Separation of Duties
Separation of Duties is a term defined as “a security principle that says no one person should be able to effect a breach of security” (Definition of: separation of duties, 2008). In practice, this means that one person should not be responsible for both the design and the implementation of security within an organization. The goal is to avoid a single point of failure in which one person can take advantage of a process inside a company and profit from ill-gotten gains.
This principle is readily practiced in the area of finance and is becoming more popular within the Information Technology field. For example, in finance, the Department of General Services of California has a section in its State Administrative Manual that quotes the requirements of the Financial Integrity and State Manager’s Accountability Act of 1983, which “…requires that the head of each State agency establish and maintain an adequate system of internal control within their agencies. A key element in a system of internal control is separation of duties” (Department of General Services of California, 2008). The manual then goes on to list explicitly how entities are designated, the actions they may take, the number of actions each entity may take, and the level of authorization for each duty.
Information technology generally takes the same approach and follows the same principle: certain key duties should be performed by different individuals. Such duties include physical custody of, or access to, certain assets; authorization or approval of transactions affecting those assets; recording transactions for those assets; and control or review responsibility for those assets (The University of British Columbia, 2006). Having these and other duties performed by separate individuals establishes a system of checks and balances. It also creates a system for reducing errors and/or...
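The four duty categories listed above can be enforced mechanically in an access-control system by treating them as mutually exclusive for the same asset. The following is an added example written for this page, not code from the essay or from any of the cited organizations; the conflict matrix, the data model of (user, asset, duty) assignments, the function names and the sample data are assumptions for illustration.

```python
"""Separation-of-duties conflict check over role assignments (added example).

The four duty categories are the ones the text lists: custody, authorization,
recording and review. Treating every pair as conflicting for the same asset is
an assumed policy; a real organization would tune the matrix.
"""
from itertools import combinations

# Duty categories from the text. One person holding two of these for the same
# asset is the single point of failure the principle is meant to prevent.
CUSTODY, AUTHORIZE, RECORD, REVIEW = "custody", "authorize", "record", "review"
ALL_DUTIES = {CUSTODY, AUTHORIZE, RECORD, REVIEW}

# Assumed conflict matrix: every pair of the four duties is mutually exclusive.
CONFLICTS = {frozenset(p) for p in combinations(sorted(ALL_DUTIES), 2)}


def find_sod_violations(assignments):
    """assignments: iterable of (user, asset, duty).
    Returns a sorted list of (user, asset, duty_a, duty_b) for every
    conflicting pair of duties one user holds on one asset (detective check)."""
    held = {}
    for user, asset, duty in assignments:
        if duty not in ALL_DUTIES:
            raise ValueError(f"unknown duty {duty!r}")
        held.setdefault((user, asset), set()).add(duty)
    violations = []
    for (user, asset), duties in held.items():
        for a, b in combinations(sorted(duties), 2):
            if frozenset((a, b)) in CONFLICTS:
                violations.append((user, asset, a, b))
    return sorted(violations)


def can_assign(assignments, user, asset, duty):
    """Preventive check: True if granting `duty` on `asset` to `user` would not
    conflict with any duty that user already holds on the same asset."""
    held = {d for u, a, d in assignments if (u, a) == (user, asset)}
    return all(frozenset((duty, d)) not in CONFLICTS for d in held if d != duty)


# Constructed sample data: 'bob' both approves and records on the same ledger.
SAMPLE = [
    ("alice", "payroll-ledger", CUSTODY),
    ("bob", "payroll-ledger", AUTHORIZE),
    ("bob", "payroll-ledger", RECORD),
    ("carol", "payroll-ledger", REVIEW),
    ("bob", "inventory", CUSTODY),   # different asset: no conflict
]

if __name__ == "__main__":
    for v in find_sod_violations(SAMPLE):
        print("SoD violation:", v)
    print("dave may record on payroll-ledger:",
          can_assign(SAMPLE, "dave", "payroll-ledger", RECORD))
```

The detective check suits a periodic audit of existing entitlements, while the preventive check belongs in the approval path before a new duty is granted.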