Separation of Duties: An Introduction
In the first of two posts, Pirean Security Consultant Vincent Cassidy explains the principle of Separation of Duties and why it should be a fundamental principle in any organisation's Security Management strategy.
Separation of duties is a fundamental security principle that ensures that a single person does not have the ability to abuse their powers or make significant errors. Also known as “segregation of duties” and “separation of powers”, the general principle is that collusion/error between a number of people is required to abuse the process. No single person should have the authority to cause damage acting on his or her own. This security principle is not restricted to computer systems and has been in use in modern society for centuries.
The pattern to minimize risk through SoD controls is defined as follows [i]:
- Starting with a function that is indispensable, but potentially subject to abuse.
- Dividing that function into separate steps, each of which is necessary for the function to work, or for the power that enables that function to be abused.
- Assigning each step to a different person or organization.
The greater the number of people that must take part in a process, the less likely it is that error or fraud will occur.
Other factors, such as splitting the tasks across different departments and physical locations, can also contribute to reducing the inherent risk.
With the advent of Information Technology we have invented new ways for employees to steal or simply lose money:
“Increasing use of electronic means to conduct business leads to significant increases in processing performance and efficiency. These advantages, however, come at a cost. One such cost is an increased information security risk.” [ii]
When designing information systems care must be taken to define granular security permissions and roles so that separation of duties policies can be enforced.
Unfortunately, separation of duty controls are often forgotten as our modern organizations competitively strive for faster, cheaper and more profitable ways of performing their daily business transactions, sometimes with disastrous consequences (for example, why have two people to do a job when it is more efficient to have one?). Even when separation of duty controls have been built into an information system, users are often trying to find ways around them because of business pressure. In large companies it is the role of the Internal Auditor to identify these lapses of control but very often this is an impossible task.
The information security standard ISO 27001 also recognises that separation of duties may be difficult to achieve, especially for small businesses:
“Whenever it is difficult to segregate, other controls such as monitoring of activities, audit trails and management supervision should be considered. It is important that security audit remains independent.” [iii]
Information and Access Control systems often implement Static or Dynamic SoD rules:
- Static SoD is where control is established with mutually exclusive privileges, such as input and approve, which must never be given to the same individual.
- Dynamic SoD is where the business process itself maintains transaction state records. Hence a user's account may have both input and approval privileges, but the process itself prevents them being used in the same transaction.
UCLA [iv] illustrates some useful examples of segregation of duties rules:
- The person who requisitions the purchase of goods or services should not be the person who approves the purchase.
- The person who approves the purchase of goods or services should not be the person who reconciles the monthly financial reports.
- The person who approves the purchase of goods or services should not be able to obtain custody of checks.
- The person who maintains and reconciles the accounting records should not be able to obtain custody of checks.
- The person who opens the mail and prepares a listing of checks received should not be the person who makes the deposit.
- The person who opens the mail and prepares a listing of checks received should not be the person who maintains the accounts receivable records.
No one person should be able to:
- Initiate a transaction
- Approve a transaction
- Record a transaction
- Reconcile balances
- Handle assets
- Review reports
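The two enforcement styles above, and the three-step pattern at the start of the post (split the function into steps, assign each step to a different person), can be made concrete in code. The following is an added example written for this post; it is not Pirean's, ITIM's or PRM's code. The privilege names, the role-to-privilege mapping and the four-step `Transaction` workflow are assumptions chosen to mirror the UCLA rules and the "no one person should be able to initiate, approve, record and reconcile" list. Static SoD is checked once, when a role is assigned; dynamic SoD is checked per transaction, so a user who legitimately holds both input and approval rights still cannot exercise both on the same purchase.

```python
"""Static and dynamic separation-of-duties (SoD) checks.

Added example written for this post; it is not Pirean's, ITIM's or PRM's code.
The privilege names, the role mapping and the four-step Transaction workflow
are assumptions chosen to match the rules quoted in the text.
"""
from dataclasses import dataclass, field


# Static SoD: mutually exclusive privileges that must never be held by the
# same person, regardless of what they actually do (assumed privilege names).
STATIC_CONFLICTS = {
    frozenset({"purchase.requisition", "purchase.approve"}),
    frozenset({"purchase.approve", "finance.reconcile"}),
    frozenset({"purchase.approve", "cheque.custody"}),
    frozenset({"finance.reconcile", "cheque.custody"}),
    frozenset({"mail.list_cheques", "bank.deposit"}),
    frozenset({"mail.list_cheques", "ar.maintain"}),
}

# Assumed role-to-privilege mapping, consulted when a role is requested for a user.
ROLES = {
    "requester": {"purchase.requisition"},
    "approver": {"purchase.approve"},
    "bookkeeper": {"finance.reconcile", "ar.maintain"},
    "cashier": {"cheque.custody", "bank.deposit"},
    "mailroom": {"mail.list_cheques"},
}


def static_sod_violations(held_roles):
    """Conflicting privilege pairs a user would hold with this set of roles.

    Run at role-assignment time: an empty result means the assignment is safe.
    """
    privileges = set()
    for role in held_roles:
        privileges |= ROLES[role]
    return {pair for pair in STATIC_CONFLICTS if pair <= privileges}


class SoDViolation(Exception):
    """Raised when one user tries to take a second step in the same transaction."""


@dataclass
class Transaction:
    """Dynamic SoD: the process keeps state per transaction, so a user who is
    allowed to both initiate and approve in general still cannot do both here."""
    tx_id: str
    steps: dict = field(default_factory=dict)   # step name -> user who did it

    REQUIRED = ("initiate", "approve", "record", "reconcile")

    def perform(self, step, user):
        if step not in self.REQUIRED:
            raise ValueError(f"unknown step {step!r}")
        if step in self.steps:
            raise SoDViolation(f"{self.tx_id}: {step} already done by {self.steps[step]}")
        if user in self.steps.values():
            done = [s for s, u in self.steps.items() if u == user]
            raise SoDViolation(f"{self.tx_id}: {user} already performed {done}")
        self.steps[step] = user
        return self

    def is_complete(self):
        return all(step in self.steps for step in self.REQUIRED)


def demo():
    """Walk one purchase through the workflow and return what happened."""
    static_ok = static_sod_violations({"requester", "mailroom"})     # no conflict
    static_bad = static_sod_violations({"requester", "approver"})    # input + approve
    tx = Transaction("PO-1001")
    tx.perform("initiate", "alice").perform("approve", "bob")
    try:
        tx.perform("record", "alice")   # alice may hold the right, but already acted here
        blocked = False
    except SoDViolation:
        blocked = True
    tx.perform("record", "carol").perform("reconcile", "dave")
    return {"static_ok": static_ok, "static_bad": static_bad,
            "dynamic_blocked": blocked, "complete": tx.is_complete()}


if __name__ == "__main__":
    print(demo())
```

Note the design split: `static_sod_violations` belongs in the identity-management layer, where roles are granted, while `Transaction.perform` belongs in the business application, which is the only place that knows which transaction a given action touches. Neither check replaces the other; the static check keeps toxic combinations out of accounts, and the dynamic check catches the cases the business has accepted as unavoidable.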
An example SoD checklist can be found here: -
Probably the most famous and dramatic example of poor SoD practice was the collapse of Barings Bank, which crashed in 1995 under reported losses in trading of £827 million by Nick Leeson. Leeson effectively held dual roles at Barings as Floor Manager trading on the Singapore International Monetary Exchange and Head of Settlement Operations reporting back to London. It was these conflicting roles that allowed Leeson to cover and indeed increase his losses over a period of time.
Leeson’s losses pale into insignificance when compared with those of Jérôme Kerviel at Société Générale, where reported losses of £4 billion were incurred. As a result, the bank was fined €4 million in 2010 by French regulators for failing to implement proper controls, and Kerviel landed himself a three-year jail term.
Such losses are not confined to the Financial Services industry. In 2008, former bookkeeper and then Chief Financial Officer Annette Yeomans was found guilty of defrauding Quality Woodworks of $9.9 million over several years. Just how can that happen? Living in San Marcos, in Imelda Marcos style, Yeomans was reported to have spent $240,000 on shoes, $300,000 on designer clothes and $320,000 on bags over a seven-year period.
Examples of employee theft are more common than we would like to believe. The FBI has identified employee theft as “the fastest growing crime in America!”, attributing the rise largely to the recent tough economic climate.
Organizations face huge challenges in implementing, retaining and managing their Separation of Duties controls. Pressure to streamline processes and generate profits can mean that essential management controls like separation of duty are often forgotten about, particularly with changes of personnel, outsourcing, business acquisitions, mergers, etc.
Users often accumulate access over time and can be given access that breaches static SoD controls, either by accident or through poorly implemented access control. Dynamic SoD controls can easily be bypassed when users are given secondary user accounts to access systems. Often this occurs because both users and administrators fail to understand the separation of duty controls as they have been implemented.
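Both failure modes just described, access that accumulates over time and secondary accounts that split a toxic combination across two logins, are invisible to a check that looks at one account at a time. The following added example, written for this post and not ITIM or PRM code, shows the review an internal auditor would run over an access export: privileges are aggregated per person (via an assumed owner mapping) before the mutually exclusive pairs are tested, and an account with no recorded owner is treated as its own subject rather than silently skipped. The account snapshot, owner ids and toxic-pair list are constructed sample data.

```python
"""Access-review check for accumulated and split access.

Added example written for this post; not ITIM or PRM code. The account
export, the owner mapping and the toxic-combination list are constructed
sample data.
"""
from collections import defaultdict

# Constructed snapshot of an access-control export: (account, owner person id, privileges).
ACCOUNTS = [
    ("jsmith",     "P001", {"purchase.requisition"}),
    ("jsmith-adm", "P001", {"purchase.approve"}),       # secondary account, same person
    ("mjones",     "P002", {"purchase.approve"}),
    ("mjones-old", "P002", {"finance.reconcile"}),      # left over from an earlier role
    ("akhan",      "P003", {"mail.list_cheques"}),
    ("svc-batch",  None,   {"bank.deposit", "mail.list_cheques"}),  # no recorded owner
]

# Mutually exclusive privilege pairs (assumed names, mirroring the post's rules).
TOXIC_PAIRS = {
    frozenset({"purchase.requisition", "purchase.approve"}),
    frozenset({"purchase.approve", "finance.reconcile"}),
    frozenset({"mail.list_cheques", "bank.deposit"}),
}


def find_conflicts(accounts, toxic_pairs, by_person=True):
    """Return sorted (subject, conflicting pair, accounts involved) findings.

    With by_person=True, privileges are first aggregated across every account
    the same person owns; with by_person=False each account is checked alone,
    which is what a naive per-account check does and why it misses split access.
    """
    privileges = defaultdict(set)
    members = defaultdict(list)
    for account, owner, privs in accounts:
        # An unowned account becomes its own subject: it still must not hold a toxic pair.
        subject = owner if (by_person and owner is not None) else f"account:{account}"
        privileges[subject] |= privs
        members[subject].append(account)
    findings = []
    for subject, privs in privileges.items():
        for pair in toxic_pairs:
            if pair <= privs:
                findings.append((subject, tuple(sorted(pair)), sorted(members[subject])))
    return sorted(findings)


if __name__ == "__main__":
    print("per account:", find_conflicts(ACCOUNTS, TOXIC_PAIRS, by_person=False))
    print("per person: ", find_conflicts(ACCOUNTS, TOXIC_PAIRS))
```

On the sample data the per-account pass reports only the unowned service account, while the per-person pass also surfaces the requisition/approve split across jsmith's two accounts and the approve/reconcile pair that mjones kept from an earlier role. The remediation for each finding is the usual one: remove the stale entitlement, or record it as an accepted exception with the compensating monitoring ISO 27001 calls for.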
In my next blog entry, I will explore how IBM Tivoli Identity Manager (ITIM) and Pirean Risk Manager (PRM) can be used to manage Separation of Duty controls effectively and safeguard your organisation, whilst allowing the business the flexibility to achieve its goals.
[i] Nick Szabo, “Patterns of Integrity: Separation of Duties”.
[ii] R. A. Botha and J. H. P. Eloff, “Separation of duties for access control enforcement in workflow environments”, IBM Systems Journal.