Separation of duties and IT security

Muddied responsibilities create unwanted risk and conflicts of interest. New regulations such as GDPR now require that you pay more attention to roles and duties on your security team.

Separation of duties (SoD) is a key concept of internal controls and is the most difficult and sometimes the most costly one to achieve. This objective is achieved by disseminating the tasks and associated privileges for a specific security process among multiple people.

SoD is already well-known in financial accounting systems. Companies of all sizes understand not to combine roles such as receiving checks (payment on account) and approving write-offs, depositing cash and reconciling bank statements, approving time cards and have custody of pay checks, and so on.

The concept of SoD became more relevant to the IT organization when regulatory mandates such as Sarbanes-Oxley (SOX) and the Gramm-Leach-Bliley Act (GLBA) were enacted. A very high portion of SOX internal control issues, for example, come from or rely on IT. This forced IT organizations to place greater emphasis on SoD across all IT functions, especially security.

Now a new regulatory mandate, the EU’s General Data Protection Regulation (GDPR), set to take effect in May 2018, will require the C-suite to take a hard look at how its corporate organization charts support the new regulation and possibly re-think how required SoD will ensure GDPR compliance and pass audit.

What is SoD?

SoD, as it relates to security, has two primary objectives. The first is the prevention of conflict of interest (real or apparent), wrongful acts, fraud, abuse and errors. The second is the detection of control failures that include security breaches, information theft and circumvention of security controls. Correct SoD is designed to ensure that individuals don't have conflicting responsibilities or are not responsible for reporting on themselves or their superior. 

There is an easy test for SoD. First, ask if any one person can alter or destroy your financial data without being detected. Second, ask if any one person can steal or exfiltrate sensitive information. Third, ask if any one person has influence over controls design, implementation and reporting of the effectiveness of the controls. The answers to all these questions should be “no.” If the answer to any of them is “yes,” then you need to rethink the organization chart to align with proper SoD. 

[Related: General Data Protection Regulation (GDPR) requirements, deadlines and facts]

Moreover, the individual responsible for designing and implementing security must not be the same person as the person responsible for testing security, conducting security audits or monitoring and reporting on security. The reporting relationship of the individual responsible for information security should no longer be to the CIO, as has traditionally been the case. 

Here are a few possible ways to accomplish proper SoD: 

  • Have the individual responsible for information security report to chairman of the audit committee. 
  • Use a third party to monitor security, conduct surprise security audits and security testing. They report to the board of directors or the chairman of the audit committee. 
  • Have an individual (CISO) responsible for information security report to the board of directors. 
  • Have the individual (CISO) responsible for information security report to internal audit as long as internal audit does not report to the executive in charge of finances like the CFO. 

To continue reading this article register now

The 10 most powerful cybersecurity companies