Separation of duties (SoD) is a key concept of internal controls. It is achieved by distributing the tasks and associated privileges for a specific security process among multiple people.
The term SoD is widely used in financial accounting systems. Companies of all sizes understand the importance of not combining roles such as receiving checks (payment on account), approving write-offs, depositing cash and reconciling bank statements, approving time cards, and having custody of paychecks.
Separation of duties is a common policy when people are handling money so that fraud requires collusion of two or more parties. This greatly reduces the likelihood of crime. Information should be handled in the same way. It is therefore imperative that an organization be designed so that no person acting alone can compromise security controls.
SoD is fairly new to the IT organization, but it's not a surprise that concerns are being raised about separation of duties in IT, given that a very high proportion of Sarbanes-Oxley Act internal control issues come from or rely on IT. Separation of duties is a fundamental principle of many regulatory mandates such as Sarbanes-Oxley and the Gramm-Leach-Bliley Act. As a result, IT organizations must now place greater emphasis on separation of duties across all IT functions, especially security.
Separation of duties, as it relates to security, has two primary objectives. The first is the prevention of conflict of interest, the appearance of conflict of interest, wrongful acts, fraud, abuse and errors. The second is the detection of control failures that include security breaches, information theft and circumvention of security controls. (Security controls are measures taken to safeguard an information system from attacks against the confidentiality, integrity and availability of computer systems, networks and the data they use.)
Separation of duties restricts the amount of power or influence held by any individual. It also ensures that people don't have conflicting responsibilities and are not responsible for reporting on themselves or their superiors.
There is an easy test for separation of duties. First, ask if any one person can alter or destroy your financial data without being detected. Then ask if any one person can steal or exfiltrate sensitive information. Finally, ask if any one person has influence over controls design and implementation as well as over reporting of the effectiveness of the controls. If the answer to any of these questions is yes, then you need to take a hard look at the separation of duties.
The individual responsible for designing and implementing security can't be the same person as the person responsible for testing security, conducting security audits, or monitoring and reporting on security. Therefore, the individual responsible for information security should not report to the chief information officer.
There are five primary options for achieving separation of duties in information security. This list is in order of acceptability based on my experience.
- Option 1: Have the individual responsible for information security report to the chief security officer, who takes care of information and physical security. Have the CSO report directly to the CEO.
- Option 2: Have the individual responsible for information security report to the chairman of the audit committee.
- Option 3: Use a third party to monitor security, perform surprise security audits and do security testing, and have that party report to the board of directors or the chairman of the audit committee.
- Option 4: Have the individual responsible for information security report to the board of directors.
- Option 5: Have the individual responsible for information security report to internal audit as long as internal audit does not report to the executive in charge of finances.
The issue of separation of duties is growing in importance. A lack of clear and concise responsibilities for the CSO and chief information security officer has fueled confusion. It is imperative that there be separation between the development, operation and testing of security and all controls. Responsibilities must be assigned to individuals in such a way as to establish checks and balances within the system and minimize the opportunity for unauthorized access and fraud.
Remember, control techniques surrounding separation of duties are subject to review by external auditors. Auditors have in the past listed SoD failures as a material deficiency on audit reports when they determine the risks are great enough. It is just a matter of time before this is done for IT security, so why not have a discussion about separation of duties with your external auditors now? Getting their views early can save you a lot of cost and political infighting.
Kevin G. Coleman is a 15-year veteran of the computer industry. A Kellogg School of Management executive scholar, he was the former chief strategist of Netscape Communications Corp. He is now a senior fellow at The Technolytics Institute Inc., an executive think tank.
This story, "The key to data security: Separation of duties," was originally published by CSO.