The EDUCAUSE/Internet2 Computer and Network Security Task Force consulted with IT security professionals on campus about concerns with the current state of security in enterprise resource planning (ERP) systems. From these conversations, it was clear that security issues generally fell into one of two areas: (1) It has become extremely difficult to understand how to securely configure an ERP system and the myriad of products purchased to integrate with it; (2) The overhead of managing access and authorization roles--for both the ERP and third-party software integrated with the ERP--is huge. Given the concerns of security professionals on campus and the growing number of policies requiring certification before an ERP system can be purchased, members of the task force wondered if ERPs in use on the majority of campuses today could pass a stringent security review. The task force proposed developing a checklist of effective practices for ERP security. Such a checklist would provide guidance to ERP vendors about the security features that are most important to higher education and to higher education security and administrative systems professionals for both the product-evaluation and system-configuration phases of implementing an ERP. The task force organized the checklist into four subsections: (1) Questions for Similar Institutions; (2) Sample Work Products and Other Documentation; (3) Vendor Security Certification; and (4) Integrated Third-Party Products. Within each subsection, the deal killers are listed first, as the "must-have" features, followed by the desired features. The author suggests that the institution and the vendor need to work closely to ensure that ERP security considerations are understood and addressed, resulting in an ERP implementation that reliably meets the project's goals while effectively safeguarding the vast amounts of sensitive information contained in such systems.