Archive for December, 2009

Data Security 2010: Lessons learned from 2009 and how to move your Internet Retail business into the future

December 3rd, 2009 Pankaj Kumar 1 comment

Data Security has been top of our minds at Ignify. We spent over 18 months strengthening the security for Ignify eCommerce, including taking it through its PCI compliance. I am glad to report that the PCI Standards Council passed Ignify eCommerce on the PA DSS II standard, which makes us the only eCommerce platform that offers integration with mid-market ERPs to have achieved that. Based on my experiences in leading this effort, I came up with some trends and tips that can help you and any business that is looking to sell or is selling online. Some background first – per the DataBreaches website, 2009 is the first year since 2005 in which the number of recorded data breach incidents has actually dropped. If that makes you feel a little more secure, there is a counter side. The same site reports on personal records that have been exposed – 220 million records in 2009 as compared with 35 million in 2008.

There are two important trends to note here. The first: technology advancements (and simplifications) have made breaches increasingly difficult. The second: the people side of the equation, where small entry errors have led to large-scale breaches, is sometimes becoming more difficult to manage than technology issues. The fact is that there are people involved with keeping information secure. It is extremely critical that processes such as immediate access termination when employees leave an organization are well oiled and working at all times.

My prediction is that 2010 will see more breaches due to human errors rather than technology errors. For example, there have been 11 breaches reported on privacyrights.org in November 2009. Out of these 8 breaches are human errors while 3 are technical holes or hacks. 

With a poor economic state and online shopping becoming a necessary tool for tough times, merchant readiness for handling confidential data both on the technology and people front is critical for a successful online presence. As the New Year approaches, it is important to review the lessons learned from the past year and reflect how we can use past trends to correct and innovate data security in 2010.

What have we learned in the past year?

Lesson 1: Be ready to handle confidential data before you turn on the switch

The healthcare industry was attacked with a flurry of data breaches in 2009. Most recently and noticeably, in August, Anthem Blue Cross and Blue Shield of California was involved in a data breach affecting more than 850,000 physicians throughout the United States: critical personal information, such as Social Security, taxpayer ID, and NPI numbers, may have been compromised when a laptop containing sensitive data was stolen in Chicago.

What can we learn from this very basic case of information theft? Anthem and Blue Shield were not prepared to handle confidential data. Carrying secure data on physical media has specialized security needs and merchants should have those processes well tied together. At times, it boils down to simple processes that include how authorization and communication is carried out in an organization.

Technology has matured thanks to collective learning becoming a part of the technology itself; but organizations do not assimilate best practices at the same pace – people unfortunately make mistakes and security mistakes can be fatal to your business.

Once the switch is turned on and systems start humming, there is a human tendency to start focusing on day-to-day operational issues, and data security begins to take a back seat. As a merchant, it's important that you have your people-related systems in place to conduct regular audits and trainings to keep data security in the front. Does it have to be expensive? No. Simple devices such as funny posters on the wall or creative emails do a great job of reminding everyone of the threat.

Lesson 2: Think about Data Security upfront while working on your online initiatives

Whether you are working with a vendor or in-house staff, ensure that you have proven expertise on board. With a vendor this could mean checking if their systems have necessary security certifications. As an example – PCI PA Certification applies to all software vendors handling card data in any form or fashion and the certification body has published information of certified software for public access. For in-house staff, there are a couple of options – SSCP certifications for network administrators and CSSLP certifications for developers.

Using these public initiatives – you can learn about data security and make decisions that have the data security green light.

Lesson 3: If you are an eCommerce merchant, get PCI certified

Over the years, PCI has become a leading authority for merchants to learn about data security threats and the mechanisms to prevent them. As a merchant you can get PCI DSS certified by ensuring that you meet all criteria laid out by the Security Council. The cost of such certifications has been coming down, but they may still be prohibitive for some merchants. In such cases there is a self-assessment available that any merchant can use to ensure that they can handle confidential data.

Treat PCI certification as a fixed asset purchase: it would serve you over a longer period and would get you a benefit – trust of your customers – that has a very definite ROI over a period of time.

Lesson 4: Compliance is not a golden ticket: Secure your systems: once, twice, three times.

In July, Network Solutions LLC, a web hosting firm, announced a data breach of approximately 574,000 individuals' credit card information. The company claimed that it discovered unauthorized code on servers that supported its e-commerce merchants' websites. It was determined that the transaction data of about 4,343 of its merchant websites was breached sometime between March 12, 2009 and June 8, 2009. In a statement released by Network Solutions, the firm claimed to have been violated despite its PCI compliance status.

What can we learn? Being compliant is the minimum bar required to switch on your online systems. Remaining compliant means you work carefully with your team and processes that handle confidential data. Security standards and guidelines are great to learn from, but they are not a solution in themselves. Data security is fast becoming a people problem and not a technology problem. Having the right people in your team to do regular audits and compliance checks becomes a very difficult and expensive lesson to learn after a data breach occurs.

Lesson 5: Be transparent with your customers at all times!

So what if a breach finally happens? What should you do? First thing is to inform everyone who got affected and immediately reach out to law agencies for help.
Anthem was heavily criticized for not notifying the victims of the theft (mostly healthcare providers) in a timely manner. Reports indicated that several states, of the 50 states affected, were not notified until up to two months after the breach, giving cyber criminals more than enough time to wreak a significant amount of damage with your personal information, under the radar.

Transparency is important if a data breach incident occurs. The quicker response you have to a data breach, the faster and easier the issues can be resolved and data can be recovered and/or protected. It is critical that your customers are educated and aware of the dangers of the marketplace. There are free resources that allow consumers to monitor, freeze and simply check their credit status with the three major reporting agencies Equifax, Experian and TransUnion to protect themselves from personal data breaches; putting the power in their own hands.

As a merchant or data custodian, it is your responsibility to educate all affected parties on the steps they can take to avoid the damage.

The future of Data Security: Where do we go from here?

Finally, the law seems to be catching up – with the recent passage of The Data Breach Notification Act (Bill S. 139), introduced in January by Senator Dianne Feinstein, D-Calif., data security has become a hot topic of discussion with all types of businesses. The Data Breach Notification Act will require any federal agency or business entity to notify an individual of a security breach involving personal information without “unreasonable” delay, meaning “any time necessary to determine the scope of the security breach, prevent further disclosures, and restore the reasonable integrity of the data systems and provide notice to law enforcement when required.” The bill also requires that major media outlets notify residents of respective states that are affected by the breach.

A complementary bill to the Data Breach Notification Act also passed concurrently, the Protecting the Privacy of Social Security Numbers Act (Bill S.141), introduced in July by Sen. Patrick Leahy, D-Vt. This bill sets notification requirements and tighter criminal penalties for identity theft and willful concealment of a breach and requires businesses to implement preventive security standards to guard against threats to their databases.

Data Security now has increasing legal ramifications as well. Just the way you would invest in your business to comply with local laws of the land, data security is another investment being made mandatory by law, which is good. The maturity of technology and related people challenges means that merchants of all sizes have to continuously worry about the people they put in charge of keeping the systems secure and handling confidential data.

Let 2010 be a year when you commit to train and educate your people to make your organization ready to handle confidential data. Rework your processes next year to have a continual audit of your systems to make sure that they remain ready. At the end of the day; your processes should NOT be like this one.

Pankaj Kumar is the CTO of Ignify. Ignify is a technology provider of ERP, CRM, and eCommerce software solutions to businesses and public sector organizations. Ignify eCommerce is the only PCI certified eCommerce solution in the market that integrates with the Microsoft Dynamics ERP and Sage ERP solutions.  Ignify has been included as the fastest growing business in North America for 3 years in a row by Deloitte, Inc Magazine and Entrepreneur Magazine.

Dynamics GP 11 Release and Future Roadmap

December 2nd, 2009 Sandeep Walia No comments

Microsoft today announced that Microsoft Dynamics GP 11 will be released to market in May 2010 and provided a roadmap of future versions including Dynamics GP 12 and Dynamics GP 14. Microsoft Dynamics GP v11 provides deeper functionality such as credit card integration, provides a role tailored BI beyond the role center that is there today and provides additional office integration and workflow. Finally – Dynamics GP will provide the ability to email reports and extract the reports to Word. The detailed timeline for the next few months is listed below.

Timeline

Microsoft Dynamics GP 11 will reach General Availability in May 2010.

Release to Manufacturing is scheduled for April.

A partner-ready, beta Virtual PC image will be ready in March.

GP 11 Roadmap

Sandeep Walia is the President & CEO of Ignify. Ignify is a technology provider of ERP, CRM, and eCommerce software solutions to businesses and public sector organizations. Ignify is a Microsoft Dynamics Inner Circle Partner and ranked in the top 18 Microsoft Dynamics partners. Ignify has been included as the fastest growing business in North America for 3 years in a row by Deloitte, Inc Magazine and Entrepreneur Magazine.

General Ledger details in MS Dynamics AX 2009

December 1st, 2009 Madhubabu Rapolu 2 comments

Finance users would like to see both the Account and Offset accounts against each Ledger Voucher in one report. The main financial reports that were available in earlier versions of AX do not show the offset account information against each Voucher. Dynamics AX 2009 with the GLS layer has this new feature in the form of Inquiries and also a Report.

I've documented how you can do this. First you need a few pre-requisites to be set up for this feature to work. The first one is the financial period.

General Ledger > Setup > Periods > Periods

Set up Period names for each period. Example in the screenshot below.

 

General Ledger > Inquiries > Detail Ledger

Select Ledger accounts and Period names.

Detail ledger form shows all the details of each Voucher against selected ledger account in the selected period name.

 

If you want to view the offset account against each Voucher, you can do it by selecting the record and clicking on Offset account button. If you want to view all the details against each ledger account selected above click on Print.

 

Select TW213 in Print layout code and run the report. The report is generated with the required information. This report can be extracted into a txt file and into Excel thereafter.

 

This post is written by Madhubabu Rapolu. Madhubabu is a Business Analyst in the Microsoft Dynamics AX Practice at Ignify. Ignify is a Global Microsoft Dynamics Inner Circle Partner specializing in Dynamics AX for Retail, Distribution, Manufacturing and Chemicals verticals. For help on Microsoft Dynamics ERP email us at dynamics@ignify.com

Multi-level Workflows in Microsoft SharePoint

December 1st, 2009 Sandeep Komalan 1 comment

Workflows are a powerful and yet surprisingly easy to use feature in SharePoint. You can use workflows to manage a business process or any series of tasks required to get a job done. You might use a workflow, for example, to manage expense reporting, manage time sheet or leave applications.

The out-of-the-box SharePoint approval workflow allows you to configure the workflow on a list or on any library. It is pretty straightforward to configure with static approvers, and you can specify when to start and end the workflow.

But if you want your workflow to choose an approver based on some criteria, then things can get a little complex. I have provided a business example of how you can make this happen along with relevant code. Ignify recently implemented a multi-level routing workflow for a non-profit organization serving 24 million members. I have built on our experience from that project and other Microsoft SharePoint Server implementations.

Scenario: You have a leave request application in your SharePoint and the company policy is that a leave request should go to the submitting employee's supervisor for approval.

In the above scenario, the supervisor can be different for each employee. How will you pass this dynamic supervisor information to your approval workflow?

Solution:

  • Determine the GUID or Index value of your approval workflow.
  • Determine the Association data that the workflow requires to start.
  • Modify the Association data to provide appropriate approvers.

Steps :

  1. Configure the approval workflow to the list or a library with some specific values.
  2. Don’t specify the option of starting the workflow when an item is created or modified.
  3. After configuring the other necessary parameters, your list or library is set with an approval workflow.

Now your list or library will have the workflow configured and the workflow will have the association data which we can modify and start the workflow.

Accessing the workflow from code.

One of the biggest developer-focused enhancements in SharePoint is the support for handling server-side events. For example, when a user performs an action that modifies content in a SharePoint site (say, creating or modifying an item in a list), there is an opportunity for a developer to respond to this user action with an event handler that executes server-side logic written in C# or Visual Basic.

So here we will make use of the list events to modify the workflow association data and start the workflow.

Creating a list event:

  1.  Open Visual Studio.
  2.  Create a new project with project type as class library.
  3.  Add a reference to the class library Windows SharePoint Services (Microsoft.SharePoint.dll).

Sample code

Override the ItemAdded event in this scenario because we are going to start the workflow when a leave request is being made.

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Security;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Workflow;
using System.IO;
using System.Diagnostics;

namespace DynamicApproval
{
    public class LeaveApproval : SPItemEventReceiver
    {
        public override void ItemAdded(SPItemEventProperties properties)
        {
            try
            {
                // SPSite and SPWeb objects created here must be disposed.
                using (SPSite objSiteCollection = new SPSite("Your Sharepoint Site URL"))
                using (SPWeb objSPSite = objSiteCollection.OpenWeb())
                {
                    SPList objList = objSPSite.Lists[properties.ListId];

                    // Disabling the event firing during the process.
                    this.DisableEventFiring();
                    objSPSite.AllowUnsafeUpdates = true;

                    SPListItem objLeaveItem = properties.ListItem;
                    string LeaveRequestor = Convert.ToString(objLeaveItem["Employee name filed in the List"]);

                    // Getting the approver from the list where the employee information is maintained.
                    // If you have a well structured Active Directory you can query the AD
                    // and get the respective supervisor of the employee.
                    string Approver = GetApprover(LeaveRequestor);
                    if (string.IsNullOrEmpty(Approver))
                    {
                        // Do not start an approval workflow that has no approver.
                        EventLog.WriteEntry("Starting Workflow", "No approver found for " + LeaveRequestor, EventLogEntryType.Error);
                        return;
                    }
                    // Escape the value before placing it in the XML so that characters
                    // such as & or < cannot break or alter the association data.
                    string safeApprover = SecurityElement.Escape(Approver);

                    // Setting the due date
                    DateTime dt = System.DateTime.Now;
                    DateTime dtnew = dt.AddDays(7);
                    string strDueDate = dtnew.ToShortDateString();

                    // Replace the placeholder with the integer index or the Guid of the association.
                    SPWorkflowAssociation objAssociationTemplate = objList.WorkflowAssociations["Workflow Index or the Association GUID"];

                    // Sample association data.
                    // Association data should be a well structured XML.
                    // Supplying the approver to the association data.
                    // In the same way you can add any number of approvers with a new <my:Person> tag thus making it multi level.
                    string AssociationData = "<my:myFields xml:lang=\"en-us\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:my=\"http://schemas.microsoft.com/office/infopath/2003/myXSD\">\r\n <my:Reviewers>\r\n \r\n <my:Person>\r\n <my:DisplayName>";
                    AssociationData = AssociationData + safeApprover + "</my:DisplayName>\r\n <my:AccountId>" + safeApprover + "</my:AccountId>\r\n <my:AccountType>User</my:AccountType>\r\n </my:Person></my:Reviewers>";
                    AssociationData = AssociationData + "\r\n <my:CC></my:CC>\r\n <my:DueDate xsi:nil=\"false\"></my:DueDate>\r\n <my:Description></my:Description>\r\n <my:Title></my:Title>\r\n <my:DefaultTaskType>1</my:DefaultTaskType>\r\n <my:CreateTasksInSerial>true</my:CreateTasksInSerial>\r\n <my:AllowDelegation>true</my:AllowDelegation>\r\n <my:AllowChangeRequests>true</my:AllowChangeRequests>\r\n <my:StopOnAnyReject>true</my:StopOnAnyReject>\r\n <my:WantedTasks xsi:nil=\"true\"></my:WantedTasks>\r\n <my:SetMetadataOnSuccess>false</my:SetMetadataOnSuccess>\r\n <my:MetadataSuccessField></my:MetadataSuccessField>\r\n <my:MetadataSuccessValue></my:MetadataSuccessValue>\r\n <my:ApproveWhenComplete>true</my:ApproveWhenComplete>\r\n <my:TimePerTaskVal>" + strDueDate + "</my:TimePerTaskVal>\r\n <my:TimePerTaskType xsi:nil=\"true\"></my:TimePerTaskType>\r\n <my:Voting>false</my:Voting>\r\n <my:MetadataTriggerField></my:MetadataTriggerField>\r\n <my:MetadataTriggerValue></my:MetadataTriggerValue>\r\n <my:InitLock>false</my:InitLock>\r\n <my:MetadataStop>false</my:MetadataStop>\r\n <my:ItemChangeStop>false</my:ItemChangeStop>\r\n <my:GroupTasks>true</my:GroupTasks>\r\n</my:myFields>";

                    // Starting the workflow.
                    objSiteCollection.WorkflowManager.StartWorkflow(objLeaveItem, objAssociationTemplate, AssociationData, true);
                }
            }
            catch (Exception ex)
            {
                EventLog.WriteEntry("Starting Workflow", ex.Message, EventLogEntryType.Error);
            }
            finally
            {
                // Turn event firing back on, including when starting the workflow failed.
                this.EnableEventFiring();
            }
        }

        /// <summary>
        /// Getting the supervisor name of the employee from a SharePoint list.
        /// </summary>
        /// <param name="Employee">Name of the employee who submits the leave.</param>
        /// <returns>Login name of the approver.</returns>
        private string GetApprover(string Employee)
        {
            string approver = string.Empty;
            using (SPSite objSiteCollection = new SPSite("Sharepoint Site"))
            using (SPWeb objSPSite = objSiteCollection.OpenWeb())
            {
                SPList objApproverList = objSPSite.Lists["Employee information List Name"];
                SPListItemCollection Collection = objApproverList.Items;
                foreach (SPListItem item in Collection)
                {
                    string EmployeeinList = Convert.ToString(item["Employee Name Field in the List"]);
                    if (EmployeeinList.ToLower().Trim() == Employee.ToLower().Trim())
                    {
                        string Approver = Convert.ToString(item["Approver field Name"]);
                        // The SharePoint list item returns a person or name field in id;Name format,
                        // so we need to find the login name of the approver to submit to the workflow.
                        // The ID is the part of the returned value before the ';'.
                        int approverID = Convert.ToInt32(Approver.Substring(0, Approver.IndexOf(';')));
                        // Will return the user information based on the ID.
                        SPUser user = objSPSite.SiteUsers.GetByID(approverID);
                        if (user != null)
                        {
                            approver = Convert.ToString(user.LoginName);
                        }
                        break;
                    }
                }
            }
            return approver;
        }
    }
}

Register the item added event to your list or library where the workflow is configured.

Now when an employee submits a new leave request, it will select the appropriate supervisor and start the workflow.
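
The sample code's comments note that further <my:Person> entries turn the approval into a multi-level one. As an added example (not part of the original post or Ignify's code), the helper below builds the <my:Reviewers> section for a whole approval chain with System.Xml.Linq, so login names are XML-escaped instead of concatenated into the string. The names ReviewerChain and BuildReviewers, the sample logins, and the rule that a requester may not approve their own request are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Xml.Linq;

// Added example, not from the original post. Class and method names are hypothetical.
public static class ReviewerChain
{
    // InfoPath namespace used by the association data shown in the post.
    private static readonly XNamespace My =
        "http://schemas.microsoft.com/office/infopath/2003/myXSD";

    // Builds <my:Reviewers> with one <my:Person> per approver, in approval order.
    // Assumed policy: the requester may never appear in their own approval chain.
    public static XElement BuildReviewers(string requesterLogin,
                                          IEnumerable<string> approverLogins)
    {
        string requester = (requesterLogin ?? string.Empty).Trim();
        XElement reviewers = new XElement(My + "Reviewers",
            new XAttribute(XNamespace.Xmlns + "my", My.NamespaceName));
        HashSet<string> seen = new HashSet<string>(StringComparer.OrdinalIgnoreCase);

        foreach (string raw in approverLogins)
        {
            string login = (raw ?? string.Empty).Trim();
            if (login.Length == 0)
                throw new ArgumentException("Approval chain contains an empty approver.");
            if (string.Equals(login, requester, StringComparison.OrdinalIgnoreCase))
                throw new ArgumentException("Requester cannot approve their own request.");
            if (!seen.Add(login))
                continue; // approver listed twice: create only one task

            // XElement escapes &, < and > in values, so a login name cannot
            // change the structure of the association data.
            reviewers.Add(new XElement(My + "Person",
                new XElement(My + "DisplayName", login),
                new XElement(My + "AccountId", login),
                new XElement(My + "AccountType", "User")));
        }

        if (!reviewers.HasElements)
            throw new ArgumentException("Approval chain is empty.");
        return reviewers;
    }

    public static void Main()
    {
        // Constructed sample logins; the second contains XML metacharacters.
        string[] chain = { @"CONTOSO\supervisor1", @"CONTOSO\r&d<lead>", @"CONTOSO\hr.manager" };
        XElement reviewers = BuildReviewers(@"CONTOSO\employee7", chain);

        // This string takes the place of the hand-concatenated
        // <my:Reviewers> ... </my:Reviewers> section of the association data.
        Console.WriteLine(reviewers.ToString(SaveOptions.DisableFormatting));
    }
}
```

With <my:CreateTasksInSerial> set to true, as in the post's association data, the approvers receive their tasks in the order they appear in the chain.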

Hope this will help in configuring the out-of-the-box SharePoint approval workflow with dynamic approvers and also to configure any levels with the out-of-the-box approval workflow capabilities rather than creating a new one from scratch.

This post is written by Sandeep Komalan. Sandeep is a Senior Technical Analyst – Web Application in the Microsoft SharePoint Practice at Ignify. Ignify has over 300 person years of SharePoint experience and internally leverages SharePoint as a tool to collaborate across all its offices and for all its projects. For help on SharePoint Services email us at sharepoint@ignify.com