The purpose of segregation of duties in ISO 27001 is to ensure that a single point of compromise does not have significant impacts on the business.Conflicts can occur when two or more employees have similar or different responsibilities towards a particular task. When this happens, the employees may end up doing the same thing twice, or doing different things that cancel out each other’s efforts. This wastes corporate resources and reduces productivity, which affects both the company’s bottom line and morale.In order to make sure that your organisation does not suffer from this problem, it is important to understand what conflicting areas of responsibilities are, why they happen and how you can prevent them from occurring in your organisation. For the most part, this means separating duties so that different people handle different roles in the organisation.
Conflicting duties and areas of responsibility must be segregated in order to reduce the opportunities for unauthorized or unintentional modification or misuse of any of the organisation’s assets.The risk being that if a single post is responsible for highly privileged actions and is not monitored or controlled, then compromise of that role could result in disastrous impacts to the organisation. For example, malicious system or network admins managing the network could greatly disrupt or leak highly sensitive data if not controlled and monitored through controls. The organisation needs to ask itself whether or not the segregation of duties been considered and implemented where appropriate.To be compliant with this requirement, the organisation must be able to demonstrate that highly privileged role functions and conflicting duties/areas of responsibility are sufficiently segregated. For example, this may be achieved by providing additional layers of authorization for privileged tasks such as issuing or revoking user accounts, or system management functions. A two-man rule might be appropriate in certain circumstances, in others it may be appropriate to provide an extra layer of authorization before a task can be carried out supported by enhanced monitoring of user operations. This provides a defense in depth approach and means that any unauthorized activity can be tracked, monitored and alerted upon.
A 5.3 Segregation of Duties
Conflicting duties and conflicting areas of responsibility should be segregated.
To reduce the risk of fraud, error and bypassing of information security controls.
ISO 27002 Implementation Guidance
Segregation of duties and areas of responsibility aims to separate conflicting duties between different individuals in order to prevent one individual from executing potential conflicting duties on their own. The organization should determine which duties and areas of responsibility need to be segregated. The following are examples of activities that can require segregation:
- initiating, approving and executing a change;
- requesting, approving and implementing access rights;
- designing, implementing and reviewing code;
- developing software and administering production systems;
- using and administering applications;
- using applications and administering databases;
- designing, auditing and assuring information security controls.
The possibility of collusion should be considered in designing the segregation controls. Small organizations can find segregation of duties difficult to achieve, but the principle should be applied as far as is possible and practicable. Whenever it is difficult to segregate, other controls should be considered, such as monitoring of activities, audit trails and management supervision. Care should be taken when using role-based access control systems to ensure that persons are not granted conflicting roles. When there is a large number of roles, the organization should consider using
automated tools to identify conflicts and facilitate their removal. Roles should be carefully defined and provisioned to minimize access problems if a role is removed or reassigned.
Segregation of duties reduces the risk of intentional manipulation or error and increases the element of checking. Functions that should be separated include those of authorization, execution, custody, and recording and, in the case of a computer-based accounting system, systems development, and daily operations. Segregation of duties is the concept of having more than one person required to complete a task. Today’s automated solutions and information and communication technologies allow a few people to handle a great deal of information and processes (e.g., stock exchange operators and air traffic controllers). While this is good to improve productivity, a potential side effect is that these few people may end up gathering excessive knowledge and/or privilege over the operating environment and, in case they are absent or have malicious intent, this can prove to be an unacceptable risk, which must be handled. This is a best practice, especially in cases where sensitive data is being handled. This is seemingly obvious, but often difficult to do in practice. Essentially try to eliminate processes or situations where someone can access, change or use information assets without detection. For example network access and logging should be conducted by someone different from those authorized to use the data. If in doubt – no-one holds the keys to something from which they could gain.
Segregation of duties is a control put in place by many organizations to mitigate the risk of an insider threat or accidental employee mistakes. Sometimes this isn’t practical or possible, but the institution should be aware of the risks of a single person having too much access. Ideally, critical processes or activities should be split up between multiple people. For example, the initiation of a process, its execution, and authorization should be separated when possible. When this is not possible, monitoring and auditing critical processes are very important. Segregation of duties refers to practices where the knowledge and/or privileges needed to complete a process are broken up and divided among multiple users so that no single one is capable of performing or controlling it by himself.
The main reason to apply segregation of duties is to prevent the perpetration and concealment of fraud and error in the normal course of the activities, since having more than one person to perform a task minimizes the opportunity of wrongdoing and increases the chances to detect it, as well as to detect unintentional errors. Wrongdoing requires three factors to be possible: means, motive, and opportunity. Extremely lean processes increase the risk of wrongdoing by concentrating means and opportunity (access to and privileges over the process). By implementing segregation of duties, an organization minimizes the risk by splitting knowledge and privileges. However, the benefits of segregation of duties to security must be balanced with the increased cost/effort required. By using the ISO 27001 requirements for risk assessment, an organization can identify the most vulnerable and the most mission-critical elements of the business to which segregation of duties will represent real added value to the business and other interested parties.
The principles that can be applicable to segregation of duties are:
- Sequential separation, when an activity is broken into steps performed by different persons (e.g., solicitation, authorization and implementation of access rights)
- Individual separation, when at least two persons must approve an activity before it is done (e.g., contractor payment)
- Spatial separation, when different activities are performed in different locations (e.g., locations to receive and store raw material)
- Factorial separation, when several factors contribute to activity completion (e.g., two-factor access authentication).
These principles can be used in isolation or together, depending upon the security an organization requires to protect its processes.
Segregation can be implemented by:
- 1.Identification of functions that are indispensable to the organization’s activities, and potentially subject to abuse, considering either business drivers or regulatory compliance (e.g., SOX)
- 2.Division of the function into separate steps, either considering the knowledge necessary for the function to work or the privileges that enable that function to be abused
- Definition of one or more segregation principles to be applied to the functions. Examples of functions and segregation principles to be applied are:
- authorization function (e.g., two people need to authorize a payment)
- documentation function (e.g., one person creates a document and another approves it)
- custody of assets (e.g., backup media creation and storage in different sites)
- reconciliation or audit (e.g., one person takes inventory and another validates it )
Sometimes the segregation of duties is impractical because the organization is too small to designate functions to different persons. In other cases, breaking down tasks can reduce business efficiency and increase costs, complexity, and staffing requirements. In these situations, compensating controls should be in place to ensure that even without segregation of duties the identified risks are properly handled. Examples of compensating controls are:
- Monitoring activities: these allow activities to be supervised while in progress, as a way to ensure they are being properly performed.
- Audit trails: these enable the organization to recreate the actual events from the starting point to its current status (e.g., who initiated the event, the time of day and date, etc.).