IT Security Best Practices: Segregation of Duties

December 4, 2015 at 11:35 AM

We hear the phrase “Segregation of Duties” quite a bit when we talk about IT Security. One reason it is talked about so much, and why it ultimately matters, is that the risks associated with Segregation of Duties often go unnoticed until they are properly risk assessed and remediated. Let’s start by defining what Segregation of Duties means and then use a simple analogy to illustrate the point. First, the American Institute of Certified Public Accountants (AICPA) defines Segregation of Duties as the “shared responsibilities of key processes that disperses the critical functions of that process to more than one person or department.” That’s certainly a mouthful, so let’s break it down into an analogy that we have all seen and can understand.

If you’re anything like me, you love political dramas about the President of the United States or other high-ranking cabinet officials. In a recent episode of the CBS drama Madam Secretary, the Secretary of State was appointed President of the United States on an interim basis. One of the scenes shows a high-ranking General with the briefcase that contains the access codes for the United States nuclear weapons (the same one that is sometimes handcuffed to high-ranking military personnel in other TV shows). The interim President is given the access card required to activate the controls. Imagine for a moment if the President were given the briefcase, the access card, and the access codes to launch these nuclear weapons. What would happen? Obviously we hope that nothing would happen; however, having the Military General carry the briefcase and the President carry the access card is a Segregation of Duties. They have dispersed the critical functions of the process of launching nuclear weapons across multiple people so that no one person can act alone and make that decision. This might be an extreme example, and by now you have read 311 words and are wondering what this has to do with Information Security, right? Read on.

In a large organization, Segregation of Duties is easier to accomplish because more people and resources are likely to be available. But what about a small business that only has 5 people in its IT Department? What happens when Segregation of Duties is not possible due to a lack of resources? This is where the concept of compensating controls comes into play. Without going too far into this topic, compensating controls are controls an organization implements when a legitimate technical or business constraint prevents it from meeting a requirement directly, so that the risk associated with that requirement is still sufficiently mitigated through other controls. Here is a brief list of some of the compensating controls, taken from the CISA Review Manual, that might make sense for your organization:

  • Audit Trails – This allows the organization or IT Auditor to recreate the transaction from origination to its current state.
  • Reconciliation
  • Exception Reporting
  • Transaction Logs – Either Automated or Manual
  • Supervisory Reviews
  • Independent Reviews

So how do you know whether you are properly segregating the duties within your organization, or whether you might need to implement compensating controls? First, look at your organization and what your employees are responsible for. Everyone has to wear multiple hats and take on multiple roles in a small business, but if your VP of Operations is also your Information Security Officer and your Compliance Officer, that could be a red flag that you need to segregate some of these duties and/or implement compensating controls. Second, you might want to consider having an IT Risk Assessment completed by an independent third party. This will give you an objective view of your organization, the potential conflicts that arise from your structure, and recommendations on compensating controls to implement to mitigate those risks and conflicts.
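The review described above can be turned into a repeatable check: list who holds which roles, define which role pairs conflict, and produce an exception report showing which conflicts are covered by a documented compensating control and which are not. The following script is an added example, not code from this post or from Compass IT Compliance; the people, roles, conflict matrix and compensating-control register are all constructed, illustrative data, and the role pairs chosen as conflicts are an assumption for demonstration rather than an authoritative matrix.

```python
"""Segregation-of-duties conflict check with an exception report.

Added example (not from the original post). All names, roles and the
conflict matrix below are constructed sample data.
"""
from itertools import combinations

# Constructed: person -> set of roles held in a hypothetical 4-person IT shop.
ASSIGNMENTS = {
    "alice": {"VP Operations", "Information Security Officer", "Compliance Officer"},
    "bob": {"Systems Administrator", "Backup Operator"},
    "carol": {"Developer", "Change Approver"},
    "dave": {"Help Desk"},
}

# Assumed conflict matrix: role pairs that one person should not hold together.
CONFLICTS = {
    frozenset({"VP Operations", "Information Security Officer"}),
    frozenset({"Information Security Officer", "Compliance Officer"}),
    frozenset({"Developer", "Change Approver"}),
    frozenset({"Systems Administrator", "Security Log Reviewer"}),
}

# Constructed register of documented compensating controls, keyed by the
# conflicting pair they cover (control types as listed in the post above).
COMPENSATING = {
    frozenset({"VP Operations", "Information Security Officer"}): [
        "Independent Review (annual third-party IT risk assessment)",
    ],
    frozenset({"Information Security Officer", "Compliance Officer"}): [
        "Supervisory Review (board audit committee sign-off)",
    ],
}


def find_conflicts(assignments, conflicts):
    """Return {person: [(role_a, role_b), ...]} for every person holding a
    conflicting pair. Pairs are sorted so output is deterministic."""
    found = {}
    for person, roles in sorted(assignments.items()):
        pairs = [
            (a, b)
            for a, b in combinations(sorted(roles), 2)
            if frozenset((a, b)) in conflicts
        ]
        if pairs:
            found[person] = pairs
    return found


def exception_report(assignments, conflicts, compensating):
    """One row per conflict: who, which roles, and whether a compensating
    control is on record for that pair."""
    report = []
    for person, pairs in find_conflicts(assignments, conflicts).items():
        for a, b in pairs:
            controls = compensating.get(frozenset((a, b)), [])
            report.append({
                "person": person,
                "roles": (a, b),
                "status": "COMPENSATED" if controls else "UNMITIGATED",
                "controls": controls,
            })
    return report


def unmitigated(assignments, conflicts, compensating):
    """The rows that need either a reassignment or a new compensating control."""
    return [
        row for row in exception_report(assignments, conflicts, compensating)
        if row["status"] == "UNMITIGATED"
    ]


if __name__ == "__main__":
    for row in exception_report(ASSIGNMENTS, CONFLICTS, COMPENSATING):
        roles = " + ".join(row["roles"])
        detail = "; ".join(row["controls"]) or "no compensating control on record"
        print(f"{row['status']:12} {row['person']:6} {roles}: {detail}")
```

Running it lists three conflicts: the two involving alice are marked compensated because a control is on record for each pair, while carol holding both Developer and Change Approver is reported as unmitigated. In practice the assignment list would be exported from your directory or ticketing system rather than typed in, and the report itself is an instance of the Exception Reporting control from the list above.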

For more information on how Compass IT Compliance can assist your organization in that process, contact us. Also download our IT Risk Assessment and IT Audit brochure to learn more about the services that we offer!
