Separation of Duties
Separation of Duties is a term defined as “a security principle that says no one person should be able to effect a breach of security” (Definition of: separation of duties, 2008). This means that no single person should be responsible, on the whole, for both the design and the implementation of security within an organization. The goal is that there is no single point of failure where one person can take advantage of a process inside a company and benefit from ill-gotten gains.
This principle is readily practiced in the area of finance and is becoming more common within the Information Technology field. For example, within the area of finance, the Department of General Services of California has a section within its State Administrative Manual that quotes the requirements of the Financial Integrity and State Manager’s Accountability Act of 1983, which “…requires that the head of each State agency establish and maintain an adequate system of internal control within their agencies. A key element in a system of internal control is separation of duties” (Department of General Services of California, 2008). The manual then goes on to list explicitly how entities are designated, the actions they may take, the number of actions each entity may take, and the level of authorization for each duty.
In general, Information Technology takes the same approach by following the same principle: certain key duties should be performed by different individuals. Such duties include physical custody of, or access to, certain assets; authorization or approval of transactions affecting those assets; recording transactions for those assets; and control or review responsibility for those assets (The University of British Columbia, 2006). By having these and other duties performed by separate individuals, a system of checks and balances is established. This also creates a system of reducing errors and/or...
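The four duty categories above (custody, authorization, recording, review) can be enforced and audited mechanically. The following is an added example, not code from the essay or any of its sources; it assumes a hypothetical entitlement table and transaction log, and checks both that no one person is granted two of these duties for the same asset (preventive) and that no one person actually performed two of them on the same transaction (detective).

```python
from itertools import combinations

# The four duty categories the essay lists for an asset (UBC, 2006).
DUTIES = ("custody", "authorization", "recording", "review")
# Constructed policy: no one person holds any two of these duties for the same asset.
CONFLICTING_PAIRS = {frozenset(pair) for pair in combinations(DUTIES, 2)}


def _conflicts(duties):
    """Yield every conflicting pair within one person's duties, in a stable order."""
    for a, b in combinations(sorted(duties), 2):
        if frozenset((a, b)) in CONFLICTING_PAIRS:
            yield a, b


def find_static_violations(assignments):
    """Preventive check on entitlements: assignments maps user -> {(asset, duty)}.
    Returns (user, asset, duty_a, duty_b) wherever one person holds two conflicting
    duties on the same asset, i.e. a single point of failure exists before any transaction."""
    violations = []
    for user, grants in assignments.items():
        by_asset = {}
        for asset, duty in grants:
            by_asset.setdefault(asset, set()).add(duty)
        for asset in sorted(by_asset):
            for a, b in _conflicts(by_asset[asset]):
                violations.append((user, asset, a, b))
    return violations


def find_transaction_violations(log):
    """Detective check on activity: log is an iterable of (txn_id, user, duty) records.
    Returns (txn_id, user, duty_a, duty_b) wherever the same person performed two
    conflicting duties on one transaction, which is what an after-the-fact review looks for."""
    performed = {}
    for txn_id, user, duty in log:
        performed.setdefault((txn_id, user), set()).add(duty)
    return [(txn_id, user, a, b)
            for (txn_id, user), duties in performed.items()
            for a, b in _conflicts(duties)]


# Constructed sample data: hypothetical users, assets and transactions.
SAMPLE_ASSIGNMENTS = {
    "alice": {("payroll", "custody"), ("payroll", "recording")},     # conflict
    "bob": {("payroll", "authorization"), ("inventory", "custody")},  # different assets, allowed
    "carol": {("payroll", "review")},
}
SAMPLE_LOG = [("T1", "bob", "authorization"), ("T1", "alice", "recording"),
              ("T2", "bob", "authorization"), ("T2", "bob", "recording")]  # T2: conflict
```

The static check belongs in access-request approval so a conflicting grant is refused up front; the transaction check runs over audit records to catch a conflict that slipped through, for example via a shared or emergency account.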
References
Definition of: separation of duties. (2008). In PCmag.com Encyclopedia [Web]. New York: The Computer Language Company Inc. Retrieved October 6, 2008, from http://www.pcmag.com/encyclopedia_term/0,2542,t=separation+of+duties&i=51110,00.asp
Department of General Services of California. (2008). State Administrative Manual. Retrieved August 6, 2008, from http://sam.dgs.ca.gov/TOC/8000/8080.htm
National Institute of Standards and Technology. (1995). An introduction to role-based access control. Retrieved October 6, 2008, from http://csrc.nist.gov/groups/SNS/rbac/documents/design_implementation/Intro_role_based_access.htm
SANS Technology Institute. (2008). Separation of Duties in Information Technology. Retrieved August 6, 2008, from http://www.sans.edu/resources/securitylab/it_separation_duties.php
The University of British Columbia. (2006, August 30). Separation of duties – The most important internal control. Retrieved October 6, 2008, from http://www.csoonline.com/article/446017/Separation_of_Duties_and_IT_Security