ISO Archives

Segregation of duties in IT security is one of the most basic ways to protect your environment. ISO/IEC 27001 requires separation of duties and responsibilities that potentially conflict. In doing this, your organization lowers the risk of both malicious and accidental modification or misuse. In addition, the standard incorporates these conflicting duties and areas as part of the ongoing risk assessment.

Why Segregation of Duties in IT Matters

The first reason businesses segregate duties is to prevent a conflict of interest, wrongful act, fraud, abuse, or error. The second reason is to make sure that any control failures are detected. If an employee is responsible for reporting on themselves or their superior, their fear of repercussion may impede them from fixing a faulty control.

At the most basic level, no single person should be able to change or destroy information without others noticing. However, you also have to make sure that all sensitive information is appropriately protected. Finally, the person who controls the design and implementation of IT controls needs to be different from the person who reports on how well those controls work.

Fundamentally, internal and external audit function as ways to incorporate segregation of duties. Since internal audit may have a vested interest in not reporting problems, external audits are the gatekeepers for internal audit.
While these multiple control layers can feel redundant or excessive, the financial risk and reputational cost associated with misused information can ruin your business. Keeping access and reporting segregated ensures ongoing compliance.

How to Segregate Job Functions

While businesses normally think of segregating duties in IT controls as a matter of software or hardware safety, the reality is that employees present the largest risk to most companies. Whether you do it purposefully or accidentally, segregating your employees’ access and duties within your organization is one of the best ways to protect your physical and technological assets.

As with any other controls you put in place, documentation of how you separate the different employee duties is key to compliance. To make sure that the appropriate employees have the correct access, you need to align job descriptions with software settings. To do this, you need to make sure that you have an effective user access review program in place.

In assigning access based on job function, you want to start by assessing risk. For example, if the same person who reviews time cards also has custody of paychecks, this poses a huge risk of fraud. Most businesses recognize this and separate those job roles.

What Steps Help Segregate Duties

Sometimes the types of duties clearly lend themselves to segregation from one another. Sometimes, however, the conflict of interest is embedded within the overall function.

Dividing the functions necessary to your organization acts as the first step. Once you have done this, you need to break down those functions into their discrete parts. Think about it like breaking apart a machine, comprised of many intricate gears that integrate to function fully. However, some gears are more vital than others for the machine’s efficiency. A weakness in one area can compromise the whole machine.
The same is true with companies. Breaking out your functions into their individual steps allows you to see points of potential abuse or weakness. Moreover, should a function be compromised, you can better track the source of the problem if you know the steps involved.

Once you determined the various points of potential weakness, you need to segregate the duties. There are several ways to do this. Authorization function requires two people to give approval for something. Documentation function requires that one person write down the function while another approves it. Custody of assets means that you put creation and storage of information in two different places. Reconciliation or audit means that one person takes inventory while the other reviews the work for completeness.

How GRC Automation Helps Track Controls Over Segregation of Duties in IT

When a single function can be broken down into multiple steps, tracking the controls can become frustrating. For a small organization, the functions might be easy to track because there are a limited number of employees.

Once an organization incorporates startup budget constraints, its management often chooses to organize these controls in spreadsheets. However, as the company expands and matures, so do the processes.

Being able to more efficiently map job descriptions to employee access means having stronger controls. Automation allows clearer visibility into how functions are separated into their parts and how those parts work to create a whole. By having a single source of truth, you can see all of your internal controls in one place and ensure that the appropriate segregations have been established.

How to Use Audit to Help with Segregation of Duties in IT

Traditionally, your CIO has handled reporting on the end testing controls. However, since the CIO oversees and designs implementation, they have a vested interest in the controls’ effectiveness. This is one of the reasons that having both a CISO and CIO matters.

Audit, however, has an interest only in testing the controls. This means that having an audit function automatically segregates duties over the controls. The question then becomes, why have an internal and external audit?

Your internal audit function is a self-assessment of your business. Pretend to be your internal auditor for a moment. Controls cost money. As the internal auditor, your job is to make sure those controls are appropriate. However, when you tell those in charge of the controls that problems exist, they get upset. Sometimes, the Board gets upset. Sometimes, the boss gets upset.

Though this is the internal auditor’s job, corporate culture can lead the internal auditor to prioritize protection of themselves or the departments with whom they work over robust information security. Perhaps they massage the message. If that happens, the report may technically note issues in the controls, but may do so in a way that makes it seem less important.

