It has always been an interesting discussion with Auditors regarding
security for small departments with 1 or 2 developers that are also the
Security officers. Who watches the watchers? I have found that the key
element is to have lots of documentation and reports to show what has
changed and why.
Regarding Help Desk tools, we purchased Track-IT from Numara Software (
http://www.numarasoftware.com/Track-It.asp ). We have used it a couple
of years now and are quite happy with the functionality. Our users enter
their own tickets into the system and can check on the status of their
requests all via a web browser. A number of our Sox Controls are handled
via this tool as well as it is our repository of all change request
documentation. In addition, I use it to inventory I.T. assets; track key
software licensing; and to produce reports for monthly and quarterly
management reviews of I.T.
Regards,
Jon Le Roi
Director of I.T.
Tegal Corporation
-----Original Message-----
From: mapics-l-bounces@xxxxxxxxxxxx
[mailto:mapics-l-bounces@xxxxxxxxxxxx] On Behalf Of LeLeux@xxxxxxxxxxxx
Sent: Thursday, July 24, 2008 1:19 PM
To: MAPICS ERP System Discussion
Cc: 'MAPICS ERP System Discussion'
Subject: Re: [MAPICS-L] Change Management
We have the same issue at a location where there is only 1 programmer/gatekeeper, and it's 'manageable' thru 'downstream controls' and mitigating factors:
1. No below senior-level programmer has direct access to payroll, AP, or GL data for update.
2. Inventory reports are emailed weekly to senior management; any sizeable inventory irregularities would be reflected on those reports.
3. Invoice to pack slip match is performed daily by the Accounting Dept. Any irregularities would be reflected in their daily edits.
4. AR lock-box receipts are checked daily (by Accounting Dept) to verify that bank transactions match AR postings. Bank balances are reviewed and reconciled by general accountant monthly.
5. The Accounting Dept. does a monthly audit to verify that all shipments have been invoiced.
6. Checks can only be generated through MAPICS using password protected accounts (Payroll and AP).
7. Payroll can only be posted to XXX Bank by a password controlled account used by Senior Payroll Administrator.
8. Payroll and AP checks can only be processed through XXX Bank by a password controlled account used by Accounting Manager.
9. Both AP & Payroll checks are controlled through the Positive Pay method by which dollar amounts and check numbers are authenticated.
10. Payroll and AP perform reconciliation every month.
And since Dale brought it up...it would also be nice to find a help desk tool that is rich in features and doesn't soak you on annual maintenance.
-----mapics-l-bounces@xxxxxxxxxxxx wrote: -----
To: "'MAPICS ERP System Discussion'" <mapics-l@xxxxxxxxxxxx>
From: "Gindlesperger, Dale" <DGindle@xxxxxxxxxxxx>
Sent by: mapics-l-bounces@xxxxxxxxxxxx
Date: 07/24/2008 12:29PM
Subject: Re: [MAPICS-L] Change Management
I should mention that when we were a publicly traded company, we also had a help desk product, and all project requests went thru the help desk, and there was a cross reference to all of the changed programs. The help desk ticket# was in all programs modified for it, and the programs were listed in the resolution portion of the help ticket. That was our documentation.
And it made MUCH more sense than multiple IDs for the same people, depending if they were running a production job vs. doing programming.
That was deemed satisfactory.
Dale "Cork" Gindlesperger
Link Computer Corporation
-----Original Message-----
From: mapics-l-bounces@xxxxxxxxxxxx
[mailto:mapics-l-bounces@xxxxxxxxxxxx] On Behalf Of Burns, Bryan
Sent: Thursday, July 24, 2008 3:01 PM
To: MAPICS ERP System Discussion
Subject: Re: [MAPICS-L] Change Management
Greg,
I like your solution, I like it a lot! Thanks. And thanks also to
Dale, Nick, Phil, Dave and Greg! Very good input.
Bryan Burns
iSeries Specialist
ECHO, Incorporated
Lake Zurich, Illinois
-----Original Message-----
From: mapics-l-bounces@xxxxxxxxxxxx
[mailto:mapics-l-bounces@xxxxxxxxxxxx] On Behalf Of Greg Wenzloff
Sent: Thursday, July 24, 2008 8:19 AM
To: MAPICS ERP System Discussion
Subject: Re: [MAPICS-L] Change Management
Bryan,
We designated 11 MAPICS files as being financially significant for SOX.
Then we journalled those files.
We run a nightly program to read the journal and list whenever anyone with *allobj authority touches one of them.
If they are touched then justification is required.
The controller signs this daily report.
SOX auditors are OK with this arrangement.
Greg
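A worked illustration of the nightly check Greg describes, added here as example code rather than anything from the thread: it reads journal entries, keeps only changes to the designated files made by profiles that hold *ALLOBJ, and produces the lines the controller would sign off. The journal lines, file names and user profiles are constructed, and the journal entry codes used to mean "record changed" are an assumption.

```python
"""Nightly *ALLOBJ activity check over journaled, SOX-designated files.
Sample data below is constructed; it is not real DSPJRN output."""
from collections import namedtuple

Entry = namedtuple("Entry", "date time user lib file code etype")

# Constructed: the financially significant files (Greg designated 11; three here)
SOX_FILES = {("AMFLIBX", "GLMASTER"), ("AMFLIBX", "APINVOICE"), ("AMFLIBX", "PAYROLL")}
# Constructed: profiles holding *ALLOBJ special authority (the MIS staff)
ALLOBJ_USERS = {"MISUSR1", "MISUSR2", "QSECOFR"}
# Assumed: journal code R with these types means a record was added/updated/deleted
CHANGE_TYPES = {"PT", "UP", "DL"}


def parse_entry(line):
    """Parse one pipe-delimited (constructed format) journal line into an Entry."""
    fields = [f.strip() for f in line.split("|")]
    if len(fields) != 7:
        raise ValueError(f"malformed journal line: {line!r}")
    return Entry(*fields)


def flag_allobj_changes(lines, sox_files=SOX_FILES, allobj_users=ALLOBJ_USERS):
    """Return entries where an *ALLOBJ user changed a designated file."""
    hits = []
    for line in lines:
        if not line.strip():
            continue  # skip blank lines in the extract
        e = parse_entry(line)
        if (e.code == "R" and e.etype in CHANGE_TYPES
                and (e.lib, e.file) in sox_files and e.user in allobj_users):
            hits.append(e)
    return hits


def daily_report(hits):
    """Render the report the controller signs; an empty list means nothing to justify."""
    return [f"{h.date} {h.time} {h.user} changed {h.lib}/{h.file} ({h.etype})"
            f" - justification required" for h in hits]


# Constructed sample extract: date|time|user|library|file|journal code|entry type
SAMPLE_JOURNAL = """\
2008-07-24|02:15:31|ACCTUSR|AMFLIBX|GLMASTER|R|UP
2008-07-24|09:41:07|MISUSR1|AMFLIBX|APINVOICE|R|UP
2008-07-24|09:41:09|MISUSR1|AMFLIBX|APINVOICE|R|UB
2008-07-24|11:02:55|MISUSR2|AMFLIBX|ITEMMAST|R|PT
2008-07-24|16:20:12|QSECOFR|AMFLIBX|PAYROLL|R|DL
""".splitlines()

if __name__ == "__main__":
    for line in daily_report(flag_allobj_changes(SAMPLE_JOURNAL)):
        print(line)
```

Only two of the five sample entries are reported: the accounting user's change is not by an *ALLOBJ profile, the before-image entry is not a change type, and ITEMMAST is not a designated file.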
-----Original Message-----
From: Burns, Bryan [mailto:Bryan_Burns@xxxxxxxxxxxx]
Sent: Thursday, July 24, 2008 9:03 AM
To: MAPICS-L@xxxxxxxxxxxx
Subject: [MAPICS-L] Change Management
We'll be undergoing an internal controls IT audit later this year and like a lot of small shops, our MIS staff has *ALLOBJ special authority in their user profiles. In addition, all our AMFLIBx files have authority for *PUBLIC as *CHANGE. Because our users don't have a command line and we control ODBC updates through an exit point package, *PUBLIC having *CHANGE to files isn't an issue. But the MIS staff having *ALLOBJ to production files and being able to DFU any one of them is an issue.
I believe there're at least 3 ways we can approach this:
1. Implement object level authority. (This is something management really doesn't want to consider).
2. Run a nightly program to GRTOBJAUT of *EXCLUDE for every object in our production libraries for every MIS user profile. In addition, remove *ALLOBJ special authority from the MIS user profiles.
3. Implement a third party package like Authority Broker from the PowerTech Group.
Have any of you had a similar security set-up as we have and had to comply with Sarbanes-Oxley regulations or something similar? If so, I'd like your input on the three approaches above or any other approach you might recommend.
Thanks in advance,
Bryan Burns
iSeries Specialist
ECHO, Incorporated
Lake Zurich, Illinois
_______________________________________________
This is the MAPICS ERP System Discussion (MAPICS-L) mailing list
To post a message email: MAPICS-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/mapics-l
or email: MAPICS-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives at http://archive.midrange.com/mapics-l.