Industry View
Separation of Duties and IT Security
Muddied responsibilities create unwanted risk. Kevin Coleman says auditors may start labeling poorly defined IT duties as a material deficiency.
By Kevin Coleman, Technolytics Institute
Separation of duties is a common policy when people are handling money, so that fraud requires the collusion of two or more parties. This greatly reduces the likelihood of crime. Information should be handled in the same way. Separation of duties as it relates to information systems is not just a possible Sarbanes-Oxley issue but is a requirement for PCI compliance as well. It is therefore imperative that an organization's structure be designed such that no individual acting alone can compromise security controls. There are five primary options for achieving separation of duties in the information security space. This list is in order of acceptability based on my experience.
Option 1: Have the individual responsible for information security report to the CSO (chief security officer), who takes care of both information security and physical security, and have the CSO report directly to the CEO.
Option 2: Have the individual responsible for information security report to the Chairman of the Audit Committee.
Option 3: Use a third party to monitor security, conduct surprise security audits and security testing, and report to the Board of Directors or the Chairman of the Audit Committee.
Option 4: Have the individual responsible for information security report to the Board of Directors.
Option 5: Have the individual responsible for information security report to internal audit, as long as internal audit does not report to the executive in charge of finances, such as the CFO.
The issue of separation of duties is growing in importance. A lack of clear and concise responsibilities for the CSO and CISO has fueled confusion. It is imperative that there be separation between operations, development and testing of security and all controls to reduce the risk of unauthorized activity or access to operational systems or data. Responsibilities must be assigned to individuals in such a way as to mandate checks and balances within the system and minimize the opportunity for unauthorized access and fraud.
Remember, control techniques surrounding separation of duties are subject to review by external auditors. Auditors have in the past listed this concern as a material deficiency on the audit report when they determined the risks were great enough. It is just a matter of time before this is done as it relates to IT security. For these reasons, as well as for objectivity, why not have a discussion about separation of duties as it relates to IT security with your external auditors? Learning what they view as necessary in your particular case can save you a lot of aggravation, cost and political infighting.