How Separation of Duties Increases Cyber Security Posture!
by David Wren
Whether you have an organization of 25 or 25,000 people, implementing a Separation of Duties (SoD) strategy will increase digital security protections and limit risk. Many organizations have practiced SoD for years in the areas of finance for accounts receivable and payable, with the help of an outside firm for independent audit and review. Separation of Duties is also known as Segregation of Duties, or in government as Separation of Powers (e.g., legislative, administrative and judicial branches). Their primary objectives are preventing conflicts of interest, human error, abuse, and outright fraud. Secondary objectives include detecting failures in operational controls, policies and procedures. There are many ways that organizations practice SoD to increase efficacy, improve operations and limit risk and exposure.
When it comes to your digital assets and overall networking capability, SoD plays a critical operational role and enhances overall security posture. SoD became prevalent in IT organizations in the early 2000’s, when government and industry regulations like Gramm-Leach-Bliley Act (GLBA) and Sarbanes-Oxley (SOX) began to mandate the principle. Today we see SoD as a requirement of the newer Cybersecurity Maturity Model Certification (CMMC) and the EU’s General Data Protection Regulation (GDPR).
Implementing, managing and meeting the requirements of SoD can be difficult and sometimes costly to achieve. However, an effective strategy minimizes exposure to fraud, data security breaches, information theft, and shortcutting of control mechanisms. SoD should be designed where any individual does not have conflicting responsibilities and is not responsible for self-reporting or reporting on their direct superiors.
In previous articles, we talked about threat actors and, more often than not, they are outsiders. However, an insider threat can be more destructive financially to an organization over a longer period of time. Insider threats are usually a function of disgruntled, rogue or manipulated employees. Employing SoD helps to limit risks associated with this type of threat. My company has worked many cases over the past few years where bad actors were insiders. Increasing controls and monitoring behavior help to identify, limit and prevent risk before major losses occur.
In the realm of information technology and digital security, SoD prevents one person from controlling the entire process. First, ask yourself whether any one person in your company can change or destroy a system without being detected. Second, ask if any one person can extract or steal data undetected. Third, ask whether only one person designed, implemented and reports on the overall effectiveness of controls. The answer to all of these questions should be NO. The majority of larger organizations have changed their reporting structures within IT and IT security functions from a singular Chief Information Officer (CIO), who is responsible for all aspects of IT, to the separation of security and addition of a Chief Information Security Officer (CISO). Such actions separate the power and responsibility for operations and security of the digital environment.
Smaller organizations can achieve the same mechanism of control by employing outsourced partners. However, be sure that you achieve a system of checks and balances with some form of audit capability for reporting. For example, if you have a single IT partner who monitors and manages your systems, reports on your systems and provides security metrics, then you have no true SoD. There are many service providers that operate as one-stop shops for IT management and security. If your partner falls into this category, ask yourself the following questions. When was the last time they told you they misconfigured a system, left an unused port open on a firewall or forgot to patch a critical server issue? Have you experienced a security incident while they were managing your network? How well are they challenging and reporting on themselves?
We work with many organizations and IT service providers to provide expert-level cybersecurity solutions while practicing true SoD. Call us today for a free consultation. Protecting your digital assets and brand identity are our top priorities. n
David Wren, CISM is President of Network Technology Partners, a regional Cyber Security Intelligence firm headquartered in St. Louis, MO. He can be reached at email@example.com