A CASE FOR INFORMATION OWNERSHIPIN ERP SYSTEMS TO ENHANCE SECURITYProf. S.H. von Solms, M.P. HertenbergerRand Afrikaans University, Johannesburg, South AfricaProf. S.H. von SolmsEmail address: basie@rau.ac.zaMobile telephone number: +27 82 553 2436Fax number: +27 (11) 489 2138Postal address: PO Box 524, Auckland Park, 2006, South AfricaM.P. HertenbergerStudent number: 8914123Email address: manfred.hertenberger@sbs.siemens.co.zaMobile telephone number: +27 83 377 0921Fax number: +27 (11) 652 7411Postal address: P.O. Box 2838, Northriding, 2162, South AfricaABSTRACTThis study investigates the lack of information ownership in current Enterprise Resource Planning (ERP) software systems. The purpose is to show how difficult, time consuming and costly the implementation of security within such systems is. The focus is on the investigation of security implementations within well-known ERP software packages such as SAP R/3 and Oracle E-Business Suite. The results of the study indicate that central administration, control and management of security within the ERP systems under investigation weaken security. It was concluded that central administration of security should be replaced by a model that distributes the responsibility for security to so-called information owners. Such individuals hold the responsibility for processes and profitability within an organization. Thus, they are best suited to decide who has access to their data and how their data may be used. Information ownership, coupled with tight controls can significantly enhance information security within an ERP system.KEY WORDSDatabase security; security policy; misuse detection; authentication; information flow.