The potential for that conflict of interest means that external audit acts as balance to internal politics. Moreover, it acts as a check on internal audit’s capabilities. This shores up your compliance program. In many ways, this offers a segregation of duties that provides a check and balance similar to tripartite government.

You need both an external audit and or an internal auditor to monitor your controls most effectively. Your internal auditor helps monitor your organization with a sense of how your company works. They provide you with someone who knows your business and can continually monitor your controls. Your external auditor provides an entirely independent review unconnected to your company’s internal politics, offering insights that come from a fresh set of eyes.

How Using Automation Creates Better Audit Outcomes

Automation provides a single source of truth for audits. Internal audit needs to work with external audit to both create and disseminate documentation of your controls.
Internal audit contacts individuals to get documentation that supports the written segregation processes. However, this information gathering can be cumbersome. Multiple emails with various individuals can lead to ongoing communication problems.

GRC automation facilitates the scheduling of tracking and notifications. In addition, instead of having to spend time sifting through emails to track down responses, internal audit can review the submissions in one place. This single source of truth then provides the internal audit function with the appropriate documentation for external audit.

Streamlining the documentation process leads to greater cost savings when it comes to time spend on audit work. Internal audit can spend more time on the review process and focus more on the details of reconciliation. External audit can see more clearly into your organization’s compliance stance. All of this leads to stronger audit ratings and faster audits.

Auditing segregation of duties in IT helps keep your company free from fraud and creates greater security over your information assets. Using GRC automation to create a single source of truth for your audits provides a value add by lowering the amount of time spent on mundane administrative work.

For more information about how GRC automation offers efficiency and cost savings, watch our on-demand webinar, “6 Time Saving Steps to Simplifying Your GRC Strategy.”

The ISO Framework is one of the basics of information security and its controls. While many managers focus on computers and their controls, risk management principles in ISO 27001 are changing the way you need to approach compliance. This focus on the technology side can often lead to a compliance gap. New to the task of managing ISO compliance software? Below is a basic understanding of ISO 27001 and some tips towards achieving compliance.

What is ISO 27001?
ISOs are internationally agreed upon standards for information security. ISO 27001 creates a set of rules giving managers discrete steps to follow. These steps organize their information systems and ensure ongoing security compliance. Since ISOs are not regulated by a single governmental entity, businesses specifically choose to engage in compliance and certification to strengthen their security standards. These actions important because they help increase customer confidence.

The International Organization for Standards (or “ISO”) developed the / and defines it as a “family of standards [that] will help your organization manage the security of assets such as financial information, intellectual property, employee details or information entrusted to you by third parties.” In other words, ISO 27001 not only covers a corporation’s internal information, it covers third party providers as well. Since ISO 27001 is a living document, it continually evolves to address new information needs. These updates provide ongoing guidance to meet continued security concerns.

Why ISO 27001?
Most companies use processes and procedures to create consistency and counteract management and staffing changes. However, with this broad definition, many organizations may feel overwhelmed at the idea of embarking on the certification process. Anthony Jones of IS Partners, LLC notes that only about one-third of companies aware of the standard choose to adopt it. ISO certification is a long and detailed process. However, the cost of the certification process in terms of ongoing time and energy is equal to or less than not being compliant.

For CISOs, an ISO certification primarily provides a benefit of continuously updated monitoring. Rather than having to seek out the information on their own, CISOs obtain updated notifications of changes from their certification body. Moreover, the steps to certification as well as compliance audit reviews require risk assessments. These focus management on documented risk treatment instead of perceived risk.

Why not ISO 270001?
An ISO 27001 certification requires a lot of information, time, effort, and manpower. Many CISOs fear that failing an ISO 27001 audit will result in the loss of customer trust. However, regardless of whether a business formally applies for ISO certification, it often uses many of the same processes and procedures. Companies follow these protocols because the industry recognizes them as standards.

To ISO or Not To ISO? That is the Question
Many compliance managers connect ISO 27001 compliance with the wrinkled nose look that often accompanies an old tuna sandwich. This is because these managers have a stale and outdated way of managing an ISO audit. Fortunately for compliance teams, now’s the time to rethink how this is done. An ISO Certification doesn’t have to be painful to achieve. With the proper ISO audit software and process, compliance teams can now achieve an ISO Certification and protect both the business and the customer long term.

How to Prepare for an ISO 27001 Audit

Segregation of Duties in IT: Ya Gotta Keep ‘Em Separated