Topic
Implementing security policies in an organization requires separation of duties when it comes to the IT staff. What does this concept mean and how do organizations ensure they are compliant?
Instructions
1) APA format
2) References
3) Body Citations
4) No Plagiarism
5) 350 words
6) 2 responses (each 150 words)
Response#1(Venkatesh)
Separation of duties (SoD) refers to an internal control framework used to prevent errors and fraud by ensuring that a task has two individuals responsible (Rouse, 2014). As such, this approach ensures that a task gets broken down to parts that an individual can accomplish its requirements. The key objectives of this approach are, first, to prevent conflict of interest, and secondly, improve the ability to detect control failures including security breaches, theft of information and bypassing security controls (Behr & Coleman, 2017). The approach improves security and breaks down tasks to obtain different components. Nevertheless, it can impact negatively on the efficiency of the business, increase costs, and complexity alongside staffing necessities. Therefore, the implementation of this approach is subject to the vulnerability of an organization and other essential aspects of the business.
The organization should undertake several measures to ensure that they comply with the separation of duties. First, they should undertake data discovery as well as a classification that helps to determine the location of sensitive data alongside assessing levels of risk to integrity, availability and confidentiality (Imperva, 2020). Secondly, it is prudent to identify an individual, group or roles that can help to encrypt, alter, or destroy important data intentionally or accidentally, filtrate sensitive information, and influence design, and testing as well as implementation and sensitive data reporting. Compliance to the separation of duties should ensure that they create a matrix or risk map. Lastly, the organization should execute controls used to separate duties based on the developed matrix mentioned above. As such, the least privilege principle should be used in the process to allow for the completion of the tasks. This will help the organization to operate with compliance assurance.
Reponse#2(Rhoini)
Separation of duties (SoD) is a major part of the internal controls and is the most difficult and sometimes the costliest one to achieve. The objective of the SoD is achieved by disseminating the tasks and associated privileges for a specific security process among different people. SoD is well known in the financial accounting systems. Organizations of all sizes understand not to combine roles such as receiving checks of payments and accounts and approving write-offs, depositing cash and reconciling bank statements, approving time cards and have custody of the pay checks.
The SoD became more relevant to the IT organization when regulatory mandates such as GrammLeach-Bliley and Sarbanes-Oxley(SOX) were enacted. A high portion if SOX internal control issues, for example come from or rely on IT. This forced IT organizations to place greater emphasis on SoD across all IT functions, especially security. Some of few possible ways to accomplish proper SoD:
- Use a third party to monitor security, conduct surprise security audits and security testing. They report to the board of directors or the chairman of the audit committee.
- Have the individual responsible for information security report to chairman of the audit committee.
- Have an individual (CISO) responsible for information security report to the board of directors.
- CISO responsible for information security report to internal audit as long as internal audit does not report to the executive in charge of finances like the CFO.
SoD is a control and as such should be viewed within the frame of risk management activities. This key element must be kept in mind when assessing potential conflicts and designing rules. Processes must be thoroughly analyzed and some choices have to be made to detect and resolve potential conflicts. If any conflicts are left, some compensating control must be put in place to properly manage the associated risk.
