Rhand Leal Today’s automated solutions and information and communication technologies allow a few people to handle a great deal of information and processes (e.g., stock exchange operators and air traffic controllers).
While this is good to improve productivity, a potential side effect is that these few people may end up gathering excessive knowledge and/or privilege over the operating environment and, in case they are absent or have malicious intent, this can prove to be an unacceptable risk, which must be handled.
This article will present a widely used concept to approach this situation, the segregation of duties, and how ISO 27001 considers it in an ISMS to minimize the risk that a single position may have the opportunity to compromise an organization’s activities.
The principles that can be applicable to segregation of duties in your ISMS:
- sequential separation, when an activity is broken into steps performed by different persons
- individual separation, when at least two persons must approve an activity before it is done
- spatial separation, when different activities are performed in different locations
- factorial separation, when several factors contribute to activity completion
Segregation of duties general definition, purpose, and principles
Segregation of duties definition is based on shared responsibilities of a process that separate the critical functions of that process to more than one person or department.
Segregation of duties refers to practices where the knowledge and/or privileges needed to complete a process are broken up and divided among multiple users so that no single one is capable of performing or controlling it by himself.
The main purpose of segregation of duties is to mitigate the risk of fraud, waste, and error. In a perfect system, no individual should oversee more than one type of function. Without this split in key processes, risks are far less manageable. Imagine what would happen if the keys, lock, and code for a nuclear weapons system were all in the hands of one person. The principles that can be applicable to segregation of duties are:
- sequential separation, when an activity is broken into steps performed by different persons (e.g., solicitation, authorization and implementation of access rights)
- individual separation, when at least two persons must approve an activity before it is done (e.g., contractor payment)
- spatial separation, when different activities are performed in different locations (e.g., locations to receive and store raw material)
- factorial separation, when several factors contribute to activity completion (e.g., two-factor access authentication).
You may note that these principles can be used in isolation or together, depending upon the security an organization requires to protect its processes.
ISO 27001 series objectives and guidance on segregation of duties
ISO 27001 considers segregation of duties to be one of the potential controls to be applicable to control implementation and operation of information security within the organization (control A.6.1.2 from Annex A).
The standard control requires conflicting duties and areas of responsibilities to be segregated in order to reduce the risk of an asset’s unauthorized or unintentional modification or misuse. The determination of whether the control is applicable and which duties and areas should be under A.6.1.2 must be made according the results of a risk assessment.
Since the segregation of duties concept is straightforward, ISO 27002, the standard that provides practices for information security controls, does not provide much additional orientation other than that previously presented, besides for two points:
- control design must consider the possibility of collusion (when two or more parties agree to commit fraud or gain unfair advantage by compromising a process execution)
- when segregation of duties is difficult or impossible to achieve, compensating controls should be applied (detailed information will be presented in further in this article)
Implementing segregation of duties
But, how is segregation of duties implemented? Basically, these steps should be followed as part of a risk treatment plan:
- Identification of functions that are indispensable to the organization’s activities, and potentially subject to abuse, considering either business drivers or regulatory compliance (e.g., SOX)
- Division of the function into separate steps, either considering the knowledge necessary for the function to work or the privileges that enable that function to be abused
- Definition of one or more segregation principles to be applied to the functions. Examples of functions and segregation principles to be applied are:
- authorization function (e.g., two people need to authorize a payment)
- documentation function (e.g., one person creates a document and another approves it)
- custody of assets (e.g., backup media creation and storage in different sites)
- reconciliation or audit (e.g., one person takes inventory, and another validates it)
The most practical way to document segregation is by preparing a segregation of duties matrix. It lists potential conflicts to determine what risk may be realized and whether a user should have access or authorizations to a combination of functions. The segregation of duties matrix should include the process or process steps and authorizations checked. To give an example, the employee who is responsible for approving changes to firewall rules should be different from the person(s) who implements those changes.
For more information about documenting responsibilities, see: How to document roles and responsibilities according to ISO 27001.
Alternatives to segregation of duties
Sometimes the segregation of duties is impractical because the organization is too small to designate functions to different persons. In other cases, breaking down tasks can reduce business efficiency and increase costs, complexity, and staffing requirements.
In these situations, compensating controls should be in place to ensure that even without segregation of duties the identified risks are properly handled. Examples of compensating controls are:
- Monitoring activities: these allow activities to be supervised while in progress, as a way to ensure they are being properly performed. For more information, see: Logging according to ISO 27001 A.8.15.
- Audit trails: these enable the organization to recreate the actual events from the starting point to its current status (e.g., who initiated the event, the time of day and date, etc.). For more information about how to determine the information to be tracked see: ISO 27001 internal audit: The complete guide.
- Management supervision: this allows the proper and timely evaluation and handling of exceptional situations.
Sometimes, having all your eggs in one basket is not a good idea
Wrongdoing requires three factors to be possible: means, motive, and opportunity. Extremely lean processes increase the risk of wrongdoing by concentrating means and opportunity (access to and privileges over the process). By implementing segregation of duties, an organization minimizes the risk by splitting knowledge and privileges.
However, the benefits of segregation of duties to security must be balanced with the increased cost/effort required. By using the ISO 27001 requirements for risk assessment, an organization can identify the most vulnerable and the most mission-critical elements of the business to which segregation of duties will represent real added value to the business and other interested parties.
To learn how to become compliant with every clause and control from Annex A and get all the required policies and procedures for controls and clauses, sign up for a 14-day free trial of Conformio, the leading ISO 27001 compliance software.
