Itar (us)

We are considering what would happen if foreign company were added to our instance of Epicor.

Since Epicor ERP is not really an engineering system, what are the regulatory risks of letting non-us persons access the data? An export happens when a non-us person looks at some information like a custom print, CAD, firmware or work instructions and can glean clues as to how a military article is made. This is not to be confused with classified information which is totally another level.

In Epicor all of those are links to our file server so nobody from the outside can get to them.

The only thing I can think of that could be considered an export is bills of materials.

I realize from a user perspective it’s easy to compartmentalize into separate companies. What about administrators? Is there a way to prevent them from pulling an ITAR Bill of Materials?

One of the things that I always question is are there any comments on your BOO that would provide information. It is not always just the documentation, it can be what users add into the system too.

We are ITAR regulated, and outsider access to our data is strictly prohibited.

If you have multiple companies in Epicor, you can restrict access to different companies by user. You can’t add a new company to yourself, even if your user is a Security Manager, I believe.

If the foreign person has a user account on the ITAR regulated company, and the user account is a Security Manager, then they can modify access as desired (through menu maintenance, add/remove access groups to their account, etc…)