This article is part six of a ten-part series that will focus on lessons learned from decades of project and program management within higher education.
Implementing an ERP system in higher education institutions requires a robust focus on security. Protecting sensitive data, maintaining system integrity, and ensuring compliance with regulations are essential for a successful ERP deployment. Security should be addressed at the beginning of a project and throughout the project lifecycle. Here are key points to consider for maximizing security in ERP projects:
Update and Revisit Data Stewardship and Governance
- Access to Data: Clearly define who needs access to what data and why. Establish access levels based on roles and responsibilities. Implement the principle of least privilege so that each person receives only the minimum level of access needed to complete their required responsibilities and job duties.
- Approval Process: Implement a rigorous approval process for data access to ensure only authorized personnel can view or manipulate sensitive information. Don’t forget to include data stores and warehouses in the review and approval process. The same rigor needs to be applied to the ERP application and the reporting environments.
- Data Usage Agreements: Create data usage agreements that outline how data can be used, shared, and protected, ensuring all stakeholders understand their responsibilities.
Vendor Product Security Model
- Different from Legacy Systems: Understand that the security model of the new ERP system is likely different from legacy systems. Adapt to these changes proactively.
- Role-Based Access Control (RBAC): Transition from person-specific access to position-based access. This helps streamline access control and ensures consistency.
- Leveraging New Capabilities: New security capabilities in the ERP system may impact legacy roles. Evaluate and adjust roles and responsibilities accordingly. Make sure to include a review of separation of duties and responsibilities for the new design.
Recommended Security vs. Unit Selection
- Project-Recommended Security: The project team should suggest best practices and recommended security configurations. This approach ensures a consistent application of security policies and best practices. It is advisable to include a security expert on the project team to advise on best practices and standards.
- Unit Selection: Support units in selecting security configurations that align with their specific needs while adhering to overall security standards. This approach provides maximum flexibility but may challenge consistency.
User Acceptance Testing (UAT)
- Security Readiness: Ensure security roles and permissions are ready to support UAT. This includes roles that provide access to sensitive data.
- Testing Access: Review and test access to all aspects of the system, including online access, integrations, internal reports, and external data stores. This helps identify and address any security gaps before full deployment.
Engage Key Stakeholders
- CISO and Internal Audit: Involve the Chief Information Security Officer (CISO), internal audit teams, and executives in the implementation of new policies and restrictions. Their oversight and support are crucial for enforcing security measures.
- Policy Implementation: Collaborate with these stakeholders to implement new policies and restrictions that enhance security without hindering productivity.
Conclusion
By focusing on these critical security aspects during the ERP implementation process, higher education institutions can protect their data, ensure compliance, and build a secure foundation for their new system. Engaging key stakeholders, revisiting data governance, and thoroughly testing security measures will help maximize the lessons learned and contribute to a successful ERP deployment.
About the author:
Christopher (Chris) Mercer has over forty years of experience in higher education, including the last twenty-five years consulting as an Executive Program/Project Director/Manager and other leadership roles. Chris has managed or been engaged in more than four dozen programs/projects during his career.