The key to data security: Separation of duties

Another example is in a warehouse, where the person receiving goods from a supplier and the person authorizing payment to the supplier are two different employees. Similarly, the person maintaining inventory records does not physically control the inventory, which reduces the possibility of inventory theft or incorrect reporting. Segregation of duties is a common concept in financial and accounting processes. Payroll is one example where the segregation of duties works well and is even desirable. When looking to understand how to apply a SOD matrix to a business process, it’s helpful to use an example. Let’s say we want to examine a purchasing workflow for potential role and duty conflicts.

Just because the operating system says you have read access rights to a database table, doesn’t mean you should be decrypting the social security number or using FTP to transfer the file. I’m happy with our implementation that is based on explicit authorization by a security administrator, and application white lists. I just listened to a discussion of database security hosted by Oracle that was very well done. At one point the discussion turned to current threats and how the Enterprise has lost the ability to use perimeter protection for sensitive data.

segregation of duties (SoD)

So, if a 50 percent probability for a $20,000 loss was on the indifference curve for Company A, then the company may live with that risk without spending resources to create controls to lower the probability of the occurrence. Using SOD control concepts generally lowers risk and helps keep an organization at or under its preference for a given risk type. Use automated tools to manage and audit database access and activities, user rights, and privileged users. End users cannot access or modify production data, except through an appropriate administrative application. Software developers, contractors, and third-party vendors cannot access production systems, database management systems, or system-level technologies. Implementation should use the principle of least privilege necessary to complete a transaction.

This simply means that they have multiple roles in a process, which allows them to perform a combination of important activities that could potentially harm the integrity of the process and, ultimately, the organization. A third example is within the real estate business, where the person selling a property or other fixed asset to a customer cannot record the sale or collect the payment from the customer. Segregation of duties is also known as separation of duties and is an essential element of an enterprise control system. Segregation of duties breaks business-critical tasks into four separate function categories–authorization, custody, recordkeeping, and reconciliation. Ideally, no one person or department holds responsibility in multiple categories–workflow roles should be adequately separated with a system of checks and balances so all positions can regulate each other. Segregation of duties is designed to prevent unilateral actions within an organization’s workflow, which can result in damaging events that would exceed the organization’s risk tolerance.

Three things to remember for following security best practices:

The process used to ensure a person’s authorization rights in the system is in line with his role in the organization. This is not an exhaustive presentation of the software development life cycle, but a list of critical development functions applicable to separation of duties. The accounting profession has invested significantly in separation of duties because of the understood risks accumulated over hundreds of years of accounting practice. Similarly, the person who pushes code to production cannot carry out the other three tasks. In the case of the fraud scheme that impacted the AMA, stronger SoD are required to avoid this type of fraud going forward.

The Thales Accelerate Partner Network provides the skills and expertise needed to accelerate results and secure business with Thales technologies. Thales Partner Ecosystem includes several programs https://online-accounting.net/ that recognize, rewards, supports and collaborates to help accelerate your revenue and differentiate your business. Provide more value to your customers with Thales’s Industry leading solutions.

Separation of Duties

However, SMBs do need to be proactive and watchful, because all it takes is one “bad apple” to trigger a potentially catastrophic outcome. The average cost of a data breach in an SMB is estimated between $120,000 and $1.2 million per incident, and 60% of SMBs go out of business within six months of a cyberattack. Use a third party to monitor security, conduct surprise security audits and security testing. They report to the board of directors or the chairman of the audit committee. There are five primary options for achieving separation of duties in information security.

The next category would be duty (Custody, Authorization, Record-keeping, Reconciliation) followed by procedure and role . Regularly reviewing vendors and payees is also another internal control that might have reduced the risk of fraud. For the AMA, controls would have been established in the technology solution that required at least two people to sign off on goods and services invoices. Had the employee attempted to authorize payments on his own, the system would have alerted the appropriate stakeholder and payment could have been stopped. According to the guidelines, an effective SoD mitigates all risk deriving from the risk scenarios presented in their sample framework. However, SoD governance may also benefit from using third-party audits by a separate function (e.g., internal audit) or an external entity (e.g., external audit). ISACA offers a guide on implementing segregation of duties based on best practices.

