Segregation of duties in your ISMS according to ISO 27001 A.6.1.2
Today’s automated solutions and information and communication technologies allow a few people to handle a great deal of information and processes (e.g., stock exchange operators and air traffic controllers).
While this is good for productivity, a potential side effect is that these few people may end up gathering excessive knowledge and/or privilege over the operating environment. If they are absent or have malicious intent, this can prove to be an unacceptable risk, which must be handled.
This article will present a widely used concept to approach this situation, the segregation of duties, and how ISO 27001 considers it in an ISMS to minimize the risk that a single position may have the opportunity to compromise an organization’s activities.
Segregation of duties general definition, purpose, and principles
Segregation of duties refers to practices where the knowledge and/or privileges needed to complete a process are broken up and divided among multiple users, so that no single one is capable of performing or controlling it alone.
The main reason to apply segregation of duties is to prevent the perpetration and concealment of fraud and error in the normal course of activities. Requiring more than one person to perform a task minimizes the opportunity for wrongdoing and increases the chances of detecting it, as well as of detecting unintentional errors.
The principles that can be applicable to segregation of duties are:
- sequential separation, when an activity is broken into steps performed by different persons (e.g., solicitation, authorization and implementation of access rights)
- individual separation, when at least two persons must approve an activity before it is done (e.g., contractor payment)
- spatial separation, when different activities are performed in different locations (e.g., locations to receive and store raw material)
- factorial separation, when several factors contribute to activity completion (e.g., two-factor access authentication).
Note that these principles can be used in isolation or together, depending on the level of security an organization requires to protect its processes.
ISO 27001 series objectives and guidance on segregation of duties
ISO 27001 considers segregation of duties to be one of the potential controls applicable to the implementation and operation of information security within the organization (control A.6.1.2 from Annex A).
The standard control requires conflicting duties and areas of responsibility to be segregated in order to reduce the risk of an asset’s unauthorized or unintentional modification or misuse. The determination of whether the control is applicable, and which duties and areas should fall under A.6.1.2, must be made according to the results of a risk assessment.
Since the segregation of duties concept is straightforward, ISO 27002, the standard that provides practices for information security controls, does not provide much guidance beyond what was presented above, apart from two points:
- control design must consider the possibility of collusion (when two or more parties agree to commit fraud or gain unfair advantage by compromising a process execution)
- when segregation of duties is difficult or impossible to achieve, compensating controls should be applied (detailed information is presented later in this article)
Implementing segregation of duties
But how is segregation of duties implemented? Basically, these steps should be followed as part of a risk treatment plan:
- Identification of functions that are indispensable to the organization’s activities, and potentially subject to abuse, considering either business drivers or regulatory compliance (e.g., SOX)
- Division of the function into separate steps, either considering the knowledge necessary for the function to work or the privileges that enable that function to be abused
- Definition of one or more segregation principles to be applied to the functions. Examples of functions and segregation principles to be applied are:
  - authorization function (e.g., two people need to authorize a payment)
  - documentation function (e.g., one person creates a document and another approves it)
  - custody of assets (e.g., backup media creation and storage in different sites)
  - reconciliation or audit (e.g., one person takes inventory and another validates it)
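The following is an added example, not part of the original article, showing how the steps above can be turned into automated checks: a static check that no one person accumulates two duties the policy marks as conflicting, a check that an access-rights workflow was performed by three different people (sequential separation), and a two-approver check for payments (individual separation). The duty names, conflict pairs and user names are constructed sample data.

```python
# Added example: small segregation-of-duties checks. The policy, duty names and
# users are constructed for illustration; a real ISMS would derive the conflict
# pairs from its risk assessment (ISO 27001 A.6.1.2) rather than hard-code them.
from collections import defaultdict

# Constructed policy: pairs of duties that must never be held by one person.
CONFLICTING_DUTIES = {
    frozenset({"request_access", "authorize_access"}),
    frozenset({"authorize_access", "implement_access"}),
    frozenset({"request_access", "implement_access"}),
    frozenset({"create_document", "approve_document"}),
}


def find_sod_violations(assignments):
    """assignments: iterable of (user, duty) pairs, e.g. exported from an
    access-control system. Returns a sorted list of (user, duty_a, duty_b)
    for every conflicting pair that a single user holds."""
    duties_by_user = defaultdict(set)
    for user, duty in assignments:
        duties_by_user[user].add(duty)
    violations = []
    for user, duties in duties_by_user.items():
        for pair in CONFLICTING_DUTIES:
            if pair <= duties:  # the user holds both duties of the pair
                duty_a, duty_b = sorted(pair)
                violations.append((user, duty_a, duty_b))
    return sorted(violations)


def access_workflow_ok(steps):
    """steps: dict mapping step name -> user who performed it.
    Sequential separation: solicitation, authorization and implementation
    of access rights must be performed by three different people, and an
    incomplete workflow is never treated as approved."""
    required = ("request", "authorize", "implement")
    if any(step not in steps for step in required):
        return False
    actors = [steps[step] for step in required]
    return len(set(actors)) == len(required)


def payment_authorized(approvers, required_approvers=2):
    """Individual separation: at least `required_approvers` distinct people
    must approve. Repeated approvals by the same person count only once."""
    return len(set(approvers)) >= required_approvers
```

Run the static check periodically against exported role assignments and the dynamic checks at the point where a workflow would be completed, and log every rejection so it can be reviewed as an audit trail.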
For more information about documenting responsibilities, see: How to document roles and responsibilities according to ISO 27001.
Alternatives to segregation of duties
Sometimes the segregation of duties is impractical because the organization is too small to designate functions to different persons. In other cases, breaking down tasks can reduce business efficiency and increase costs, complexity, and staffing requirements.
In these situations, compensating controls should be in place to ensure that even without segregation of duties the identified risks are properly handled. Examples of compensating controls are:
- Monitoring activities: these allow activities to be supervised while in progress, as a way to ensure they are being properly performed. For more information, see: Logging and monitoring according to ISO 27001 A.12.4.
- Audit trails: these enable the organization to reconstruct the actual events from the starting point to the current status (e.g., who initiated the event, the time of day and date, etc.). For more information about how to determine the information to be tracked, see: How to make an Internal Audit checklist for ISO 27001 / ISO 22301.
- Management supervision: this allows the proper and timely evaluation and handling of exceptional situations.
Sometimes, having all your eggs in one basket is not a good idea
Wrongdoing requires three factors to be possible: means, motive, and opportunity. Extremely lean processes increase the risk of wrongdoing by concentrating means and opportunity (access to and privileges over the process). By implementing segregation of duties, an organization minimizes the risk by splitting knowledge and privileges.
However, the security benefits of segregation of duties must be balanced against the increased cost and effort required. By using the ISO 27001 requirements for risk assessment, an organization can identify the most vulnerable and the most mission-critical elements of the business, where segregation of duties will deliver real added value to the business and other interested parties.
To learn more about segregation of duties according to ISO 27001, try our free online ISO 27001:2013 Foundations Course.