Separation of duties and IT security
Separation of duties (SoD) is a key concept of internal controls, and often the most difficult and costly one to achieve. It works by distributing the tasks and associated privileges of a sensitive process among multiple people, so that no single person can complete the process, or conceal an error or a fraud in it, alone.
SoD is already well known in financial accounting. Companies of all sizes understand not to combine roles such as receiving checks (payment on account) and approving write-offs, depositing cash and reconciling bank statements, or approving time cards and having custody of paychecks.
The concept of SoD became more relevant to the IT organization when regulatory mandates such as Sarbanes-Oxley (SOX) and the Gramm-Leach-Bliley Act (GLBA) were enacted. A large share of SOX internal control issues, for example, originate in or depend on IT. This forced IT organizations to place greater emphasis on SoD across all IT functions, especially security.
Now a new regulatory mandate, the EU's General Data Protection Regulation (GDPR), set to take effect in May 2018, will require the C-suite to take a hard look at whether the corporate organization chart supports the regulation, and possibly to rethink how SoD will be used to ensure GDPR compliance and pass audit.
What is SoD?
SoD, as it relates to security, has two primary objectives. The first is the prevention of conflicts of interest (real or apparent), wrongful acts, fraud, abuse and errors. The second is the detection of control failures, including security breaches, information theft and circumvention of security controls. Correct SoD ensures that individuals do not hold conflicting responsibilities and are not responsible for reporting on themselves or their superiors.
There is an easy test for SoD. First, ask whether any one person can alter or destroy your financial data without being detected. Second, ask whether any one person can steal or exfiltrate sensitive information. Third, ask whether any one person has influence over the design and implementation of controls and also over reporting on their effectiveness. The answer to each question should be "no." If the answer to any of them is "yes," you need to rethink the organization chart to align with proper SoD.
Moreover, the individual responsible for designing and implementing security must not be the same person who tests security, conducts security audits, or monitors and reports on security. For the same reason, the individual responsible for information security should no longer report to the CIO, as has traditionally been the case, because the CIO owns the systems that security is supposed to assess.
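The three questions above amount to two mechanical checks that can be run over a role roster: does any one person hold a toxic combination of duties, and does anyone who assesses a control report, directly or through a chain of managers, to someone who owns that control? The Python script below is an added example and is not part of the original article; the duty names, conflict pairs and staff roster are constructed for illustration and are not taken from any standard or product.

```python
"""Toxic-combination and independence check for separation of duties.

Added example, not from the original article. The duties, the conflict
pairs and the staff roster below are constructed for illustration.
"""
from itertools import combinations

# Pairs of duties that must not sit with one person. The security pairs
# encode the "must not report on themselves" rule: whoever implements a
# control must not test, audit or report on that control.
CONFLICTING_DUTIES = {
    frozenset({"alter_financial_data", "review_financial_data"}),
    frozenset({"implement_security_controls", "test_security_controls"}),
    frozenset({"implement_security_controls", "audit_security_controls"}),
    frozenset({"implement_security_controls", "report_control_effectiveness"}),
    frozenset({"deposit_cash", "reconcile_bank_statements"}),
}

# Assessor duty -> duty whose holders the assessor must not report to.
INDEPENDENCE_REQUIRED = {
    "audit_security_controls": "implement_security_controls",
    "test_security_controls": "implement_security_controls",
}


def find_conflicts(assignments):
    """Return (person, duty_a, duty_b) for every toxic pair held by one person."""
    hits = []
    for person, duties in sorted(assignments.items()):
        for a, b in combinations(sorted(duties), 2):
            if frozenset({a, b}) in CONFLICTING_DUTIES:
                hits.append((person, a, b))
    return hits


def chain_of_command(person, reports_to):
    """Yield every manager above `person`, stopping if the org chart loops."""
    seen = set()
    while person in reports_to and person not in seen:
        seen.add(person)
        person = reports_to[person]
        yield person


def find_independence_failures(assignments, reports_to):
    """Return (assessor, manager) where the assessor of a control reports,
    directly or transitively, to someone who holds the assessed duty."""
    holders = {}
    for person, duties in assignments.items():
        for duty in duties:
            holders.setdefault(duty, set()).add(person)
    failures = []
    for assessor_duty, assessed_duty in INDEPENDENCE_REQUIRED.items():
        for assessor in sorted(holders.get(assessor_duty, ())):
            for boss in chain_of_command(assessor, reports_to):
                if boss in holders.get(assessed_duty, ()):
                    failures.append((assessor, boss))
                    break  # one finding per assessor is enough
    return failures


# Constructed roster (hypothetical names): alice tests her own controls,
# bob audits controls owned by his manager carol, dave holds a classic
# finance conflict, erin is clean.
STAFF = {
    "alice": {"implement_security_controls", "test_security_controls"},
    "bob": {"audit_security_controls"},
    "carol": {"implement_security_controls"},
    "dave": {"deposit_cash", "reconcile_bank_statements"},
    "erin": {"review_financial_data"},
}
REPORTS_TO = {"alice": "carol", "bob": "carol", "dave": "erin"}

if __name__ == "__main__":
    for person, a, b in find_conflicts(STAFF):
        print(f"toxic combination: {person} holds both {a} and {b}")
    for assessor, boss in find_independence_failures(STAFF, REPORTS_TO):
        print(f"independence failure: {assessor} assesses controls owned by manager {boss}")
```

The reporting-line check is what catches the "CISO reports to the CIO" pattern the article warns about: bob holds no conflicting duty himself, but every audit finding he raises goes to the person who built the controls. Note that alice is flagged by both checks, once for holding the pair and once because her manager also owns the controls she tests.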
Here are a few possible ways to accomplish proper SoD:
- Have the individual responsible for information security report to the chairman of the audit committee.
- Use a third party to monitor security and to conduct surprise security audits and security testing. The third party reports to the board of directors or the chairman of the audit committee.
- Have an individual (CISO) responsible for information security report to the board of directors.
- Have the individual (CISO) responsible for information security report to internal audit as long as internal audit does not report to the executive in charge of finances like the CFO.
How the GDPR affects security SoD
The GDPR requires businesses to protect the personal data and privacy of individuals in the EU for processing that takes place within EU member states, and it regulates the transfer of personal data outside the EU. The regulation also spells out the roles within companies that are responsible for carrying out and reporting on its requirements. Companies therefore need to review it carefully, apply the necessary changes to their customer data use and protection policies, and ensure that the resulting SoD is compliant.
The roles that the GDPR expects to be responsible for ensuring compliance are data controller, data processor and the data protection officer (DPO). The data controller defines how personal data is processed and the purposes for which it is processed. The controller is also responsible for making sure that outside contractors comply.
Data processors may be internal groups that maintain and process personal data records, or any outsourcing firm that performs all or part of those activities. The GDPR holds processors directly liable for breaches and non-compliance, so both your company and a processing partner such as a cloud provider may face penalties for the same incident.
The GDPR requires controllers and processors to designate a data protection officer (DPO) to oversee data protection strategy and GDPR compliance when the organization is a public authority, when its core activities involve regular and systematic monitoring of data subjects on a large scale, or when its core activities involve large-scale processing of special categories of personal data or data relating to criminal convictions and offences. The GDPR also stipulates internal record-keeping requirements for processing activities, which the DPO will be expected to oversee.
The DPO, then, is a pivotal role for ensuring compliance. The GDPR states that the DPO:
- Must be appointed on the basis of professional qualities and, in particular, expert knowledge on data protection law and practices
- May be a staff member or an external service provider
- Must be provided with appropriate resources to carry out their tasks and maintain their expert knowledge
- Must report directly to the highest level of management
- Must not carry out any other tasks that could result in a conflict of interest
The importance of SoD for security
The issue of SoD in security continues to be significant. It is imperative that operations, development, and testing of security and all other controls be kept separate, to reduce the risk of unauthorized activity or access to operational systems and data. Responsibilities must be assigned to individuals in a way that builds checks and balances into the system and minimizes the opportunity for unauthorized access and fraud.
Remember, the control techniques surrounding SoD are subject to review by external auditors. Auditors have in the past reported this concern as a material weakness when they judged the risk great enough, and it is only a matter of time before the same is done for IT security. For this reason, and for the sake of objectivity, why not discuss separation of duties as it relates to IT security with your external auditors? Learning up front what they consider necessary in your particular case can save you a great deal of aggravation, cost and political infighting.