Validating Security Operations and Administration Roles, Responsibilities, and Accountabilities Throughout the IT Infrastructure

There are many different roles for security operations and administration across the IT infrastructure. Security operations and administration are responsible for implementing the policy framework that protects the confidentiality, integrity, and availability of the company’s information and supporting technologies. These operations rest first on identifying and classifying the information and information systems and assigning ownership of them, and then on implementing and maintaining the controls appropriate to that classification.

The tasks include managing authentication and access controls, security hardware, and security software. Security operations and administration personnel are directly involved in implementing and administering the controls that restrict access to those who are authorized. They also maintain the systems that prevent fraud, policy violations, and other malicious or unintentional breaches of confidentiality, integrity, and availability.

Those assigned to protect assets are not above committing irregular or illegal acts. In fact, without proper controls in place, such acts are easier for them to commit than for anyone else, because they already hold the access. This includes fraud, theft, suppression of information, and other legal violations. Examples of safeguards that need to be verified include the following:

  • Security operation policies—Policies form the foundation for holding staff accountable. Policies define the behaviors that must be complied with by security and administration personnel. Periodically testing the staff on the organization’s policies helps increase accountability.

  • Assignment of responsibilities—Those assigned with security and administration roles need to have clear expectations and responsibilities. This helps foster and enforce accountability within the individual roles.

  • Maintenance procedures—These provide clear guidance for the security operations and administration staff in the performance of their duties to prevent misconfigurations and errors.

  • Segregation of duties—Segregation of duties (SOD) divides roles and responsibilities so that no single individual or group can undermine a critical process. From an IT perspective this includes, for example, separating the development, testing, and production environments to prevent unauthorized changes, and ensuring that the person who approves a configuration change is not the person who implements it. Segregation of duties is also referred to as separation of duties or separation of responsibilities.

  • Rotation of duties—Rotation of duties moves employees periodically into different functions. Segregation of duties can still be circumvented by two or more people colluding; rotating them out of their roles breaks up such arrangements and puts a fresh set of eyes on work that may have been concealing irregularities.

  • Least privilege—The safeguard of least privilege involves users having access only to what they need to perform their duties.

  • Mandatory vacation—For sensitive positions, a vacation of at least one consecutive week should be required. This reduces the opportunity for an employee to commit unethical or illegal acts that depend on continuous presence to conceal. It also allows others to fill in for the position and verify the work being performed.

  • Screening—Employees responsible for managing security and sensitive data within an organization should be carefully screened prior to employment. This includes background checks, for example, to ensure the individuals are suited for the position.

  • Training and awareness—A continuous program of training is necessary to ensure employees understand the responsibilities associated with their duties and are adequately prepared to perform them effectively.

Security operations and administration personnel need to be held accountable. Strong accountability also serves the goal of preventing fraud and inappropriate use.

Separation of Duties

A foundational component of internal control is the segregation of duties (SOD) for high-risk transactions. The underlying SOD concept is that no individual should be able to execute a high-risk transaction and conceal errors or fraud in the normal course of their duties.

Layered security can itself be a form of SOD: two or more independent layers of control are applied so that risk is reduced even when one layer fails. The approach relies on the redundancy of the layers, so if one layer fails to catch a risk or threat, the next should. In principle, the more layers, the greater the reduction in risk and threat. In practice, each added layer also makes the process more burdensome and expensive, so the cost of a layer must be balanced against the risk reduction it returns.

A key area where SOD is applied is in managing access to the administrative accounts of operating systems (known as “root”-level access). If these accounts are accessed by unauthorized users, the impact on the organization is high. Typical SOD controls for these accounts include the following:

  • Keeping the group of administrators small and well managed

  • Unlocking elevated permissions only when needed, rather than granting standing administrative access

  • Prohibiting administrators from reviewing business content files and folders, such as client files
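The three controls above, together with least privilege, can be checked rather than merely asserted. The script below is an added example (not from the original text or any vendor tool) that audits a UNIX-style group file and sudoers file for a small admin group, per-use rather than standing elevation, and administrative rules that reach into business content. The /etc/group and /etc/sudoers content it reads is constructed for illustration; the three-administrator limit and the /srv/clients path are assumed policy values, not figures from the text.

```python
"""Audit UNIX group membership and sudoers rules against the root-access
SOD controls above: a small admin group, elevation only when needed, and no
administrative reach into business content.  Added example; the /etc/group
and /etc/sudoers text below is constructed, and the policy limit and the
/srv/clients path are assumptions, not values from the text."""
import re

ADMIN_GROUPS = ("wheel", "sudo")         # groups that confer root-level rights
MAX_ADMINS = 3                           # assumed policy limit on admin head count
BUSINESS_DATA_PATHS = ("/srv/clients",)  # assumed location of client files

# user-spec line:  who  hosts = (runas) TAG: TAG: command
SPEC = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\))?\s*((?:[A-Z]+:\s*)*)(.+)$")


def parse_group_file(text):
    """Return {group: [members]} from /etc/group-style lines."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _pw, _gid, members = line.split(":", 3)
        groups[name] = [m for m in members.split(",") if m]
    return groups


def parse_sudoers(text):
    """Yield (who, runas, tags, cmd) for user-spec lines.  Defaults, alias
    and include directives are skipped; this parser is deliberately minimal."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults", "@include")) or "_Alias" in line:
            continue
        m = SPEC.match(line)
        if not m:
            continue
        who, _hosts, runas, tags, cmd = m.groups()
        tag_list = tags.replace(" ", "").rstrip(":").split(":") if tags else []
        yield who, runas or "root", tag_list, cmd.strip()


def privileged_users(groups):
    """Everyone who is a member of any root-conferring group."""
    return sorted({m for g in ADMIN_GROUPS for m in groups.get(g, [])})


def audit(group_text, sudoers_text):
    """Return a list of findings; an empty list means the controls hold."""
    findings = []
    admins = privileged_users(parse_group_file(group_text))
    if len(admins) > MAX_ADMINS:
        findings.append(f"admin group too large: {len(admins)} > {MAX_ADMINS}: {admins}")
    for who, runas, tags, cmd in parse_sudoers(sudoers_text):
        if cmd == "ALL" and "NOPASSWD" in tags:
            findings.append(f"{who}: standing passwordless root (NOPASSWD: ALL)")
        elif cmd == "ALL" and not who.startswith("%"):
            findings.append(f"{who}: unrestricted ALL rule granted directly to a user")
        for path in BUSINESS_DATA_PATHS:
            if path in cmd:
                findings.append(f"{who}: rule reaches business content {path}: {cmd}")
    return findings


# Constructed sample input: five distinct people hold root-conferring membership.
GROUP_SAMPLE = """\
root:x:0:
wheel:x:10:alice,bob,carol,dave
sudo:x:27:alice,erin
backup:x:34:
"""

# Constructed sample input: the weak rule and its corrected form side by side.
SUDOERS_SAMPLE = """\
# re-authenticate on every sudo: elevation is unlocked per use, not held open
Defaults    timestamp_timeout=0
%wheel  ALL=(ALL:ALL) ALL
# weak: standing passwordless root for one person
bob     ALL=(ALL) NOPASSWD: ALL
# corrected form of the same need: one command, one target, password required
alice   ALL=(root) /usr/sbin/service nginx restart
# violates the 'no review of business content' rule
dave    ALL=(root) /usr/bin/less /srv/clients/*
"""

if __name__ == "__main__":
    for finding in audit(GROUP_SAMPLE, SUDOERS_SAMPLE):
        print("FINDING:", finding)
```

Run against the sample it reports three findings: the admin population exceeds the limit, bob holds standing passwordless root, and dave's rule lets an administrator read client files. The alice rule and the password-gated %wheel rule pass, which is the shape the controls call for: a named command for a named purpose, unlocked with a fresh authentication each time.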
