT roles that should be segregated (e.g., development from DBA, development from security, development from moving code, developers kept out of the production system, development from audit). We’ll discuss controls related to development more thoroughly in future classes.
Q2: Security in an ERP system (e.g., SAP) is complex. What is the most fuzzy, difficult-to-understand component? You nailed the core issue – ERP systems are large and complex. Therefore, the security is also large and complex – especially when there are complex requirements (many people needing broad access).
Q3: What are the key competencies of the person responsible for security? I like the terms you chose. Specifically:
Skepticism and curiosity
Functional knowledge – critical to effectively make decisions
Decision making – to which I would add good judgement
Data analytics – I call this basic smarts. Security is highly complex and requires strong cognitive skills.
Q4: Companies are dynamic entities. What are best practices for managing system users and their security access? You provided many great ideas, including: password policies and procedures, documenting change (more on this in a couple of weeks), periodic user access reviews, least-privilege access, proper management approvals, etc. Bottom line is that security, although sometimes viewed as a backroom IT task, requires strong processes to be done well.
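The SOD role pairs listed under Q1 and the periodic user access review under Q4 are both things an auditor can check mechanically once user-role assignments are exported from the system. The following is an added example written for this summary, not course material or anything from SAP; the role names, approver fields and the sample assignment export are all constructed for illustration. It flags users holding a conflicting pair of roles and, for the periodic review, grants that lack a recorded management approval or have not been reviewed within the review window.

```python
"""SOD conflict check and periodic access review over a user-role export (added example)."""
from collections import defaultdict
from datetime import date, timedelta

# Hypothetical role names; the conflicting pairs mirror the examples given in the post:
# development vs. DBA, security, code migration, production access and audit.
SOD_CONFLICTS = {
    frozenset({"developer", "dba"}),
    frozenset({"developer", "security_admin"}),
    frozenset({"developer", "code_migrator"}),  # developers should not move code to production
    frozenset({"developer", "prod_user"}),      # developers should not hold production accounts
    frozenset({"developer", "auditor"}),
}

# Constructed sample export: (user, role, approving manager or None, date last reviewed)
ASSIGNMENTS = [
    ("alice", "developer",     "mgr1", date(2024, 1, 15)),
    ("alice", "code_migrator", "mgr1", date(2024, 1, 15)),  # SOD conflict
    ("bob",   "dba",           "mgr2", date(2024, 3, 1)),
    ("carol", "developer",     "mgr1", date(2023, 6, 1)),   # review overdue
    ("dave",  "prod_user",     None,   date(2024, 3, 1)),   # no management approval recorded
    ("erin",  "auditor",       "mgr3", date(2024, 3, 1)),
    ("erin",  "developer",     "mgr3", date(2024, 3, 1)),   # SOD conflict
]


def roles_by_user(assignments):
    """Collapse the export into {user: set_of_roles}."""
    roles = defaultdict(set)
    for user, role, _approver, _reviewed in assignments:
        roles[user].add(role)
    return roles


def sod_violations(assignments, conflicts=SOD_CONFLICTS):
    """Return {user: [(role_a, role_b), ...]} for every conflicting pair a user holds.

    A pair is a violation only when the user holds BOTH roles; holding one of them is fine.
    """
    found = {}
    for user, roles in roles_by_user(assignments).items():
        hits = sorted(tuple(sorted(pair)) for pair in conflicts if pair <= roles)
        if hits:
            found[user] = hits
    return found


def access_review_findings(assignments, today, max_review_age_days=90):
    """Periodic review: flag grants with no approver or not reviewed within the window."""
    cutoff = today - timedelta(days=max_review_age_days)
    findings = []
    for user, role, approver, reviewed in assignments:
        if approver is None:
            findings.append((user, role, "no management approval recorded"))
        if reviewed < cutoff:
            findings.append((user, role, "review overdue"))
    return findings


if __name__ == "__main__":
    for user, pairs in sod_violations(ASSIGNMENTS).items():
        print(f"SOD violation: {user} holds {pairs}")
    for user, role, reason in access_review_findings(ASSIGNMENTS, date(2024, 3, 31)):
        print(f"Review finding: {user}/{role}: {reason}")
```

In practice the conflict matrix is the part that needs business input (which role combinations are truly incompatible in this organization), while the review window and the approval field are what the change-documentation process from Q4 feeds into; the script only makes the gaps visible.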