23) Does your organisation segregate duties to prevent unauthorised disclosure or access to information?
Answer yes if your organisation has identified and segregated relevant duties to help reduce errors and to prevent fraud. Please give an example of such segregation in the notes.
What is it?
Segregating duties can help reduce avenues for mistakes and opportunities for fraud. If multiple individuals are needed to complete a particular function, it becomes impossible for a single individual to do so maliciously or erroneously. It also means any fraudulent or erroneous action is more likely to be caught.
It can involve structuring activities sequentially or factorially in a verifiable fashion, separating the work activities themselves, or adding a final approval gate requiring a secondary approval.
Why should I have it?
Segregation of duties helps limit exposure to data and systems and the use of excessive privileges by a single individual.
For example, separate individuals could process data that, on its own, is of little value, but when combined is of high value. For example, by having one person process names and another person process address information, no one person can create a personally identifiable record which would have required both pieces of information.
Alternatively, any activity like an infrastructure change may need to be approved before it can be implemented.
Having the people administering backups not be the same than those who administer the production systems is yet another example, as an individual could only alter one of two sets of data, leaving evidence of the abuse on the other set.
In a nutshell, segregation of duties significantly reduces the likelihood of deviation from established processes by limiting what any one individual can do, which naturally provides increased assurance for your organisation and your clients’.
How to implement the control
Implementing segregation of duties is a complex task. It is difficult to implement completely due to resource not being infinite and the need to have extensive privileges in certain positions, especially hierarchically.
Ideally, each business and IT process should be reviewed and areas where a single individual could introduce significant risk identified. Those areas should then be considered and separation of duties applied where possible and effective against those risks.
One of the simplest ways is to implement an approval process where an operation cannot be performed without the approval of at least one more party.
There are numerous consultancies or individual consultants that will be able to assist in crafting a policy and process that meets your business and technical requirements. Please message us if you would like a recommendation.
If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.
