Separation of Duties
A common theme in compliance requirements is to reduce the ability of any one element to compromise data security. In the User Domain, this means that no single person should have the ability to bypass security controls that protect data. Each computer user’s role should limit the scope of permitted actions.
Most computer systems restrict access to deny unauthorized users. The first step in gaining access to data is to identify yourself to the information system and authenticate your identity. This process commonly involves providing a user ID and a password. Once you are identified and authenticated, the operating system grants authority in the form of permissions and rights. These permissions and rights are defined by your assigned roles. You can only accomplish what your assigned roles allow.
The concept of separation of duties requires that users from at least two distinct roles be required to accomplish any business-critical task. This means that users from at least two roles must collude to compromise data security. Although collusion is still possible, it is far less likely than if a single user could gain exclusive access to sensitive data without anyone else looking. Going further, separation of duties helps avoid conflicts of interest. For example, the role of administering a system should not be the same role that audits that system for potential compliance violations. Table 8-1 contains some examples of separation of duties in IT environments. Figure 8-4 illustrates separation of duties in an IT environment.
TABLE 8-1 Examples of separation of duties in an IT environment.
| Role Restriction | Description |
|---|---|
| Only grant limited access for external personnel to the computer and files they need for the current project. | External personnel can help complete projects but should have limited access to resources. This restriction helps reduce the number of people who have access to each part of a system and reduces the opportunities for data compromise. |
| Prohibit all access to production environments for developers. | Developers have the ability to write programs that access sensitive data and should not have the ability to bypass configuration-management controls. Configuration-management controls require a separate role to promote software from development to production. |
| Do not allow general administrative users to create backups of critical data. | It is easy to create backups on media that fit in a pocket. Create a role for backup operators and only allow a small number of individuals to create backups. |
FIGURE 8-4 Separation of Duties
The problem is that excessive access rights represent a serious security risk. As an individual changes role, that person’s access rights must be adjusted. Prior access rights that are no longer needed must be removed. New access rights must be properly approved and granted. This change is for the employee’s protection as much as it is for the organization. When a security incident occurs, one of the first steps is to identify who may have had access. This is accomplished by reviewing individuals’ access rights. Employees can avoid suspicion when they have no access to affected systems, applications, and information. Removing unneeded access also reduces security vulnerabilities. In the event an employee’s ID and password are compromised, hacked access rights would be contained within the employee’s current role. Consider the following example:
In a bank, a teller may be able to initiate the process of sending money between banks from one account to another. This is an important service needed to provide commercial customers. Before the money is sent, however, the bank manager must approve the transfer. This dual control creates a separation of duties to reduce fraud. If the manager was once a teller and retained access to transfer rights, then there is a serious security risk. The employee in this scenario could start and approve the transfer of money.