In the beginner’s guide to ISO 27001 Segregation of Duty you will learn
- what Segregation of Duty is
- how to implement Segregation of Duty
- examples of Segregation of Duty
I am Stuart Barker, the ISO 27001 Ninja and author of the Ultimate ISO 27001 Toolkit.
Table of contents
What is Segregation of Duty?
Segregation of duty is the act of dividing up critical tasks and responsibilities so that no one person has complete control over a process.
By doing this you can:
- Prevent fraud: the single biggest reason to implement segregation of duty is to eliminate the opportunity for fraud and to make it more difficult for a single individual to manipulate a process for personal gain.
- Enhance security: by implementing role based access (RBAC) and dividing roles and responsibilities based on business need and the experience of individuals will protect against unauthorised access and use.
- Reduce errors: by involving more than one person mistakes and inconsistencies can be caught that a single person may not catch or see.
DO IT YOURSELF ISO 27001
All the templates, tools, support and knowledge you need to do it yourself.
Examples
The following are some common real world examples of Segregation of Duty:
Change Control: the change control process usually has several key steps that include the request for change, the approval of the change and the implementation of the change. There would clearly be a conflict of interest if the person requesting was the same person that approved and then actioned the change. In fact it would make the purpose of having a change control process redundant.
Human Resources: there are many processes in HR that require fairness and objectivity. Take the key processes of hiring, performance management and financial rewards such as pay rise reviews and bonus allocation. If the same individual is responsible for all of these key processes then there is a conflict of interest and a lack of impartiality.
Information Technology (IT): as most processes and business operations rely on the use of information technology this presents the biggest risk to information security and the confidentiality, integrity and availability of data. Most fraud occurs via a compromise of IT. Having one individual with total control can lead to changes being made that cannot be caught with tracks being covered via the manipulation or removal of monitoring and logging.
Key Principles
- Implement Role Based Access Control: role based access is one of the most common and practical approaches to implementing segregation of duty. By taking the time to identify the roles that you require and removing conflicts in those roles and then assigning individuals to roles rather that allocating access on a case by case basis will significantly help you to remove conflicts in a consistent way.
- Divide Responsibilities: understanding and documenting your processes and systems will allow you to identify the key roles and responsibilities which can then be allocated to more than one individual and ensure no one person has complete control for a process or system. This is part of role based access control.
- Prevent Collusion: the way that teams are structured and where they are located and how they interact can have an impact on introducing the opportunity for collusion. Collusion is the working together to commit fraud or circumvent controls.
- Monitor and Review: it may be the case that segregation of duty does not work as intended or requires continual improvement. By implementing logging, monitoring and review on a regular basis allows for the identification and management of when it goes wrong and the ongoing and continual improvements to ensure that it remains effective.
Approaches to Segregation of Duty
There are many standard approaches with the most common being:
- Sequential separation: the two signature principle
- Individual separation: the four eyes principle
- Spatial separation: the principle of separate actions in separate locations
- Factorial separation: process completion requires several factors to be true
ISO 27001 requirement for Segregation of Duty
The ISO 27001 standard specifically addresses Segregation of Duty in ISO 27001 Annex A 5.3 Segregation of Duties
How to implement Segregation of Duty
For a detailed guide on how to implement Segregation of Duty, read the implementation guide ISO 27001 Annex A 5.3 Segregation of Duties
Get the Help of the ISO 27001 Ninja
Book your FREE 30 Minute ISO 27001 Strategy Call and let me show you how you can do it 30x cheaper and 10x faster that you ever thought possible.