Separation of duties and IT security
Separation of duties, also known as Segregation of duties, is the concept of having more than one person required to complete a task. It is a key concept of internal controls and is the most difficult and sometimes the costliest one to achieve. The idea is to spread the tasks and privileges for security tasks among multiple people. No one person should do everything.
Separation of duties is already well-known in financial accounting systems. Companies of all sizes understand not to combine roles such as receiving checks and approving write-offs, depositing cash and reconciling bank statements, approving time cards and having custody of pay checks, and so on.
The concept of Separation of duties became more relevant to the IT organization when regulatory mandates such as Sarbanes-Oxley (SOX) and the Gramm-Leach-Bliley Act (GLBA) were enacted. A very high portion of SOX internal control issues, for example, come from or rely on IT. This forced IT organizations to place greater emphasis on Separation of duties across all IT functions, especially security.
What is Separation of Duties?
Separation of duties, as it relates to security, has two primary objectives. The first is the prevention of conflict of interest (real or apparent), wrongful acts, fraud, abuse and errors. The second is the detection of control failures, including security breaches, information theft and circumvention of security controls. Correct Separation of duties is designed to ensure that individuals do not have conflicting responsibilities and are not responsible for reporting on themselves or their superior.
There is an easy test for Separation of duties.
- Can any one person alter or destroy your financial data without being detected?
- Can any one person steal or exfiltrate sensitive information?
- Does any one person have influence over controls design, implementation and reporting of the effectiveness of the controls?
The answers to all these questions should be “no.” If the answer to any of them is “yes,” then you need to rethink the organization chart to align with proper Separation of duties. In addition, the individual responsible for designing and implementing security must not be the same person that is responsible for testing security, conducting security audits or monitoring and reporting on security. Likewise, the person responsible for information security should not report to the CIO. The reason for this is that the CIO has a vested interest in having the rest of the C-Level staff believe that there are no cybersecurity issues. Anything that is discovered by the tester has the potential to be swept under the rug and not addressed as quickly as it should be. Best industry practice is that the person testing your cybersecurity should not be a member of your organization. They should be a disinterested third party.
Here are a few possible ways to accomplish proper Separation of duties:
- Have the individual responsible for information security report to chairman of the audit committee.
- Use a third party to monitor security, conduct surprise security audits and security testing.
- Have an individual (CISO) responsible for information security report to the board of directors.
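The three-question test and the conflicting pairs named above can be checked mechanically against a role assignment rather than by eye. The following is an added example, not code from the article or from DNV GL: the duty names come from the conflicting pairs the article lists, while the role names, the assignments and the reporting lines are constructed sample data.

```python
"""Separation-of-duties (SoD) conflict check over a role assignment.

Two checks: (1) one person whose roles combine a conflicting duty pair,
and (2) a person whose duty is to check a duty held by their own manager
(the article's "reporting on their superior" case, e.g. CISO under CIO).
"""

# Duty pairs the article says must never rest with one person.
CONFLICTS = {
    frozenset(p) for p in [
        ("receive_checks", "approve_writeoffs"),
        ("deposit_cash", "reconcile_bank_statements"),
        ("approve_timecards", "custody_of_paychecks"),
        ("design_security", "test_security"),
        ("implement_security", "test_security"),
        ("implement_security", "audit_security"),
        ("implement_security", "report_on_security"),
    ]
}

# Roles grant duties. Role names are assumptions made for this example.
ROLES = {
    "ap_clerk": {"receive_checks", "deposit_cash"},
    "controller": {"approve_writeoffs", "reconcile_bank_statements"},
    "security_engineer": {"design_security", "implement_security"},
    "security_auditor": {"test_security", "audit_security"},
    "soc_lead": {"report_on_security"},
}

def duties_of(roles):
    """Union of the duties granted by a collection of roles."""
    return set().union(*(ROLES[r] for r in roles))

def person_conflicts(assignments):
    """Map each person to the sorted conflicting duty pairs their roles combine."""
    found = {}
    for person, roles in assignments.items():
        held = duties_of(roles)
        bad = sorted(tuple(sorted(p)) for p in CONFLICTS if p <= held)
        if bad:
            found[person] = bad
    return found

def reporting_conflicts(assignments, reports_to):
    """List (person, manager, pair) where one side of a conflicting pair is
    held by the person and the other by the manager they report to."""
    found = []
    for person, boss in reports_to.items():
        mine = duties_of(assignments[person])
        theirs = duties_of(assignments.get(boss, ()))
        for pair in CONFLICTS:
            a, b = tuple(pair)
            if (a in mine and b in theirs) or (b in mine and a in theirs):
                found.append((person, boss, tuple(sorted(pair))))
    return sorted(found)

# Constructed sample: alice holds both cash and reconciliation roles,
# and the auditor carol reports to the engineer whose work she audits.
ASSIGNMENTS = {
    "alice": {"ap_clerk", "controller"},
    "bob": {"security_engineer"},
    "carol": {"security_auditor"},
    "dave": {"soc_lead"},
}
REPORTS_TO = {"carol": "bob", "alice": "dave"}
```

Running `person_conflicts(ASSIGNMENTS)` flags alice for both accounting pairs, and `reporting_conflicts(ASSIGNMENTS, REPORTS_TO)` flags carol reporting to bob on all three security pairs; an empty result on both is the "all answers are no" outcome of the test above.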
The importance of Separation of Duties for security
The issue of Separation of duties in security continues to be significant. It is imperative that there be separation between operations, development and testing of security and all controls to reduce the risk of unauthorized activity or access to operational systems or data. Responsibilities must be assigned to individuals in such a way as to mandate checks and balances within the system and minimize the opportunity for unauthorized access and fraud.
Remember, control techniques surrounding Separation of duties are subject to review by external auditors. Auditors have in the past listed this concern as a material deficiency on the audit report when they determine the risks are great enough. It is just a matter of time before this is done as it relates to IT security. For this reason, as well as objectivity, why not discuss separation of duties as it relates to IT security with your external auditors? It can save you a lot of aggravation, cost and political infighting by getting what they view as necessary in your case.
DNV GL has helped companies implement Separation of duties policies and procedures and has also performed audits to assure that procedures are being followed. Also, we have a team of cybersecurity professionals that can come into your organization to test your cybersecurity through vulnerability assessments and penetration testing. If you would like more information about the services we can offer you, please contact me.