[BreachExchange] Separation of duties and IT security

Audrey McNeil audrey at riskbasedsecurity.com
Fri Aug 4 14:28:56 EDT 2017


http://www.csoonline.com/article/2123120/government/it-audit-separation-of-duties-and-it-security.html

Separation of duties (SoD) is a key concept of internal controls and is the
most difficult, and sometimes the most costly, one to achieve. The objective
is met by distributing the tasks and associated privileges for a specific
security process among multiple people, so that no single person can carry
out a sensitive action from start to finish.

SoD is already well-known in financial accounting systems. Companies of all
sizes understand not to combine roles such as receiving checks (payment on
account) and approving write-offs, depositing cash and reconciling bank
statements, or approving time cards and having custody of paychecks.

The concept of SoD became more relevant to the IT organization when
regulatory mandates such as Sarbanes-Oxley (SOX) and the Gramm-Leach-Bliley
Act (GLBA) were enacted. A very high portion of SOX internal control
issues, for example, come from or rely on IT. This forced IT organizations
to place greater emphasis on SoD across all IT functions, especially
security.

Now a new regulatory mandate, the EU's General Data Protection Regulation
(GDPR), set to take effect in May 2018, will require the C-suite to take a
hard look at how the corporate organization chart supports the new
regulation, and possibly to rethink how the required SoD will deliver GDPR
compliance and pass audit.

What is SoD?

SoD, as it relates to security, has two primary objectives. The first is
the prevention of conflicts of interest (real or apparent), wrongful acts,
fraud, abuse and errors. The second is the detection of control failures,
including security breaches, information theft and circumvention of
security controls. Correct SoD is designed to ensure that individuals do
not have conflicting responsibilities and are not responsible for reporting
on themselves or their superior.

There is an easy test for SoD. First, ask if any one person can alter or
destroy your financial data without being detected. Second, ask if any one
person can steal or exfiltrate sensitive information. Third, ask if any one
person has influence over controls design, implementation and reporting of
the effectiveness of the controls. The answers to all these questions
should be “no.” If the answer to any of them is “yes,” then you need to
rethink the organization chart to align with proper SoD.

Moreover, the individual responsible for designing and implementing
security must not be the same person as the person responsible for testing
security, conducting security audits or monitoring and reporting on
security. The reporting relationship of the individual responsible for
information security should no longer be to the CIO, as has traditionally
been the case.

Here are a few possible ways to accomplish proper SoD:

- Have the individual responsible for information security report to the
chairman of the audit committee.
- Use a third party to monitor security, conduct surprise security audits
and security testing. They report to the board of directors or the chairman
of the audit committee.
- Have an individual (CISO) responsible for information security report to
the board of directors.
- Have the individual (CISO) responsible for information security report to
internal audit as long as internal audit does not report to the executive
in charge of finances like the CFO.
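To make the test concrete, the following is an added example (it is not from the article or from CSO Online) that encodes the rules above as an SoD conflict check over a duty assignment and an org chart. A build-side duty (designing or implementing security) held together with a check-side duty (testing, auditing or monitoring it) is flagged as a toxic combination; a check-side holder whose management chain owns a build-side duty is flagged as reporting on their superior; and the security lead's reporting line is checked against the options listed (CIO flagged, internal audit flagged only if it reports to the CFO). The duty names, the three capability pairs standing in for the three test questions, and the sample organisation are assumptions constructed for illustration.

```python
"""Separation-of-duties (SoD) checks over a duty assignment and an org chart.

Added example, not the article's own material. The conflict rules follow
the article: whoever designs or implements security must not test, audit
or monitor it; nobody reports on themselves or their superior; the
security lead does not report to the CIO, nor to internal audit when
internal audit reports to the CFO. Duty names, the capability pairs that
stand in for the three test questions, and the sample organisation are
constructed assumptions.
"""
from itertools import combinations

# Build-side duties and check-side duties for security.
BUILD = {"design_security", "implement_security"}
CHECK = {"test_security", "audit_security", "monitor_security"}

# Conflict matrix: every (build, check) pair is toxic. The last three
# pairs are assumed stand-ins for the article's questions: alter financial
# data undetected, exfiltrate undetected, and own both the design and the
# effectiveness reporting of controls.
TOXIC_PAIRS = {frozenset((b, c)) for b in BUILD for c in CHECK} | {
    frozenset(("modify_financial_data", "review_financial_audit_log")),
    frozenset(("access_sensitive_data", "triage_dlp_alerts")),
    frozenset(("design_controls", "report_control_effectiveness")),
}


def toxic_combinations(assignments):
    """Return (person, duty_a, duty_b) for each toxic pair one person holds."""
    hits = []
    for person, duties in sorted(assignments.items()):
        for a, b in combinations(sorted(duties), 2):
            if frozenset((a, b)) in TOXIC_PAIRS:
                hits.append((person, a, b))
    return hits


def chain_of_command(person, reports_to):
    """Yield each manager above `person`, stopping at the top or on a cycle."""
    seen = {person}
    while person in reports_to and reports_to[person] not in seen:
        person = reports_to[person]
        seen.add(person)
        yield person


def reporting_on_superior(assignments, reports_to):
    """Find check-duty holders whose management chain holds a build duty.

    Such a person would be auditing or monitoring work owned by their own
    superior, which the article rules out.
    """
    hits = []
    for person, duties in sorted(assignments.items()):
        if not duties & CHECK:
            continue
        for boss in chain_of_command(person, reports_to):
            if assignments.get(boss, set()) & BUILD:
                hits.append((person, boss))
    return hits


def security_lead_reporting_line(lead, reports_to, titles):
    """Check the security lead's reporting line against the article's options.

    Reporting to the CIO is flagged; reporting to internal audit is flagged
    only if internal audit itself reports to the CFO. Anything else (board,
    audit committee chair) is accepted.
    """
    boss = reports_to.get(lead)
    if boss is None:
        return "no manager recorded"
    if titles.get(boss) == "CIO":
        return "security lead reports to the CIO"
    if titles.get(boss) == "Internal Audit":
        if any(titles.get(b) == "CFO" for b in chain_of_command(boss, reports_to)):
            return "security lead reports to internal audit, which reports to the CFO"
    return "ok"


def sod_report(assignments, reports_to, titles, lead):
    """Run all three checks and return their findings in one dict."""
    return {
        "toxic_combinations": toxic_combinations(assignments),
        "reporting_on_superior": reporting_on_superior(assignments, reports_to),
        "security_lead": security_lead_reporting_line(lead, reports_to, titles),
    }


# Constructed sample organisation (assumed, not from the article):
# dana (CISO) builds and monitors security and reports to carl (CIO);
# erin audits security but reports to dana; fay both edits the ledger
# and reviews its audit log; hal (Internal Audit) reports to bob (CFO).
SAMPLE_ASSIGNMENTS = {
    "dana": {"design_security", "implement_security", "monitor_security"},
    "erin": {"audit_security"},
    "fay": {"modify_financial_data", "review_financial_audit_log"},
    "gus": {"access_sensitive_data"},
    "ian": {"triage_dlp_alerts"},
}
SAMPLE_REPORTS_TO = {"erin": "dana", "dana": "carl", "carl": "board",
                     "fay": "carl", "hal": "bob", "bob": "carl"}
SAMPLE_TITLES = {"carl": "CIO", "bob": "CFO", "hal": "Internal Audit",
                 "dana": "CISO"}

if __name__ == "__main__":
    for check, finding in sod_report(SAMPLE_ASSIGNMENTS, SAMPLE_REPORTS_TO,
                                     SAMPLE_TITLES, "dana").items():
        print(f"{check}: {finding}")
```

Against the sample organisation the first check flags dana (design and implement held together with monitor) and fay (ledger edits plus audit-log review), the second flags erin for auditing work owned by her own manager, and the third flags the CISO's reporting line to the CIO. Moving dana under hal is still flagged, because hal's internal audit function reports to the CFO; moving her under the board passes.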

How the GDPR affects security SoD

The GDPR requires businesses to protect the personal data and privacy of
individuals in the EU for transactions that occur within EU member states.
The GDPR also regulates the transfer of personal data outside the EU. The
regulation also spells out the roles within companies that are responsible
for carrying out and reporting on its requirements. Companies therefore
need to review it carefully, apply the necessary changes to customer data
use and protection policies, and ensure compliant SoD.

The roles that the GDPR expects to be responsible for ensuring compliance
are data controller, data processor and the data protection officer (DPO).
The data controller defines how personal data is processed and the purposes
for which it is processed. The controller is also responsible for making
sure that outside contractors comply.

Data processors may be the internal groups that maintain and process
personal data records, or any outsourcing firm that performs all or part of
those activities. The GDPR holds processors liable for breaches and
non-compliance. It is possible, then, that both your company and a
processing partner such as a cloud provider will be liable for penalties.

The GDPR requires controllers and processors that meet certain criteria to
designate a DPO to oversee data protection strategy and GDPR compliance.
Companies required to have a DPO are those that process or store personal
data of individuals in the EU on a large scale, process or store special
categories of personal data, regularly monitor data subjects, or are a
public authority.

The GDPR clearly stipulates internal record-keeping requirements, and that
DPO appointment is mandatory for those controllers and processors whose
core activities consist of processing operations that require regular and
systematic monitoring of data subjects on a large scale, or large-scale
processing of special categories of data or of data relating to criminal
convictions and offenses.

The DPO, then, is a pivotal role for ensuring compliance. The GDPR states
that the DPO:

- Must be appointed on the basis of professional qualities and, in
particular, expert knowledge on data protection law and practices
- May be a staff member or an external service provider
- Must be provided with appropriate resources to carry out their tasks and
maintain their expert knowledge
- Must report directly to the highest level of management
- Must not carry out any other tasks that could result in a conflict of
interest

The importance of SoD for security

The issue of SoD in security continues to be significant. It is imperative
that there be separation between the operation, development and testing of
security and of all other controls, to reduce the risk of unauthorized
activity or access to operational systems or data. Responsibilities must be
assigned to individuals in such a way as to build checks and balances into
the system and minimize the opportunity for unauthorized access and fraud.

Remember, the control techniques surrounding SoD are subject to review by
external auditors. Auditors have in the past listed this concern as a
material weakness in the audit report when they determined the risks were
great enough. It is just a matter of time before the same is done for IT
security. For this reason, as well as for objectivity, why not discuss
separation of duties as it relates to IT security with your external
auditors? Learning what they view as necessary in your particular case can
save you a lot of aggravation, cost and political infighting.

