Ensuring ‘Clean’ Access Security in ERP Environments: Tips from Protiviti

NetSuite Application Security

Managing segregation of duties (SoD) risks is an important consideration for businesses implementing an internal control framework as part of their road map to becoming a public company.

One area where SoD risk can run high is within enterprise resource planning (ERP) environments, unless they are designed from the outset with compliance in mind.

When businesses define security requirements in the early stages of an ERP implementation, upgrade or re-implementation project, they can help ensure an efficient project and a “clean slate,” with security risks mitigated before go-live.

NetSuite ERP application security: in focus

In a recent webinar and white paper, Protiviti — in partnership with Fastpath, a provider of security access and SoD monitoring and compliance solutions — offered recommendations for designing NetSuite ERP application security. NetSuite is one of the leading ERP cloud solutions used by businesses today.

“We share an approach for designing ‘clean security,’” says John Livingood, a director in Protiviti’s ERP solutions practice. “Typically, companies that implement or design security are only thinking about what their users need to perform in a system. They aren’t necessarily keeping in mind different types of financial- and IT-related access risks that can compromise the company.”

Protiviti recommends a “top down” method as the best approach to security design not only for NetSuite, but any ERP environment.

“It starts with developing a series of policies and roles that are relevant to the organization from a financial and IT risk perspective,” Livingood explains.

This initial step toward improvement includes outlining and classifying SoD policies into risk levels, so management can prioritize areas of focus during the build or security remediation phases, he says.

Signs it’s time to assess security design

According to Protiviti’s white paper, organizations that meet any of the following criteria should consider assessing their security design and implementing security monitoring solutions:

  • Organization-specific SoD policies have not been defined, approved by the business, or are outdated.
  • Creation of new roles and/or new role assignments generates a significant number of SoD conflicts requiring remediation or mitigation.
  • A significant number of SoD conflicts exist within the current roles.
  • The ERP environment consists of more roles than users.
  • SoD checks are performed manually — or not performed at all.
  • Automated security monitoring solutions are not in place to support ongoing monitoring of the environment.
  • There is a lack of business involvement in the SoD risk management process.
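As an added example (not code from Protiviti, Fastpath or the white paper), the following Python sketches the checks behind several of the criteria above: SoD policies classified into risk levels, conflicts that only appear once a user’s roles are combined, conflicts built into a single role, and a pre-provisioning preview of what a new role assignment would introduce. The function names, policy pairs and role data are constructed for illustration and do not correspond to NetSuite’s own permissions.

```python
# SoD policies: pairs of functions one person must not hold together, each classified into a
# risk level so management can prioritise remediation. Function names are constructed.
SOD_POLICIES = {
    ("create_vendor", "approve_payment"): "high",
    ("enter_journal", "post_journal"): "high",
    ("create_purchase_order", "receive_goods"): "medium",
}
RISK_ORDER = {"high": 0, "medium": 1, "low": 2}

# Constructed sample data: the functions each role grants and the roles each user holds.
ROLE_FUNCTIONS = {
    "AP_Clerk": {"create_vendor", "enter_invoice"},
    "AP_Manager": {"approve_payment"},
    "Finance_Admin": {"create_vendor", "approve_payment"},  # conflict built into one role
    "GL_Accountant": {"enter_journal"},
    "Controller": {"post_journal", "approve_payment"},
    "Buyer": {"create_purchase_order"},
    "Warehouse": {"receive_goods"},
}
USER_ROLES = {
    "alice": {"AP_Clerk", "AP_Manager"},       # clean roles, conflicting combination
    "bob": {"GL_Accountant"},
    "carol": {"Controller", "GL_Accountant"},  # clean roles, conflicting combination
    "dave": {"Buyer"},
}

def effective_functions(roles, role_functions=ROLE_FUNCTIONS):
    """Union of the functions granted by a set of roles (no roles -> empty set)."""
    return set().union(*(role_functions[r] for r in roles))

def sod_conflicts(user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS, policies=SOD_POLICIES):
    """(user, func_a, func_b, risk) for each policy a user violates across ALL held roles,
    highest risk first. Reviewing roles one at a time would miss alice and carol."""
    hits = [(user, a, b, risk) for user, roles in user_roles.items()
            for (a, b), risk in policies.items()
            if {a, b} <= effective_functions(roles, role_functions)]
    return sorted(hits, key=lambda h: (RISK_ORDER[h[3]], h[0]))

def intra_role_conflicts(role_functions=ROLE_FUNCTIONS, policies=SOD_POLICIES):
    """Conflicts inside a single role; every user who receives that role inherits them."""
    return [(role, a, b, risk) for role, funcs in role_functions.items()
            for (a, b), risk in policies.items() if {a, b} <= funcs]

def preview_assignment(user, new_role, user_roles=USER_ROLES, **kw):
    """Pre-provisioning check: conflicts that granting new_role would newly introduce."""
    held = user_roles.get(user, set())
    before = set(sod_conflicts({user: held}, **kw))
    return sorted(set(sod_conflicts({user: held | {new_role}}, **kw)) - before)
```

Running `preview_assignment` before each new assignment is the automated counterpart of the manual SoD check the list warns about; a role-level hit from `intra_role_conflicts` means the role itself, not the user, needs redesign.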

Getting clean, staying clean

Livingood says that applying leading practices and implementing automated security monitoring solutions can help accelerate the security design process and make it more efficient.

But the work doesn’t stop there. Livingood says any organization that wants to achieve and maintain clean security in its ERP environment, whether it uses NetSuite or another solution, will need to know the governance process required to stay clean. “You can get clean, but you have to maintain it,” he explains.

Among the recommendations from Protiviti for staying clean: establishing provisioning and monitoring processes to maintain the security environment; leveraging governance, risk and compliance (GRC) solutions for automated monitoring of security roles and users; and involving your external auditors in the solution design so they can rely on management’s SoD controls.

Learn more

Follow this link to access the Protiviti and Fastpath webinar, “How to Manage Segregation of Duties in Your NetSuite Environment.”

Visit the Protiviti website to download the companion white paper for this presentation, Designing NetSuite ERP Application Security – Leveraging Fastpath Assure Access Monitoring Solutions.

For additional information on this topic, contact John Livingood at Protiviti.
