Segregation of duties (SoD) has been a source of guidance for audit and accounting systems for a long time; nevertheless, many IT security controls imposed by recent trends and regulations can be viewed through its lenses.
Privacy by design and privacy by default, for example, as required by the new EU regulation recently approved by the European Parliament, require that duties are well separated and roles are well defined from the beginning.
Privacy by design must be introduced in the design of processes and in the design of systems and tools. For example, a client recently asked for a solution to make service desk personnel able to reset user passwords without knowing the user’s new password and without resorting to the self-help password reset. This does not only require a supporting tool but also a sound access management process in which SoD is the central issue.
On the market side, the segregation between development and operations functions blurs with the widespread adoption of movements such as Development and Operations (DevOps), but SoD must still be achieved. This can be obtained by properly differentiating duties, e.g., responsibilities of the different environments (development, test, production).
Enforcing controls by means of the appropriate tools is an important issue, and it may lead to higher levels of segregation. For example, for a long time the common practice has been to use (masked) data from the production databases in the test environment; now, some tools are available that synthetize artificial test data to be used in the test environments. Such tools guarantee better coverage and enhanced privacy and effective segregation between environments. This helps test data and production data remain separated, and responsibilities of the test and the operations teams remain separated as well. Segregation encompasses data in addition to duties in this case.
New technologies, new regulations (e.g., EU’s data protection regulation, the ISO 25000 family of standards on data quality) and new trends such as DevOps introduce new requirements and new risk.
SoD can be used within a consistent risk assessment framework, e.g., COBIT® 5 for Risk, both as a security control and as a magnifying lens that can help spot IT risk.
Read Stefano Ferroni’s recent Journal article:
“Implementing Segregation of Duties,” ISACA Journal, volume 3, 2016.
Stefano Ferroni, CISM, ISO 27001 LA, ITIL Expert
[ISACA Journal Author Blog]