
The Necessity of SoD


Segregation of duties (SoD) has long guided audit and accounting systems; nevertheless, many IT security controls imposed by recent trends and regulations can be viewed through its lens.

Privacy by design and privacy by default, for example, as required by the new EU regulation recently approved by the European Parliament, require that duties are well separated and roles are well defined from the beginning.

Privacy by design must be introduced in the design of processes and in the design of systems and tools. For example, a client recently asked for a solution to make service desk personnel able to reset user passwords without knowing the user’s new password and without resorting to self-service password reset. This requires not only a supporting tool but also a sound access management process in which SoD is the central issue.
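The reset flow described above can be modelled as two separated duties: the service desk agent verifies the caller and issues a single-use, time-limited reset token that is delivered to the user's own channel, and the user alone chooses and submits the new password. The following is an added illustration, not the client's tool or any product; the class name `HelpDeskResetService`, the 15-minute validity, the `outbox` standing in for the user's delivery channel, and PBKDF2 as the password hash are all assumptions.

```python
"""Help-desk-assisted password reset in which the agent never learns the new
password.  Added example; names, TTL and hashing choice are assumptions."""
import hashlib
import hmac
import secrets
import time

RESET_TTL_SECONDS = 15 * 60  # assumption: a reset token is valid for 15 minutes


def _hash_token(token: str) -> str:
    # Only a hash of the token is stored, so a leaked table does not expose live tokens.
    return hashlib.sha256(token.encode()).hexdigest()


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever password hashing the real directory uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class HelpDeskResetService:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.users = {}    # username -> {"salt": bytes, "pw_hash": bytes}
        self.pending = {}  # token hash -> {"user", "expires", "issued_by"}
        self.outbox = []   # (username, token): stands in for the user's verified channel
        self.audit = []    # append-only trail of who issued and who completed a reset

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = {"salt": salt, "pw_hash": _hash_password(password, salt)}

    # Duty 1: the agent, after identifying the caller, triggers a reset.
    # The agent gets back only a ticket reference; the token goes to the user.
    def issue_reset(self, agent, username):
        if username not in self.users:
            raise KeyError("unknown user")
        token = secrets.token_urlsafe(32)
        self.pending[_hash_token(token)] = {
            "user": username,
            "expires": self.clock() + RESET_TTL_SECONDS,
            "issued_by": agent,
        }
        self.outbox.append((username, token))
        ticket = secrets.token_hex(4)
        self.audit.append(("issue", ticket, agent, username))
        return ticket

    # Duty 2: the user redeems the token and sets the password with no agent involved.
    def complete_reset(self, token, new_password):
        entry = self.pending.pop(_hash_token(token), None)  # pop makes the token single-use
        if entry is None:
            raise PermissionError("invalid or already used token")
        if self.clock() > entry["expires"]:
            raise PermissionError("token expired")
        user = self.users[entry["user"]]
        user["salt"] = secrets.token_bytes(16)
        user["pw_hash"] = _hash_password(new_password, user["salt"])
        self.audit.append(("complete", entry["user"], entry["issued_by"]))
        return entry["user"]

    def verify(self, username, password):
        user = self.users[username]
        return hmac.compare_digest(user["pw_hash"], _hash_password(password, user["salt"]))
```

The audit trail records both halves of the transaction, so a reviewer can later match every completed reset to the agent who initiated it; this is what lets the separated duties be checked after the fact rather than merely asserted.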

On the market side, the segregation between development and operations functions blurs with the widespread adoption of movements such as Development and Operations (DevOps), but SoD must still be achieved. This can be obtained by properly differentiating duties, e.g., responsibilities of the different environments (development, test, production).
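One way the differentiated duties across environments can be enforced rather than only documented is a conflict matrix checked against role assignments, both as a periodic detective review and as a preventive check before a new role is granted. This is an added example and not code from the article or ISACA; the role names (`dev:commit`, `prod:deploy`, and so on), the conflict pairs and the sample assignments are constructed for illustration.

```python
"""SoD conflict check over environment roles.  Added example; the role
catalogue, conflict pairs and sample assignments are constructed assumptions."""
from itertools import combinations

# Pairs of duties that one person must not hold at the same time (assumption,
# modelled on the development / test / production separation in the text).
CONFLICTS = {
    frozenset({"dev:commit", "prod:deploy"}),       # writes code and ships it to production
    frozenset({"test:approve", "prod:deploy"}),     # signs off testing and deploys the result
    frozenset({"prod:db-admin", "test:data-load"}), # could move production data into test
}

# Constructed sample of current role assignments: user -> set of roles.
ASSIGNMENTS = {
    "dana": {"dev:commit", "test:run"},
    "eli": {"dev:commit", "prod:deploy"},
    "fay": {"prod:db-admin", "test:data-load", "test:run"},
    "gus": {"prod:deploy"},
}


def find_violations(assignments):
    """Detective check: every (user, role_a, role_b) whose pair is a known conflict."""
    violations = []
    for user, roles in assignments.items():
        for a, b in combinations(sorted(roles), 2):
            if frozenset({a, b}) in CONFLICTS:
                violations.append((user, a, b))
    return sorted(violations)


def would_violate(assignments, user, new_role):
    """Preventive check: roles the user already holds that conflict with new_role.
    An empty list means the grant keeps the assignment SoD-clean."""
    held = assignments.get(user, set())
    return sorted(r for r in held if frozenset({r, new_role}) in CONFLICTS)


if __name__ == "__main__":
    for user, a, b in find_violations(ASSIGNMENTS):
        print(f"SoD violation: {user} holds both {a} and {b}")
    print("grant prod:deploy to dana blocked by:", would_violate(ASSIGNMENTS, "dana", "prod:deploy"))
```

Running the detective check on the sample flags `eli` (commits code and deploys it) and `fay` (administers the production database and loads test data), while the preventive check refuses `prod:deploy` for `dana` because she already commits code. Where a conflict cannot be removed, the same table is the place to record the compensating control that is accepted instead.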

Enforcing controls by means of the appropriate tools is an important issue, and it may lead to higher levels of segregation. For example, for a long time the common practice has been to use (masked) data from the production databases in the test environment; now, some tools are available that synthesize artificial test data for use in the test environments. Such tools provide better coverage, enhanced privacy and effective segregation between environments. This helps test data and production data remain separated, and the responsibilities of the test and the operations teams remain separated as well. In this case, segregation encompasses data in addition to duties.

New technologies, new regulations (e.g., EU’s data protection regulation, the ISO 25000 family of standards on data quality) and new trends such as DevOps introduce new requirements and new risk.

SoD can be used within a consistent risk assessment framework, e.g., COBIT® 5 for Risk, both as a security control and as a magnifying lens that can help spot IT risk.

Read Stefano Ferroni’s recent Journal article: “Implementing Segregation of Duties,” ISACA Journal, volume 3, 2016.

Stefano Ferroni, CISM, ISO 27001 LA, ITIL Expert

[ISACA Journal Author Blog]

About @PhilipHungCao

@PhilipHungCao, CISM, CCSP, CCSK, CASP, CIW-WSP, GICSP, PCNSE, ACSP, CCDA, DCSE, JNCIA, MCTS, MCSA, VCP5-DCV, VCP6-NV, ZCNT is a #TekF@rmer. He has 16 years' experience in ICT/Cybersecurity industry in various sectors & positions.
