Organizations looking to secure their enterprise resource planning (ERP)'s security defenses are often required to sort through vendor claims of features that are unique to their solution (i.e., leading-edge, disruptive, or other catchy buzz words). Rather than focusing on features and marketing buzz words, organizations should first create a prioritized list of their requirements and then evaluate the solution's capabilities to satisfy those requirements cost-effectively.
Here are seven questions to ask vendors focused on essential capabilities that are based on leading practices from organizations, including Gartner, Forrester, ISO, NIST, COBIT, and COSO. These capabilities should guide every organization's evaluation of ERP application security, risk and compliance solutions and help them understand which features are genuinely the most valuable.
1. Will this Solution Enable Effective Governance & Oversight?
Governance is one of the most overlooked capabilities, yet it can be the root cause of many failed security, risk and compliance programs. Governance is a strategic activity performed by senior executives to define their expectations for the performance of application security, risk and compliance operations. The International Organization of Standards (ISO) provides guidance on establishing effective governance over risk management programs, including establishing, performing and measuring governance efficiency.
There are two key governance capabilities you should be looking for in your application security solutions.
- Effective identity & access management (IAM) and identity governance & administration (IGA) capabilities to monitor attempts to log into the system and user behavior analysis to detect anomalies and threats as they occur at the transaction and data field level within the system.
- Effective policy-based access control (PBAC) capabilities, sometimes called attribute-based access control (ABAC), that allow you to configure policy requirements into the access controls to enable automated policy enforcement. I recommend avoiding solutions that require a one-to-one configuration of PBACs and focusing on those that offer a one-to-many configuration to improve the efficiency of your control configuration and change management effort. PBAC/ABAC could be the most valuable investment, offering the biggest value for the dollar, in your security defense because PBAC/ABAC security models support the Adaptive Security, Zero-Trust, Least Privilege and the Defense in Depth principles discussed below.
2. Does the Solution Enable Zero Trust?
Look for an application security solution based on the zero-trust principle of never trusting and always validating the identity. Zero trust can be enabled in many ways. One is through the use of multi-factor authentication (MFA) when logging into a system, accessing critical transactions and accessing critical data fields. Using layers of MFA is referred to as creating layers of security or defense in depth.
3. Will the Solution Allow Me to Enable Layered Security?
Also known as defense in depth (DiD), layered security enables overlapping layers of controls that typically provide the three control capabilities needed to secure assets: prevention, detection and response. While no individual security control is guaranteed to stop 100% of cyber threats, layered security provides mitigations against a wide variety of threats while incorporating redundancy in the form of compensating controls if one control should fail.
4. Can I Establish a Balanced Defensive Control Capability With this Solution?
The COSO framework is famous globally for its 17 principles of control capabilities that recommend evaluating your application security, risk, and compliance controls framework to ensure you have an adequate balance of predictive, detective and reactive control capabilities. Gartner also recommends leveraging predictive, preventative, detective, and responsive security control capabilities. Look for an application security solution that supports the ability to configure predictive, detective, and reactive access, transaction, and data security controls to effectively comply with compliance regulations. This is typically found in an application security solution established on the policy-based access control (PBAC) security model.
5. Can I Enable Adaptive Security & Control Capabilities?
Adaptive security may be the most valuable defensive capability. The key to the adaptive security model is providing contextual-based controls at the transaction and data field level to enforce policy requirements. Gartner recommends transitioning from static security typically found in a Role-Based Access Control (RBAC) security model to an adaptive security model like Policy-Based Assess Control (PBAC). Unlike RBAC, which grants access based on roles, PBAC grants access based on contextual attributes, which allows for a highly focused approach to transaction and data security that RBAC cannot provide.
6. Can the Solution Help You Understand Your Current Risk Exposure & Vulnerabilities?
The first step in any battle is to assess your defensive capabilities to identify weaknesses that need resolving. This capability ensures you conduct a thorough risk assessment to identify and quantify your potential security risk exposure and then evaluate the design and operating effectiveness of those controls intended to mitigate those risks to identify vulnerabilities that cybercriminals could exploit. Part of this risk assessment should assess your security control environment's capability to detect, prevent, respond, and recover from threat events and your current compliance posture with regulations.
7. Will it Allow Me to Implement a Continuous Improvement Process?
Finally, you should look for a solution that provides you with the capabilities to perform your security risk assessment by continuously monitoring your key risk indicators to detect and respond to anomalies and threats. Look for an artificial intelligence (AI) and machine learning (ML) continuous access risk assessment solution to provide a risk impact analysis and recommend appropriate mitigation actions.
Make Capabilities Based on Leading Practice Standards Your Guide to Choosing the Most Valuable Features
Checking off a list of features and benefits is an important first step to evaluating an ERP application security, risk and compliance solution for your organization. However, features don't necessarily equate to capabilities built on standards and frameworks. Instead, you should be looking for features that align with and enable the capabilities you want from a solution. These seven questions can help you understand which features are genuinely the most valuable and guide you to making a decision that's the most beneficial to your organization.