Separation of Duties Security: Ensuring Security Supports SoD

Ask a third party entity to monitor security and conduct surprise security tests and audits. The third party should report to an audit separation of duties breach committee or the board of directors. A SoD implementation should prevent individuals from having conflicting responsibilities.

In information systems, segregation of duties helps reduce the potential damage from the actions of one person. IS or end-user department should be organized in a way to achieve adequate separation of duties. According to ISACA’s Segregation of Duties Control matrix, some duties should not be combined into one position. This matrix is not an industry standard, just a general guideline suggesting which positions should be separated and which require compensating controls when combined. SoD policies are the processes, guidelines and/or rules that an organization has created to make sure security controls are in place while also balancing operational efficiencies and costs. Initially, organizations had to manually create and manage these policies and then manually audit them to maintain compliance. This led to SoD policies that were out of date and inaccurate while also increasing employee time trying to maintain and fix the policies.

Palo Alto Networks Simplifies SASE Management

Pathlock provides a robust, cross-application solution to managing SoD conflicts and violations. Finance, internal controls, audit, and application teams can rest assured that Pathlock is providing complete protection across their enterprise application landscape. Document all roles, responsibilities, and controls—SoD definitions can be forgotten over time or lost when new employees replace previous ones. To ensure you retain all important information, you should create detailed documentation of roles within the organization and the risk of ownership each represents. Increased protection from fraud and errors must be balanced with the increased cost/effort required. When it comes to risk management in Governance Risk and Compliance , effective SOD practices can help reduce innocent employee errors and catch the not-so-innocent fraudulent filings.

• Organizations can create SoD matrices by hand or with spreadsheet software, such as Excel.
• The largest companies and most respected brands in the world rely on Thales to protect their most sensitive data.
• Set-aside of a judgment that was entered as the result of a party’s failure to comply with the disclosure statutes or intentionally omitted an asset.
• Learn how implementing proper SoD controls can reduce risk, improve compliance, and increase operational efficiencies.
• Saviynt provides this solution for all the leading financial management platforms including SAP, Oracle , Workday, PeopleSoft, JDEdwards, NetSuite.

The basis of SoD is the understanding that running a business should not be a single-person job. No one person should have the power or control to perform any kind of task that may lead to fraudulent or criminal activity that could damage the company. Segregation of duties is based on the idea of shared responsibilities, wherein the critical functions of a key process are dispersed to more than one person or department to mitigate the risk of fraud or other unethical behaviors. SoD is an important element of both enterprise risk management and compliance with laws such as the Sarbanes-Oxley Act of 2002 . The separation of duties plan should set up a tracking process for monitoring which employees gain access to which types of sensitive customer data.

Top Highlights from the 2022 State of Enterprise Identity Report

By separating those in the organization who handle receipts from those who make the bank deposits from those who pay the bills, for instance, the organization reduces the chances of fraud. I just returned from a trip to Europe and Encryption Key Management was a very hot topic. This is a topic I very much like to speak about, given our recent release of Alliance Key Manager. It still surprises me how many conversations I had with technology companies who understood the need to have a proper key manager either embedded within or integrated from the outside of their program or appliance. Split Knowledge applies to the manual generation of encryption keys, or at any point where encryption keys are available in the clear.

The security team needs to ensure that only those members of the organization who need to see sensitive personal data for customer relations have access to this data. Governmental oversight requires protecting sensitive data for customers and employees. If hackers steal credit card information or Social Security numbers, your organization could end up receiving significant financial penalties. While expectations for data protection in the medical and financial industries are wide-spread, and easily understood, compliance regulations affect business and organizations of all sizes.

This means that companies need to review it carefully and apply necessary changes to customer data use and protection policies and ensure compliant SoD. A lack of clear and concise responsibilities for the CSO and chief information security officer has fueled confusion. It is imperative that there be separation between the development, operation and testing of security and all controls. Responsibilities must be assigned to individuals in such a way as to establish checks and balances within the system and minimize the opportunity for unauthorized access and fraud. Without SOD, either of these scenarios clearly shows the possibility of disastrous outcomes. As a result, the risk management goal of SOD controls is to prevent unilateral actions from occurring in key processes where irreversible affects are beyond an organization’s tolerance for error or fraud. By separating these functions, each area is a “check and balance” of the functions of the other area.