Segregation of Duties in IT: Ya Gotta Keep ‘Em SeparatedPublished August 29, 2017 by Karen Walsh • 5 min read
Segregation of duties in IT security is one of the most basic ways to protect your environment. ISO/IEC 27001 requires separation of duties and responsibilities that potentially conflict. In doing this, your organization lowers the risk of both malicious and accidental modification or misuse. In addition, the standard incorporates these conflicting duties and areas as part of the ongoing risk assessment.
Why Segregation of Duties in IT Matters
The first reason businesses segregate duties is to prevent a conflict of interest, wrongful act, fraud, abuse, or error. The second reason is to make sure that any control failures are detected. If an employee is responsible for reporting on themselves or their superior, their fear of repercussion may impede them from fixing a faulty control.
At the most basic level, no single person should be able to change or destroy information without others noticing. However, you also have to make sure that all sensitive information is appropriately protected. Finally, the person who controls the design and implementation of IT controls needs to be different from the person who reports on how well those controls work.
Fundamentally, internal and external audit function as ways to incorporate segregation of duties. Since internal audit may have a vested interest in not reporting problems, external audits are the gatekeepers for internal audit.
While these multiple control layers can feel redundant or excessive, the financial risk and reputational cost associated with misused information can ruin your business. Keeping access and reporting segregated ensures ongoing compliance.
How to Segregate Job Functions
While businesses normally think of segregating duties in IT controls as a matter of software or hardware safety, the reality is that employees present the largest risk to most companies. Whether you do it purposefully or accidentally, segregating your employees’ access and duties within your organization is one of the best ways to protect your physical and technological assets.
As with any other controls you put in place, documentation of how you separate the different employee duties is key to compliance. To make sure that the appropriate employees have the correct access, you need to align job descriptions with software settings. To do this, you need to make sure that you have an effective user access review program in place.
In assigning access based on job function, you want to start by assessing risk. For example, if the same person who reviews time cards also has custody of paychecks, this poses a huge risk of fraud. Most businesses recognize this and separate those job roles.
What Steps Help Segregate Duties
Sometimes the types of duties clearly lend themselves to segregation from one another. Sometimes, however, the conflict of interest is embedded within the overall function.
Dividing the functions necessary to your organization acts as the first step. Once you have done this, you need to break down those functions into their discrete parts. Think about it like breaking apart a machine, comprised of many intricate gears that integrate to function fully. However, some gears are more vital than others for the machine’s efficiency. A weakness in one area can compromise the whole machine.
The same is true with companies. Breaking out your functions into their individual steps allows you to see points of potential abuse or weakness. Moreover, should a function be compromised, you can better track the source of the problem if you know the steps involved.
Once you determined the various points of potential weakness, you need to segregate the duties. There are several ways to do this. Authorization function requires two people to give approval for something. Documentation function requires that one person write down the function while another approves it. Custody of assets means that you put creation and storage of information in two different places. Reconciliation or audit means that one person takes inventory while the other reviews the work for completeness.
How GRC Automation Helps Track Controls Over Segregation of Duties in IT
When a single function can be broken down into multiple steps, tracking the controls can become frustrating. For a small organization, the functions might be easy to track because there are a limited number of employees.
Once an organization incorporates startup budget constraints, its management often chooses to organize these controls in spreadsheets. However, as the company expands and matures, so do the processes.
Being able to more efficiently map job descriptions to employee access means having stronger controls. Automation allows clearer visibility into how functions are separated into their parts and how those parts work to create a whole. By having a single source of truth, you can see all of your internal controls in one place and ensure that the appropriate segregations have been established.
How to Use Audit to Help with Segregation of Duties in IT
Traditionally, your CIO has handled reporting on the end testing controls. However, since the CIO oversees and designs implementation, they have a vested interest in the controls’ effectiveness. This is one of the reasons that having both a CISO and CIO matters.
Audit, however, has an interest only in testing the controls. This means that having an audit function automatically segregates duties over the controls. The question then becomes, why have an internal and external audit?
Your internal audit function is a self-assessment of your business. Pretend to be your internal auditor for a moment. Controls cost money. As the internal auditor, your job is to make sure those controls are appropriate. However, when you tell those in charge of the controls that problems exist, they get upset. Sometimes, the Board gets upset. Sometimes, the boss gets upset.
Though this is the internal auditor’s job, corporate culture can lead the internal auditor to prioritize protection of themselves or the departments with whom they work over robust information security. Perhaps they massage the message. If that happens, the report may technically note issues in the controls, but may do so in a way that makes it seem less important.
The potential for that conflict of interest means that external audit acts as balance to internal politics. Moreover, it acts as a check on internal audit’s capabilities. This shores up your compliance program. In many ways, this offers a segregation of duties that provides a check and balance similar to tripartite government.
You need both an external auditor and an internal auditor to monitor your controls most effectively. Your internal auditor helps monitor your organization with a sense of how your company works. They provide you with someone who knows your business and can continually monitor your controls. You external auditor provides an entirely independent review unconnected to your company’s internal politics, offering insights that come from a fresh set of eyes.
How Using Automation Creates Better Audit Outcomes
Automation provides a single source of truth for audits. Internal audit needs to work with external audit to both create and disseminate documentation of your controls.
Internal audit contacts individuals to get documentation that supports the written segregation processes. However, this information gathering can be cumbersome. Multiple emails with various individuals can lead to ongoing communication problems.
GRC automation facilitates the scheduling of tracking and notifications. In addition, instead of having to spend time sifting through emails to track down responses, internal audit can review the submissions in one place. This single source of truth then provides the internal audit function with the appropriate documentation for external audit.
Streamlining the documentation process leads to greater cost savings when it comes to time spend on audit work. Internal audit can spend more time on the review process and focus more on the details of reconciliation. External audit can see more clearly into your organization’s compliance stance. All of this leads to stronger audit ratings and faster audits.
Auditing segregation of duties in IT helps keep your company free from fraud and creates greater security over your information assets. Using GRC automation to create a single source of truth for your audits provides a value add by lowering the amount of time spent on mundane administrative work.
For more information about how GRC automation offers efficiency and cost savings, watch our on-demand webinar, “6 Time Saving Steps to Simplifying Your GRC Strategy.”