
Auditing Controls in ERP Systems - 2019

Edward N Beaver

Exercise 4 (SOD) Due November 11

October 31, 2020 by Edward N Beaver

Reminder:  Exercise 4 – Segregation of Duties is now due (via e-mail) on Saturday November 11 at 11:59 pm.

Updated Guide (updated with additional SAP screen shots November 6 @ 7:30 pm)

Week 9: Security: User Management, Segregation of Duties (SOD) Wrap-up

October 31, 2020 by Edward N Beaver

Continuing great job on the discussions – I enjoy your thoughtfulness and depth in answering.  I trust the questions help you explore and understand topics being discussed in a given week.
You raised most of the important points but let me summarize my view.

Q1: What is segregation of duties (SOD) and why is it a commonly used control?  We discussed this topic in class.  Great examples of IT roles that should be segregated (e.g. development from database administration, development from security administration, development from moving code into production, developers having no access to the production system, development from audit).  We'll discuss controls related to development more thoroughly in future classes.

Q2: Security in an ERP system (e.g. SAP) is complex. What is the most fuzzy, difficult to understand component?  You nailed the core issue – ERP systems are large and complex.  Therefore the security is also large and complex – especially when there are complex requirements (many people needing broad access).

Q3: What are the key competencies of the person responsible for security?  I like the terms you chose.  Specifically:
  • Skepticism and curiosity
  • Functional knowledge – critical to effectively make decisions
  • Decision making – to which I would add good judgement
  • Data analytics – I call this basic smarts.  Security is highly complex and requires strong cognitive skills.

Q4: Companies are dynamic entities. What are best practices for managing system users and their security access?   You provided many great ideas including:  password policies and procedures, documenting change (more on this in a couple of weeks), periodic user access reviews, least privilege access, proper management approvals, etc.  Bottom line: security, although sometimes viewed as a backroom IT task, requires strong processes to be done well.
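The SOD discussion in Q1 and the provisioning practices in Q4 (management approval, periodic access review) come together in the kind of check an auditor runs over a user/role/transaction extract. The following is an added example, not code from this course page or from SAP: the conflict matrix, role names and user IDs are constructed for illustration, and the SAP transaction codes (FK01, F-53, ME21N, MIGO, MIRO, SU01, PFCG, etc.) are real codes used here only as labels for business functions. It goes slightly beyond the text in two ways a practitioner cares about: it records whether a conflict is built into a single role or arises only from the combination of roles a user was given, and it offers a "what would this grant introduce" check for the approval step.

```python
"""Segregation-of-duties (SOD) check over a user/role/transaction extract.

Added example, not code from the course page or from SAP. Role names, user
IDs and the conflict matrix are constructed; the transaction codes are real
SAP codes used only as labels for business functions.
"""
from collections import defaultdict
from itertools import combinations

# Business function -> transaction codes that grant it (constructed mapping).
FUNCTIONS = {
    "VENDOR_MASTER":  {"FK01", "FK02", "XK01", "XK02"},  # create/change vendor
    "VENDOR_PAYMENT": {"F-53", "F110"},                  # post outgoing payment
    "PURCHASE_ORDER": {"ME21N", "ME22N"},                # create/change PO
    "GOODS_RECEIPT":  {"MIGO"},                          # confirm receipt
    "INVOICE_ENTRY":  {"MIRO", "FB60"},                  # enter vendor invoice
    "USER_ADMIN":     {"SU01"},                          # maintain users
    "ROLE_ADMIN":     {"PFCG"},                          # maintain roles
}

# Conflict matrix (constructed): function pairs one person must not hold.
CONFLICTS = {
    frozenset({"VENDOR_MASTER", "VENDOR_PAYMENT"}): "create a fictitious vendor and pay it",
    frozenset({"VENDOR_MASTER", "INVOICE_ENTRY"}):  "create a vendor and book invoices to it",
    frozenset({"PURCHASE_ORDER", "GOODS_RECEIPT"}): "order goods and confirm their receipt",
    frozenset({"PURCHASE_ORDER", "INVOICE_ENTRY"}): "order goods and release payment for them",
    frozenset({"USER_ADMIN", "ROLE_ADMIN"}):        "create a user and grant it any role",
}

# Constructed extract: role -> transaction codes, user -> assigned roles.
ROLES = {
    "Z_AP_CLERK":     {"MIRO", "FB60", "F-53"},
    "Z_VENDOR_MAINT": {"FK01", "FK02"},
    "Z_BUYER":        {"ME21N", "ME22N"},
    "Z_WAREHOUSE":    {"MIGO"},
    "Z_BASIS_ADMIN":  {"SU01", "PFCG", "SM59"},
    "Z_DISPLAY_ONLY": {"FK03", "ME23N", "MIR4"},
}
USERS = {
    "ALICE": {"Z_AP_CLERK", "Z_VENDOR_MAINT"},  # conflict only in combination
    "BOB":   {"Z_BUYER", "Z_DISPLAY_ONLY"},     # clean
    "CAROL": {"Z_BASIS_ADMIN"},                 # conflict built into one role
    "DAVE":  {"Z_BUYER", "Z_WAREHOUSE"},        # conflict only in combination
}


def functions_for_user(user, users=USERS, roles=ROLES):
    """Map each business function the user holds to the roles granting it."""
    granted = defaultdict(set)                 # tcode -> roles that grant it
    for role in users[user]:
        for tcode in roles[role]:
            granted[tcode].add(role)
    held = defaultdict(set)                    # function -> roles granting it
    for func, codes in FUNCTIONS.items():
        for tcode in codes & set(granted):
            held[func] |= granted[tcode]
    return dict(held)


def find_conflicts(users=USERS, roles=ROLES):
    """Report every conflicting function pair each user holds, noting whether
    the conflict sits inside one role or arises only from the combination
    of roles assigned to the user (the case a role-by-role review misses)."""
    findings = []
    for user in sorted(users):
        held = functions_for_user(user, users, roles)
        for a, b in combinations(sorted(held), 2):
            pair = frozenset({a, b})
            if pair in CONFLICTS:
                findings.append({
                    "user": user,
                    "functions": (a, b),
                    "risk": CONFLICTS[pair],
                    "roles": {a: sorted(held[a]), b: sorted(held[b])},
                    "intra_role": bool(held[a] & held[b]),
                })
    return findings


def simulate_assignment(user, new_role, users=USERS, roles=ROLES):
    """Preventive check for the approval step: the conflicts that granting
    new_role to user would introduce beyond those the user already has."""
    existing = {f["functions"] for f in find_conflicts(users, roles) if f["user"] == user}
    trial = dict(users)
    trial[user] = users[user] | {new_role}
    return [f for f in find_conflicts(trial, roles)
            if f["user"] == user and f["functions"] not in existing]


if __name__ == "__main__":
    for f in find_conflicts():
        origin = "within one role" if f["intra_role"] else "across roles"
        print(f"{f['user']}: {f['functions'][0]} + {f['functions'][1]} "
              f"({origin}) -> could {f['risk']}; via {f['roles']}")
    print("Granting Z_WAREHOUSE to BOB would add:",
          [f["functions"] for f in simulate_assignment("BOB", "Z_WAREHOUSE")])
```

Run as-is it flags ALICE and DAVE for conflicts that exist only because two individually clean roles were combined, and CAROL for a conflict designed into a single role; the latter is a role-design finding, the former an assignment finding, and they go to different owners. Replacing the constructed `ROLES`/`USERS` with an export of role-to-transaction and user-to-role assignments turns this into a periodic access review; calling `simulate_assignment` before approval turns it into a preventive control.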

 

Exercise 3: Possible ‘Missing CO Object’ Error

October 28, 2020 by Edward N Beaver

When performing Task 4 (Enter Journal Entry Transactions into the General Ledger) using transaction FB50, you may find that one or more General Ledger accounts require the entry of a Controlling (CO) object such as a cost center. You get an error such as 'Account xxxxxxx requires the assignment of a CO object'.

This is an additional financial control.

This short guide shows how to address this issue.

Real World Control Failure: Post your Presentation

October 24, 2020 by Edward N Beaver

Your options for posting your Real World Control Failure presentations are:

  • Post as a comment to this post. This requires you to embed a URL to where your presentation is stored (e.g. on OneDrive or Google Drive).
  • Post as a new blog post. You can upload your presentation as media when creating the blog post. Make sure to select the ‘Real World Control Failure Presentations’ category.
  • Edit this post or send me your presentation and I’ll include in the list below.

 

Date        | Student              | Subject / Link
------------|----------------------|------------------------------
October 16  | Candace Nelson       | Salvation Army
October 23  | Lezlie Jiles         | USIS (separate blog post)
October 30  | Andres Galarza       | Ukrainian Artillery App
October 30  | Parneet Toor         | UBS Rogue Trading Scandal
November 6  | Khawlah AlSwaillem   | Marrone Bio Innovations
November 12 | Kevin Berg           | Leone Industries
November 13 | Xiaomin Dong         | PTC Inc. China
November 13 | Yijiang Li           | Yahoo
November 27 | Qiyu Chen            | Google Mail Hack
November 30 | Mengting Li          | Target
December 1  | Binju Gaire          | Advanced Emissions Solutions
December 4  | Jing Jiang J         | Satyam Computer Services
            | Michelangelo Collura | Lehman Brothers

Exercise 3 – Due Date Changed to Saturday October 28

October 24, 2020 by Edward N Beaver

I have changed the due date for Exercise 3 (Journal Entries) from Thursday until Saturday October 28 at the end of the day.

Note: this is a group exercise. Only one submission file (spreadsheet) is due from each team.

Week 9: Questions

October 24, 2020 by Edward N Beaver

  1. What is segregation of duties and why is it a commonly used control?  Give an example of two roles (e.g. IT roles) that should be segregated.
  2. Security in an ERP system (e.g. SAP) is complex.  What is the most fuzzy, difficult to understand component?  Explain
  3. What key (1-2) competencies does the person responsible in a company for security (e.g. for a given process) need to have to be successful?  Why?
  4. All companies are dynamic entities with employees and others using systems coming and going all the time.  What best practices have you experienced or would you recommend for managing system users and their related security access?

Week 8: Security 2, Finance 2 Wrap-up

October 24, 2020 by Edward N Beaver

Continuing great job on the discussions. Keep up the good work.   My summary view is:

Q1: Do businesses rely too much on security administrators vs. security of the entire network?  Most of you highlighted the network as the highest risk.  I tend to agree with you, as in today's computer environments the network gets you in the door.  Nevertheless, it's important to manage all areas of security and make sure even the administrators are using state of the art practices and techniques.   Risks are everywhere.

Q2: Why only have one posting period open at a time? As you pointed out, this is mainly to prevent errant postings in the wrong month.  It also supports the discipline of making sure when events occur in the real or physical world, the corresponding transaction(s) occur in the ERP system.
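The posting-period control in Q2 is easiest to see as the check the system applies to each document. The block below is an added example, not code from this course page or from SAP; it models the shape of SAP's posting-period table (account type, from period/year, to period/year) in a simplified way, assumes a calendar fiscal year so the period number equals the month, and uses constructed documents. It shows the back-dated document being rejected once its month is closed, and the month-end roll that leaves exactly one period open.

```python
"""Posting-period check: only the current period is open for postings.

Added example, not code from the course page or from SAP. The table below
is a simplified model of an SAP-style posting-period table; a calendar
fiscal year is assumed (period == month) and the documents are constructed.
"""
from datetime import date

# Account types as SAP labels them: '+' applies to all, 'S' G/L, 'K' vendor,
# 'D' customer. Value: (from_period, from_year, to_period, to_year).
# Every row points at the same single period, which is the control.
OPEN_PERIODS = {
    "+": (10, 2020, 10, 2020),
    "S": (10, 2020, 10, 2020),
    "K": (10, 2020, 10, 2020),
    "D": (10, 2020, 10, 2020),
}


def fiscal_period(posting_date):
    """Calendar fiscal year assumed: (year, period) with period == month."""
    return (posting_date.year, posting_date.month)


def is_open(posting_date, account_type, table=OPEN_PERIODS):
    """Allowed only if the period is open for all account types ('+') and
    for the specific account type (simplified model of the check)."""
    target = fiscal_period(posting_date)
    for key in ("+", account_type):
        if key not in table:
            return False
        p_from, y_from, p_to, y_to = table[key]
        if not ((y_from, p_from) <= target <= (y_to, p_to)):
            return False
    return True


def check_document(doc, table=OPEN_PERIODS):
    """Return (accepted, reason) for one document. Every line item's account
    type must be open; one closed line rejects the whole document."""
    for item in doc["items"]:
        if not is_open(doc["posting_date"], item["account_type"], table):
            y, p = fiscal_period(doc["posting_date"])
            return False, (f"period {p:02d}/{y} is not open for "
                           f"account type {item['account_type']}")
    return True, "posted"


def roll_period(table, new_period, new_year):
    """Month-end close: move every account type to the single new period so
    nothing can be posted back into the closed month. Returns a new table."""
    return {key: (new_period, new_year, new_period, new_year) for key in table}


# Constructed documents: one dated in the open month, one back-dated into a
# month that has already been closed.
DOCS = [
    {"id": "100001", "posting_date": date(2020, 10, 15),
     "items": [{"account_type": "K", "amount": -1200.00},
               {"account_type": "S", "amount": 1200.00}]},
    {"id": "100002", "posting_date": date(2020, 9, 28),
     "items": [{"account_type": "D", "amount": 22000.00},
               {"account_type": "S", "amount": -22000.00}]},
]


def post_all(docs, table=OPEN_PERIODS):
    """Return {document id: (accepted, reason)} for a batch."""
    return {d["id"]: check_document(d, table) for d in docs}


if __name__ == "__main__":
    for doc_id, (ok, reason) in post_all(DOCS).items():
        print(doc_id, "ACCEPTED" if ok else "REJECTED", "-", reason)
    november = roll_period(OPEN_PERIODS, 11, 2020)
    print("after close, October document:", check_document(DOCS[0], november))
```

The rejected September document cannot be slipped into the closed month; whoever enters it must post it with an October posting date, where it shows up in the current period's reconciliation. Widening a row in `OPEN_PERIODS` to span two periods is exactly the configuration change an auditor looks for, because it silently removes the control.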

Q3: What’s the most important finance / accounting control? …authorization control? Some good discussion on this question.  I would have preferred you using my list to prioritize but most of you didn’t have that list due to my late posting of the video.  My experience is that documented policies & procedures with strong reconciliation and auditing that they are followed is critical.  Focus as usual on the high value and high risk items.

Q4: Have you experienced difficult, cumbersome, … security problems?  Thanks for sharing some great stories of your real experiences.  Most of you highlighted password headaches.  Regardless, it's important to understand the end results of what users are actually doing (law of unintended consequences).  If you lock down the process so tightly that everyone writes the password down and sticks it on their screen, in the end you have poor security.  A balance is necessary: is the complexity worth the headache?  However, who gets to set the balance is usually someone at the top of the organization.

Exercise 3 (Journal Entries) Clarifications

October 19, 2020 by Edward N Beaver

As a result of some questions raised in class I have added some clarifying comments in the assignment. The comments are on page 9 in the previous events section. Note the changes in bold below.

The updated Exercise 3 Guide is here and also posted on the assignment page.

Events of interest that occurred previously (in the prior year if no year is listed)

Date            | Description of Event
----------------|----------------------------------------------------------------
January 1, 2008 | Production Machinery, Equipment and Fixtures were placed in service. They are expected to last 15 years with no salvage value.
July 30         | Payment for GBI's advertisement in the English language edition of Italian Cycling Journal. Advertisement to run in six consecutive monthly publications starting in August. Assume this is the extent of GBI's prepaid advertising.
December 22     | Windy City Bikes in Chicago, IL was invoiced $22,000 for bicycle accessories by GBI. The terms of payment for Windy City's order are 2/20 net 60 days (in layman's terms this means a 2% discount if paid within 20 days, and the net open receivable is due in 60 days).

Guest Lecturer Steven Yannelli Bio

October 19, 2020 by Edward N Beaver

Below is a brief bio of our guest lecturer on Monday (October 23)

“Steven Yannelli is a recognized leader in SAP application security who has worked in ERP security for the past 15 years. For six years, he managed the largest international SAP implementation to date (at Walmart) and has been a consultant with Deloitte & Touche and PricewaterhouseCoopers. He is also a US Army combat veteran who served as a Captain and Commanding Officer within the 56th Stryker Brigade Combat Team. He deployed to Iraq from 2008-2009 where he managed a secure communications network.

Steven holds a CISSP certification and a graduate degree from Drexel University. He is now a Senior Manager at CSL Behring and currently leads their global SAP security and consulting teams across four countries.”

Week 8: Questions

October 17, 2020 by Edward N Beaver

  1. Do you believe businesses rely too much on administrators to configure the security protocols in programs like SAP, rather than look for security in the entire network?  Explain
  2. What is the relevance of only being able to have one posting period open at a time for real time financial postings?  What does this prevent from happening?
  3. Consider the list of financial and accounting controls discussed in class.  Rank them.  Which do you believe is the most important, and which the least?  Why?
  4. You’ve used various computer systems in your lifetime, career.  System security is complex and often maligned as cumbersome, difficult, bureaucratic, etc.  Have you seen these problems in your experience?   Explain