IT Governance, Risk, and Compliance

Jan 24 2009   6:30PM GMT

Safeguarding Information Assets – Part II



Posted by: Robert Davis
Tags:
CISA
CISM
COBIT
Information Asset Protection
Information Security Governance
Information Security Management
ISACA
IT Controls
Security Frameworks

Responsibilities separation commonly employs segregation-of-functions and segregation-of-duties methodologies. Segregation-of-functions is the construction of individual work units – such as divisional, departmental or sectional organizational groups – to achieve management’s intentions while simultaneously complying with generally accepted control principles. In contrast, segregation-of-duties is the delineation of employee responsibility assignments within a defined work unit to achieve management’s intentions while simultaneously complying with generally accepted control principles. As a basic tenet for adequate control, segregation-of-functions and segregation-of-duties supports policies, procedures, directives, and an organizational structure established to inhabit one individual from conducting unauthorized actions or gaining unauthorized access to assets or records. Consequently, responsibilities separations are designed and deployed organizational controls that enable ISG to prevent, detect, and/or deter errors, mistakes, omissions, irregularities as well as illegal acts.

The appropriate functional responsibilities separation in a computer system requires defining IT and operational user work units considering control context. Segregation-of-functions assures organizational responsibilities do not impinge upon independence or corrupt information system asset integrity.

Processing centralization, through IT, does not relieve management from separating duties within operational and technical departments. Complete segregation-of-duties within a department is generally more feasible in large rather than small entities. Large entities tend to follow rigid norms and are conductive to high specialization-of-duties, detail labor division, lavish and elaborate administration, and minimal personal interaction. Contrastingly, small entities are characterized by flexible norms and have low specialization-of-duties, broad span-of-control, exiguous and simplistic administration, and extensive personal interaction.

Various control techniques can be activated selectively or collectively to enforce segregation-of-functions and segregation-of-duties, including:

  • Role Identification
  • User Authentication
  • Transaction Authorization
  • Information Access
  • Asset Custody

 Comment on this Post

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: