Posted by: Robert Davis
CISA, CISM, COBIT, Information Asset Protection, Information Security Governance, Information Security Management, ISACA, IT Controls, Security Frameworks
Responsibilities separation commonly employs segregation-of-functions and segregation-of-duties methodologies. Segregation-of-functions is the construction of individual work units – such as divisional, departmental or sectional organizational groups – to achieve management’s intentions while simultaneously complying with generally accepted control principles. In contrast, segregation-of-duties is the delineation of employee responsibility assignments within a defined work unit to achieve management’s intentions while simultaneously complying with generally accepted control principles. As a basic tenet of adequate control, segregation-of-functions and segregation-of-duties support the policies, procedures, directives, and organizational structure established to inhibit any one individual from conducting unauthorized actions or gaining unauthorized access to assets or records. Consequently, responsibilities separations are organizational controls, designed and deployed so that information security governance (ISG) can prevent, detect, and/or deter errors, mistakes, omissions, and irregularities, as well as illegal acts.
Appropriate functional responsibilities separation in a computer system requires defining IT and operational user work units with the control context in mind. Segregation-of-functions ensures that organizational responsibilities do not impinge upon independence or corrupt information system asset integrity.
Processing centralization through IT does not relieve management of the obligation to separate duties within operational and technical departments. Complete segregation-of-duties within a department is generally more feasible in large than in small entities. Large entities tend to follow rigid norms and are conducive to high specialization-of-duties, detailed division of labor, lavish and elaborate administration, and minimal personal interaction. By contrast, small entities are characterized by flexible norms, low specialization-of-duties, broad span-of-control, exiguous and simplistic administration, and extensive personal interaction.
Various control techniques can be activated selectively or collectively to enforce segregation-of-functions and segregation-of-duties, including:
- Role Identification
- User Authentication
- Transaction Authorization
- Information Access
- Asset Custody
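To make the list above concrete, here is an added example (not code from the post or its author) of how role identification and transaction authorization can enforce segregation-of-duties in software. The static check flags any user whose combined roles grant two permissions the policy declares mutually exclusive; the dynamic check refuses to let the person who initiated a transaction also authorize it, even when their roles are otherwise compatible. All role names, permissions, users, and the conflict matrix are constructed for illustration and are not drawn from the post.

```python
"""Segregation-of-duties conflict checker (added example, not from the post).

Static check: no single user may hold two permissions the policy declares
mutually exclusive (e.g. creating a vendor and approving payment to it).
Dynamic check: even with compatible roles, the user who initiated a
transaction may not be the one who authorizes it.
All role names, permissions and users below are constructed for illustration.
"""

# Role -> permissions granted (constructed sample policy)
ROLE_PERMISSIONS = {
    "ap_clerk": {"vendor.create", "invoice.enter"},
    "ap_manager": {"payment.approve"},
    "treasury": {"payment.release"},
    "auditor": {"ledger.read"},
}

# Permission pairs that must never be held by the same person (constructed)
MUTUALLY_EXCLUSIVE = {
    frozenset({"vendor.create", "payment.approve"}),
    frozenset({"invoice.enter", "payment.approve"}),
    frozenset({"payment.approve", "payment.release"}),
}


def effective_permissions(roles):
    """Union of the permissions granted by every role the user holds."""
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def sod_violations(user_roles):
    """Static check: return {user: [sorted conflicting pair, ...]} for every
    user whose effective permissions contain a mutually exclusive pair."""
    violations = {}
    for user, roles in user_roles.items():
        perms = effective_permissions(roles)
        conflicts = [tuple(sorted(pair)) for pair in MUTUALLY_EXCLUSIVE if pair <= perms]
        if conflicts:
            violations[user] = sorted(conflicts)
    return violations


def can_authorize(transaction, approver, user_roles):
    """Dynamic check: the approver must hold payment.approve and must not be
    the person who initiated this particular transaction."""
    perms = effective_permissions(user_roles.get(approver, []))
    if "payment.approve" not in perms:
        return False
    return transaction["initiator"] != approver


# Constructed assignments: bob has accumulated roles over time, the classic
# way segregation-of-duties erodes without periodic access review.
USER_ROLES = {
    "alice": ["ap_clerk"],
    "bob": ["ap_clerk", "ap_manager"],
    "carol": ["ap_manager"],
    "dave": ["auditor"],
}

if __name__ == "__main__":
    print(sod_violations(USER_ROLES))
    txn = {"id": "INV-1001", "initiator": "alice", "amount": 4200}
    print(can_authorize(txn, "carol", USER_ROLES))  # True: manager, not the initiator
    print(can_authorize(txn, "alice", USER_ROLES))  # False: clerk cannot approve
```

Running the static check as part of an access-review job catches role accumulation like bob's before it becomes an incident, while the dynamic check belongs in the authorization path of the application itself; the two are complementary, since a clean role matrix says nothing about who touched a specific transaction.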