Separation of duties is a common policy wherever people handle money: no single person can both initiate and approve a transaction, so fraud requires the collusion of two or more parties, which greatly reduces the likelihood of crime. Information should be handled the same way. Separation of duties as it relates to information systems is not just a possible Sarbanes-Oxley issue; it is a requirement for PCI compliance as well. It is therefore imperative that the organizational structure be designed so that no individual acting alone can compromise security controls. There are five primary options for achieving separation of duties in the information security space. This list is in order of acceptability based on my experience.
- Option 1: Have the individual responsible for information security report to a chief security officer (CSO) who is responsible for both information security and physical security, with the CSO reporting directly to the CEO.
- Option 2: Have the individual responsible for information security report to the Chairman of the Audit Committee.
- Option 3: Use a third party to monitor security, conduct surprise security audits and perform security testing, with that third party reporting to the Board of Directors or the Chairman of the Audit Committee.
- Option 4: Have the individual responsible for information security report to the Board of Directors.
- Option 5: Have the individual responsible for information security report to internal audit, as long as internal audit does not report to the executive in charge of finances, such as the CFO.
The issue of separation of duties is growing in importance. A lack of clear and concise responsibilities for the CSO and CISO has fueled confusion. It is imperative that the operation, development and testing of security controls, and of all other controls, be separated from one another, so that the person who builds or changes a control is never the same person who tests, approves or operates it. This reduces the risk of unauthorized activity or unauthorized access to operational systems or data. Responsibilities must be assigned to individuals in such a way as to mandate checks and balances within the system and minimize the opportunity for unauthorized access and fraud.
Remember, the control techniques surrounding separation of duties are subject to review by external auditors. Auditors have in the past reported this concern as a significant deficiency or a material weakness on the audit report when they determined the risk was great enough. It is just a matter of time before the same is done for IT security. For these reasons, as well as for objectivity, why not discuss separation of duties as it relates to IT security with your external auditors? Learning what they view as necessary in your particular case can save you a great deal of aggravation, cost and political infighting.
Kevin G. Coleman is a fifteen-year veteran of the computer industry. A Kellogg School of Management Executive Scholar, he is a former chief strategist of Netscape. He is now a Senior Fellow and International Strategic Management Consultant with the Technolytics Institute, an executive think-tank. He has published over sixty articles covering security and defense-related matters, including UnRestricted Warfare and Cyber Warfare & Weapons. In addition, he has testified before the US Congress on cyber security and is a regular speaker at security industry events and the Global Intelligence Summit.