In general, governance, risk and compliance, or GRC, is a set of integrated capabilities that ensure an organization’s ability to achieve objectives, address uncertainty, and act with integrity.
What are the fundamental steps to a successful JD Edwards GRC policy? These might not be ALL applicable to ALL organizations but ALL organizations should be asking these questions.
Want to learn more? View the on-demand webinar JD Edwards EnterpriseOne: Segregation of Duties, Risk Management, and GRC to see how you can use the functionality of JD Edwards to establish an effective and efficient security strategy that ensures protection from fraud while enabling user protection.
The 12 JD Edwards GRC Strategy Tips:
- Are user IDs on your system unique?
  - Shared user IDs should not be used, ever.
- User Access Controls: can you prove least privilege?
  - Who has access to your systems?
  - Users should only have the access they need to do their jobs.
  - Excess access creates risk in the system.
  - Employee access requirements change over time and need to be reviewed regularly.
- User Provisioning: who approves, and is there an audit trail?
  - Who is approving access to the system?
  - It should not be someone in the IT department.
  - It should be a strategic business decision, made either by a member of the internal audit team or by a business manager responsible for the function.
  - An audit trail is a necessity.
- Security changes: are they checked, approved and documented?
  - Who checks and approves security changes?
- Is your SoD model routinely reviewed and approved?
  - This is dynamic and needs to be reviewed and updated regularly.
- Are proactive SoD checks in place (prior to live role assignment)?
  - Proactive SoD checks should be a requirement.
  - They should use automated tools that inform the approver of any security risks or issues.
  - This should be an automated process, not managed manually via a spreadsheet or similar.
- Are terminated users removed or disabled in a timely manner?
  - This can be a critical issue if not addressed immediately.
- What are your critical/sensitive objects (a business decision)?
  - This is one of the easiest opportunities for fraud in JD Edwards.
  - Using least privilege and alerts can help to protect and monitor these events.
- Are you checking for access to sensitive objects?
  - Use least privilege to limit access to sensitive objects.
- Do you know who has system administration or elevated access?
  - Universal/system administrator access is generally not necessary, or should be limited to only a few users.
  - Such access should be audited and tracked carefully.
- Do you run a Periodic Access Review that management understands?
  - Most companies need to perform user certification reviews yearly or quarterly.
  - With proper tools these can be easy and simple.
- Is Audit Reporting on Access and SoD automatic?
  - Reduce the pressure from the auditors by having audit reporting automated.
  - This allows you to focus on anomalies rather than reporting challenges.
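The proactive SoD check described above (evaluate a role grant against a conflict matrix before it goes live, and tell the approver what it would introduce) can be illustrated in code. This is an added example, not JD Edwards functionality or any vendor's tool; the role names, business functions and conflict rules are constructed placeholders, not real JD Edwards object IDs.

```python
# Proactive segregation-of-duties (SoD) check run before a role is assigned.
# All role and function names below are constructed for illustration.

# Roles map to the business functions they grant (hypothetical, not real JDE objects).
ROLE_FUNCTIONS = {
    "AP_CLERK": {"vendor_invoice_entry"},
    "AP_APPROVER": {"payment_approval"},
    "VENDOR_ADMIN": {"vendor_master_maintenance"},
    "GL_ACCOUNTANT": {"journal_entry", "journal_post"},   # conflicting on its own
    "REPORT_VIEWER": {"financial_reporting"},
}

# Conflict matrix: pairs of functions one person must not be able to perform together.
SOD_CONFLICTS = {
    frozenset({"vendor_master_maintenance", "vendor_invoice_entry"}):
        "create a fictitious vendor and bill against it",
    frozenset({"vendor_invoice_entry", "payment_approval"}):
        "enter an invoice and approve its own payment",
    frozenset({"journal_entry", "journal_post"}):
        "post journals with no independent review",
}


def effective_functions(roles):
    """Union of the functions granted by a set of roles. Unknown roles fail closed."""
    functions = set()
    for role in roles:
        if role not in ROLE_FUNCTIONS:
            raise ValueError(f"unknown role {role!r}: refusing to evaluate the grant")
        functions |= ROLE_FUNCTIONS[role]
    return functions


def find_conflicts(functions):
    """All (function_pair, risk_description) entries fully present in a function set."""
    return [(pair, risk) for pair, risk in SOD_CONFLICTS.items() if pair <= functions]


def check_assignment(current_roles, proposed_role):
    """Evaluate a proposed grant before it is applied.

    Returns what the approver needs: conflicts the user already carries and the
    conflicts this grant would newly introduce. 'approve_ok' is False whenever
    the grant adds a conflict; pre-existing ones are reported but do not block.
    """
    before = find_conflicts(effective_functions(set(current_roles)))
    after = find_conflicts(effective_functions(set(current_roles) | {proposed_role}))
    introduced = [c for c in after if c not in before]
    return {"user_roles": sorted(current_roles), "proposed_role": proposed_role,
            "pre_existing": before, "introduced": introduced,
            "approve_ok": not introduced}
```

In a real deployment the role-to-function map and the conflict matrix would be loaded from the security model and maintained by the business, and the result would be attached to the provisioning request as the audit record.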
Your ERP system contains all your key company data, the "keys to the kingdom". Most companies will experience some type of theft or fraud at some point; it's not a question of if but when. The basic causes include a lack of controls or systems to ensure the protection of your data and key business processes. A good GRC policy will help align business processes to reduce and manage risks while identifying areas of concern and ensuring compliance with laws and regulations.
JD Edwards security can be complex and challenging. A third-party, managed service approach can often help. Many companies will simply not have enough knowledgeable staff to be compliant and fill all the necessary roles of a strong GRC policy. Engaging an experienced third-party partner can create a more complete, compliant, and secure ERP security strategy.