During Quest Forum Digital Event: JD Edwards Week, The Anschutz Corporation’s Dan Eppich and Q Software’s Mike Ward presented how Anschutz established an enterprise security solution that supports the new requirements of GDPR, CCPA, and Big Four auditing.
Anschutz is a long-time user of auditing and security management solutions. The company recognized the need for a more secure enterprise and took steps to establish one. Eppich, Anschutz’s Chief Information Security Officer, discussed how security within an ERP is directly tied to, and accountable for, knowing and understanding the larger privacy initiatives taking place in each state and internationally.
Anschutz is a holding company based in Denver, Colorado. It was founded in 1965 and continues to grow organically and through acquisition. Anschutz performs business in America, Europe, Australia, and Asia. A handful of the companies held by Anschutz include AEG (sports and entertainment), Xanterra (parks and lifestyle), The Broadmoor (hospitality), Walden Media (media), and Guardian Centers (catastrophe-training).
As for IT infrastructure, Anschutz’s global instance is E1 9.2 across five countries. They are multi-language, but the primary language is English. The system recently moved from the IBM AS/400 onto a SQL database. There are 500+ users, the majority of whom are in finance. The company uses Orchestrator, BIP, and Q Software. They do a large amount of API work with Aelius. Eppich became CIO in December of 2019. Prior to his hire, the entire on-premises system was moved to an Anschutz-owned data center in Des Moines.
The Business Perspective
Security caught the attention of Anschutz when significant breaches regarding credit cards occurred in several companies. Eppich was tasked with auditing the company’s security. At the same time, new litigation occurred as a result of breaches in companies like Marriott and Hilton. Anschutz recognized a precedent being set to penalize the holding companies of those establishments. Therefore, establishing great security became the major focus of Eppich’s team to protect Anschutz’s data and resources.
Regulatory Framework for a Private Company
Private companies were once regulated by the Massachusetts data protection law, but that law was fairly lax in execution. Since then, the New York SHIELD Act, CCPA, and GDPR have raised expectations and requirements that constrain private companies.
Eppich and his team created specific goals and objectives for their security projects. These included gaining clarity on where the data was resident. They would also leave no data subject requests unanswered, track opt-in, and fold the work into the existing security program rather than running a separate one. Finally, the team at Anschutz would determine their scope in relation to the data (owner, co-owner, or processor).
There were several challenges to overcome. First, they were dealing with a lack of infrastructure for subject requests. There was a concern that requests would land in inboxes that no one was assigned to. Second, policy language had to be amended so that it was actually possible to comply with. To answer scope needs, the team had to answer data questions such as:
- Who needs to know?
- Who needs to be involved?
- How will users communicate with all affected parties?
The biggest hurdle to overcome was that of data mapping.
According to Eppich, the major activity was a slow ramp-up of importance. Eppich says the team became a sort of fire-and-brimstone marketing campaign for the right to act. The team needed buy-in from stakeholders, as well as marketing, sales, and IT, in order to achieve project objectives.
The team prioritized customer privacy over company desires.
- What will the customer give us?
- What will we have?
- Will we sell it?
They ascertained whether adequate communication channels were in place and petitioned for additional tools that would create sustainable processes.
Security Across the Entire Enterprise
In recent history, technology has become the driving force behind every facet of the business. For best practices and efficient resource allocation, security considerations should occur at the beginning of sales and marketing projects. For Eppich’s project, functional groups at Anschutz came together to ensure compliance. A sense of teamwork built morale as the departments were less siloed, benefitting the company in a holistic manner.
It is advantageous to consult outside counsel for ever-changing regulatory compliance requirements. With rules changing from state to state, it is extremely difficult to maintain compliance without some help. The culture continues to evolve regarding data management and classification.
One of the best approaches you can take is to reduce data retention. Essentially, if you don’t have it, you don’t have to worry about the privacy associated with it. Therefore, how much private data do you actually need to run your business? With the right to act, an individual can litigate against you over his or her personal record. You cannot keep doing what has always been done. Scanning drivers’ licenses or credit cards for future use outside of a well-thought-out process is dangerous. Furthermore, you must consider who will have access to the data. Security risks abound, and you must be ready.
Consider utilizing tools to help with security concerns and to be ready for an audit. Make sure you can show who holds which privileges; this is where auditors begin. Eppich highly recommends tools for:
- Data Mapping
- Data Subject Communication Channels
- CRM tracking
- Opt-In Management
JDE Internal Controls for Data Privacy
Ward predicts a much stronger focus on compliance processes across the United States over the next two years. He expects this based on his experience with Asian and European regulation. Ward insists that data be held securely across the ERP by following the ERP security life cycle. The ERP security life cycle is a set of functions across your ERP system that make it both controlled and controllable. The six areas are displayed below:
- Role-Based Access Control – Manage roles instead of users.
  - If you have 500 users categorized into 50 roles, you only need to manage one-tenth as many objects as you would at the user level. There are considerable issues in setting this up, including privilege. The overarching theme is to avoid giving access to someone unless their job absolutely requires it.
- User Provisioning – Allocate the role to the user.
  - This is a business issue, not an IT issue. The CFO should think about these issues and give approval if a user is to receive a second role. How do you know what the net effect of the combined access is? The individual in charge of business approval should be able to view this information.
- Segregation of Duties – Don’t give too much access to any one user.
  - Segregate access, assess risk, stop fraud, and detect and act before approving.
- Audit Reporting – Your external auditor checks internal controls.
  - You should have a concise set of controls that are sustainable and workable.
- Periodic Review – The sign-off process that must be executed for user certification.
  - Present the information so that the end-user manager can understand it and sign off either annually or quarterly.
- Continuous Monitoring – The front door is shut through role management. The back door is shut through continuous monitoring of sensitive tables with alerts.
  - If a change is made to a master file, receive an alert.
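The six life-cycle areas above (roles instead of users, provisioning with a visible net effect, segregation of duties, periodic review, and alerts on master-file changes) fit together as one control model. The following is an added example that is not part of the presentation or of Q Software’s product; it models those steps in plain Python over constructed sample data. The role names, function names, table names (such as `VENDOR_MASTER`), user names, and the `CHANGE_LOG` entries are all assumptions made for the illustration, not JD Edwards objects.

```python
"""Added example (not from the presentation or Q Software): a small model of
the ERP security life cycle, using constructed sample data throughout."""
from datetime import datetime

# Constructed: each role grants a set of functions (stand-ins for ERP
# application/action codes); users are assigned roles, never functions directly.
ROLES = {
    "AP_CLERK": {"enter_vendor_invoice", "view_vendor"},
    "AP_MANAGER": {"approve_payment", "view_vendor"},
    "VENDOR_MAINT": {"maintain_vendor_master", "view_vendor"},
    "AR_CLERK": {"enter_customer_receipt"},
}

# Constructed SoD matrix: function pairs one person must not hold together.
SOD_CONFLICTS = [
    ("maintain_vendor_master", "approve_payment"),
    ("enter_vendor_invoice", "approve_payment"),
]

# Constructed sensitive (master) tables, mapped to the function that legitimately changes them.
SENSITIVE_TABLES = {
    "VENDOR_MASTER": "maintain_vendor_master",
    "CUSTOMER_MASTER": "maintain_customer_master",
}

# Constructed user provisioning: what the business approver signs off on.
ASSIGNMENTS = {
    "alice": ["AP_CLERK"],
    "bob": ["AP_CLERK", "AP_MANAGER"],
    "carol": ["VENDOR_MAINT", "AP_MANAGER"],
    "dave": ["AR_CLERK"],
}


def effective_access(role_names):
    """Net effect of all roles held by one user: the union of their functions."""
    access = set()
    for name in role_names:
        access |= ROLES[name]
    return access


def sod_violations(role_names):
    """Conflict pairs that the user's combined roles would let one person hold."""
    access = effective_access(role_names)
    return [pair for pair in SOD_CONFLICTS if pair[0] in access and pair[1] in access]


def review_user_provisioning(assignments):
    """Periodic review: users whose role combination breaks segregation of duties."""
    report = {}
    for user, roles in assignments.items():
        violations = sod_violations(roles)
        if violations:
            report[user] = violations
    return report


def alerts_for_changes(change_log, assignments):
    """Continuous monitoring: every change to a sensitive table raises an alert;
    it is escalated when the changing user's roles do not grant that function
    (a change that bypassed the front door of role management)."""
    alerts = []
    for change in change_log:
        required = SENSITIVE_TABLES.get(change["table"])
        if required is None:
            continue  # not a master/sensitive table, nothing to alert on
        user_access = effective_access(assignments.get(change["user"], []))
        severity = "info" if required in user_access else "high"
        alerts.append({
            "severity": severity,
            "user": change["user"],
            "table": change["table"],
            "field": change["field"],
            "at": datetime.fromisoformat(change["ts"]),
        })
    return alerts


# Constructed change log, the kind of trail a table-level audit trigger would produce.
CHANGE_LOG = [
    {"table": "VENDOR_MASTER", "user": "carol", "field": "bank_account", "ts": "2021-03-01T09:15:00"},
    {"table": "VENDOR_MASTER", "user": "alice", "field": "bank_account", "ts": "2021-03-01T10:02:00"},
    {"table": "SALES_ORDER", "user": "dave", "field": "quantity", "ts": "2021-03-01T10:30:00"},
]

if __name__ == "__main__":
    for user, violations in review_user_provisioning(ASSIGNMENTS).items():
        print(f"SoD violation for {user}: {violations}")
    for alert in alerts_for_changes(CHANGE_LOG, ASSIGNMENTS):
        print(f"[{alert['severity']}] {alert['user']} changed "
              f"{alert['table']}.{alert['field']} at {alert['at']}")
```

Running it flags bob and carol in the review (each holds a conflicting pair through two individually reasonable roles, which is exactly the net-effect question the approver needs answered) and raises two alerts: an informational one for carol’s legitimate vendor-master change and a high-severity one for alice, whose roles never granted vendor maintenance.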
Realistically, Eppich spoke about overlaying processes on top of the security life cycle to manage data privacy. As you are audited to make sure these processes are in place, there is a set of tools available to help.
Some key issues in overlaying these processes include cost pressure, cloud-based skills, and risk assessment. Ward calls this the efficiency conundrum.
Internal control weaknesses are responsible for nearly half of frauds. Put sustainable controls in place around your ERP system to eliminate weaknesses and manage your risk.
The Anschutz IT team learned several lessons in their journey toward a secure enterprise. Eppich sums them up with these tips and tricks:
- Start small. Get something in place and then build from it.
- Hire outside help for one-time tasks such as data mapping and documentation.
- Request additional help for litigation. The Anschutz legal team did not have the security expertise to carry this project.
- Manage change. Don’t just plug holes in the dam; implement new processes to keep from acquiring new holes.
- Track how big the problem is. Track your data subject requests and how long each takes to resolve.
10 Tips for ERP Security & Compliance
- Evaluate the risks (Experience is key)
- Encryption & Authentication
- Know your business processes
- Audit live security
- Plan your roles – Authorization
- A risk matrix (yours, not someone else’s)
- Build IT general controls
- Use the tools and the experience
- Periodic Review – Involve the business
- Least privilege
According to Eppich and Ward, everything in compliance is evolving. You must utilize legal review continuously to stay in compliance, as a single 48-hour window could move you out of compliance. Buy-in from your entire organization is crucial to establishing good security, and data mapping is absolutely critical. Data classification and retention should be placed under review.
Take advantage of the lessons learned by Anschutz to best prepare your business to proactively avoid security risks and expensive compliance issues. Get your company out of the gross negligence game.
INFOCUS Envision will take place virtually on April 12-15, 2021! This year, INFOCUS is a two-part virtual conference series – made up of INFOCUS Envision and INFOCUS Dive Deep – that connects hundreds of IT leaders and business users to JD Edwards experts, industry innovators, technology leaders, and Oracle product teams for insights, education, and information.
Join us for four jam-packed days of strategic insights and actionable learning designed to transform your team, your vision, and your business! Registration is now open, and you can take advantage of Early Bird savings if you register before March 29!