What to Include in a Segregation of Duties Policy
Every level of the organization needs its own roles and duties clearly defined, from the most junior intern up to the executive officers. Particular attention goes to the information technology staff, because these users and administrators have access to the very bits, bytes and hardware on which sensitive data reside: a system administrator can read everyone's e-mail, a database administrator has direct access to the tables holding customer information, and a user may be granted root privileges on financial systems.
Physical access: Determine which employees have physical access to the data center, and log the entry and exit of every authorized employee.
Define logical ownership: Every server, network device and other piece of the infrastructure has a business owner. Servers fall under the ownership of the system administrators, but the applications running on those servers have owners too: webmasters own the web server application, Human Resources owns the HR applications, and so on.
Classify data access: Establish sensitivity levels such as top secret, secret and unclassified, and define which users may access data at each level. Enforce those levels with mandatory access control where the classification must not be overridable by individual data owners, and with discretionary access control lists where owners may grant access themselves; in either case, log user activity around that data.
Define compensating controls: Smaller organizations need compensating controls where too few staff are available to split conflicting duties, so that one person must hold access to sensitive servers and data that a larger organization would divide among several people. Collection and regular review of log data let the organization track what that person actually did with the access. Change audit software helps maintain the integrity of critical files and directories by detecting modifications that the log review can then be checked against.
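The change-audit control above, as an added example that is not part of the original article: a minimal file-integrity baseline and comparison in Python. It records a SHA-256 digest, size and permission bits for every regular file under a directory, then reports files that were added, removed, modified or whose mode changed. The directory tree, file names and contents are constructed in a temporary directory so the script runs offline; a real deployment would store the baseline somewhere the monitored administrator cannot write to.

```python
"""Minimal file-integrity baseline and comparison (a compensating control).

Added example, not from the original article. Assumes the critical files live
under one directory tree; the demo builds a constructed temporary tree with
made-up file contents so it runs offline.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record digest, size and permission bits for every regular file under root.

    Keys are paths relative to root so one baseline can be compared across
    hosts with the same layout. Symlinks are skipped: hashing their targets
    would let someone hide a change behind a link that points elsewhere.
    """
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue
            st = path.stat()
            baseline[str(path.relative_to(root))] = {
                "sha256": hash_file(path),
                "size": st.st_size,
                "mode": st.st_mode & 0o7777,
            }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences as added, removed, modified or mode_changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified, mode_changed = [], []
    for rel in sorted(set(baseline) & set(current)):
        if baseline[rel]["sha256"] != current[rel]["sha256"]:
            modified.append(rel)          # content differs
        elif baseline[rel]["mode"] != current[rel]["mode"]:
            mode_changed.append(rel)      # same content, permissions differ
    return {"added": added, "removed": removed,
            "modified": modified, "mode_changed": mode_changed}


def demo() -> dict:
    """Constructed scenario: baseline a tree, tamper with it, report the drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        # Constructed file contents; hypothetical, not real system files.
        (root / "etc" / "sudoers").write_text("root ALL=(ALL) ALL\n")
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "sudoers").chmod(0o640)
        (root / "etc" / "passwd").chmod(0o644)
        baseline = build_baseline(root)

        # Simulate changes a single all-powerful administrator could make.
        with (root / "etc" / "sudoers").open("a") as fh:
            fh.write("dba ALL=(ALL) NOPASSWD: ALL\n")      # extra privilege grant
        (root / "etc" / "passwd").chmod(0o666)             # loosened permissions
        (root / "etc" / "shadow.bak").write_text("copy\n")  # new, unexpected file

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

Each reported path is a lead for the log review: the entry should be matched against a change ticket and the access logs showing who touched the file, which is exactly the cross-check a single administrator's unsupervised access otherwise lacks.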