Why Segregation of Duties is Critical
Segregation of duties (SoD) policies provide logical and physical security controls around an organization's sensitive data and improve the security and compliance posture of its IT infrastructure. Segregation of duties combines the assignment of specific rights and permissions to users with defined processes through which sensitive tasks are carried out. The goal is to ensure that no single person can complete a fraudulent or malicious action without a second party being involved. For example, an administrator who requests a change to a file system cannot be the same person who approves the change.
U.S. public companies are subject to regulations such as Sarbanes-Oxley, healthcare organizations to HIPAA, and any company that accepts payment cards to the Payment Card Industry Data Security Standard (PCI DSS), which requires sufficient security and controls around cardholder data to prevent loss from external or internal causes.
IT auditors analyze these controls and processes to ensure that duties and roles are properly segregated and that management oversight of both the processes and the users is present.
What to Include in a Segregation of Duties Policy
Every level of the organization needs its roles and duties clearly defined, from the newest intern up to the executive officers. Particular attention is paid to the information technology staff, because these users and administrators have access to the very bits, bytes and hardware on which sensitive data reside: a system administrator can read users' e-mail, a database administrator has direct access to the tables containing customer information, and a user granted root privileges on a financial system can alter anything on it.
Physical access: Determine which employees have physical access to the data center, and log the entry and exit of authorized employees.
Define logical ownership: Every server, network device or other piece of the infrastructure has a business owner. Servers fall under the ownership of the system administrators, but the applications running on those servers have owners too: webmasters own the web server application, Human Resources owns any HR applications, and so on.
Classify data access: Establish levels of sensitivity, such as top secret, secret and unclassified, and define which users may access data at each level. Implement mandatory or discretionary access controls as appropriate and log user activity around that data.
Define compensating controls: Smaller organizations, where too few people are available to fully separate roles and the same staff must hold access to sensitive servers and data, need to implement compensating controls. Collection and regular review of log data let an organization track user activity, and change-audit (file-integrity) software helps maintain the integrity of critical files and directories.
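Change-audit software of the kind named under compensating controls works by recording a cryptographic hash of every monitored file and comparing each later run against that baseline. The following is an added example, not code from the original article or from any particular product: it baselines a constructed directory tree in a temporary location, simulates three unauthorized changes (an appended sudoers rule, a new sudoers drop-in file and a deleted passwd file) and reports the differences. The file names and contents are constructed for the demonstration.

```python
"""Hash-based file-integrity baseline and check (compensating control).

Added example, not from the original article. The directory tree it
monitors is constructed in a temporary location so it runs offline."""

import hashlib
import json
import os
import tempfile


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map each regular file (path relative to root, '/' separated) to its digest.
    Symlinks are skipped so a link cannot be pointed at an unmonitored file."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic walk order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def compare(baseline, current):
    """Return sorted lists of added, removed and modified paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def save_baseline(baseline, path):
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Baseline a constructed tree, tamper with it, and return the change report."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n")  # constructed content
        with open(os.path.join(etc, "sudoers"), "w") as f:
            f.write("root ALL=(ALL) ALL\n")  # constructed content

        # Baseline is stored outside the monitored tree.
        baseline_path = os.path.join(root, "baseline.json")
        save_baseline(build_baseline(etc), baseline_path)

        # Simulated unauthorized changes (constructed for the demo).
        with open(os.path.join(etc, "sudoers"), "a") as f:
            f.write("mallory ALL=(ALL) NOPASSWD: ALL\n")          # modified
        os.makedirs(os.path.join(etc, "sudoers.d"))
        with open(os.path.join(etc, "sudoers.d", "90-backdoor"), "w") as f:
            f.write("mallory ALL=(ALL) NOPASSWD: ALL\n")          # added
        os.remove(os.path.join(etc, "passwd"))                    # removed

        return compare(load_baseline(baseline_path), build_baseline(etc))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind}: {p}")
```

A baseline kept on the same host can be rewritten by the very administrator it is meant to watch, which defeats the control. The baseline and each run's report should be written to a system that administrator cannot modify and reviewed by someone else, which is the same separation the policy itself requires.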
What IT Auditors Look For
Certified Information Systems Auditors (CISAs) are trained to look for evidence that a policy defining segregation of duties not only exists but is also enforced. A CISA starts by reviewing the policy itself and its language. Next they interview staff and request additional documentation and reports as evidence that the policy is effective. The auditor may also test a sample of the controls for their efficacy. Any gap through which a user can bypass the policy or process is written up as a finding and reported back to the organization and its audit committee.
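The requester/approver rule from the opening of this article, and the auditor's sample test of whether it is actually enforced, can both be expressed as checks over a role matrix and an exported change log. The following is an added example, not code from the original article or from any audit tool: it flags users who hold a conflicting pair of roles (static SoD), provides the preventive check an approval workflow would run before accepting an approval, and runs a detective test over change records that catches self-approval and approvals or deployments by users who lack the required role. The users, roles, conflicting-role pairs and change records are all constructed for illustration; checking the deployer as well as the approver is a generalization of the article's example.

```python
"""Segregation-of-duties checks over a role matrix and a change-approval log.

Added example (not from the original article). Users, roles and change
records below are constructed for illustration; the conflicting-role pairs
are assumed, not taken from any standard."""

# Role pairs that one person must never hold at the same time (assumed).
CONFLICTING_ROLES = {
    frozenset({"change_requester", "change_approver"}),
    frozenset({"developer", "production_deployer"}),
    frozenset({"payments_clerk", "payments_approver"}),
}

# Constructed user-to-role assignments (hypothetical users).
USER_ROLES = {
    "alice": {"change_requester", "developer"},
    "bob": {"change_approver"},
    "carol": {"developer", "production_deployer"},   # holds a conflicting pair
    "dave": {"payments_clerk"},
    "erin": {"change_requester", "change_approver"},  # holds a conflicting pair
}

# Constructed change records, as a change-management system might export them.
CHANGE_LOG = [
    {"id": "CHG-1001", "requested_by": "alice", "approved_by": "bob", "deployed_by": "carol"},
    {"id": "CHG-1002", "requested_by": "erin", "approved_by": "erin", "deployed_by": "carol"},
    {"id": "CHG-1003", "requested_by": "alice", "approved_by": "erin", "deployed_by": "alice"},
    {"id": "CHG-1004", "requested_by": "dave", "approved_by": "alice", "deployed_by": "carol"},
]


def static_conflicts(user_roles, conflicts=CONFLICTING_ROLES):
    """Static SoD: users whose assigned roles contain a conflicting pair.
    Returns {user: [sorted role pairs]}."""
    findings = {}
    for user, roles in user_roles.items():
        hits = sorted(tuple(sorted(pair)) for pair in conflicts if pair <= roles)
        if hits:
            findings[user] = hits
    return findings


def can_approve(change, approver, user_roles):
    """Preventive check an approval workflow runs before accepting an approval:
    the approver must hold the approver role and must not be the requester."""
    return ("change_approver" in user_roles.get(approver, set())
            and approver != change["requested_by"])


def change_violations(change_log, user_roles):
    """Detective SoD test an auditor could run over exported change records.
    Returns [(change id, reason)] in record order."""
    findings = []
    for rec in change_log:
        req, app, dep = rec["requested_by"], rec["approved_by"], rec["deployed_by"]
        if req == app:
            findings.append((rec["id"], "requester approved own change"))
        if req == dep:
            findings.append((rec["id"], "requester deployed own change"))
        if "change_approver" not in user_roles.get(app, set()):
            findings.append((rec["id"], f"approver {app} lacks change_approver role"))
        if "production_deployer" not in user_roles.get(dep, set()):
            findings.append((rec["id"], f"deployer {dep} lacks production_deployer role"))
    return findings


if __name__ == "__main__":
    for user, pairs in static_conflicts(USER_ROLES).items():
        print(f"{user}: holds conflicting roles {pairs}")
    for change_id, reason in change_violations(CHANGE_LOG, USER_ROLES):
        print(f"{change_id}: {reason}")
```

The static check is what a reviewer of access rights runs against the identity system; the preventive check belongs in the workflow itself; the detective check is the auditor's sample test, and any record it flags is exactly the kind of gap written up as a finding. Running it against the change-management system's own export, rather than against records the administrators hand over, keeps the evidence independent of the people being tested.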
ISACA. CISA Review Manual 2005, Information Systems Audit and Control Association, 2005