Information Management & Computer Security 5/1 [1997] 18–19
MCB University Press [ISSN 0968-5227]
Part of the foundation for secure systems: separation of duties policy
Charles Cresson Wood
Independent Information Security Consultant based in Sausalito, California, USA
Discusses the assets of business now and how these can be information, information systems or other factors. Looks at ways of centralizing systems and making them more secure. Decides that networks challenge abilities of individuals to come up with answers regarding duties.
One of the most important principles of internal control is the “separation of duties”. It holds that people who authorize transactions should be different from people who have custody of assets, who in turn should be different from people who have accountability for assets. In this context, “assets” could be information itself, information systems, or any other factor of production such as raw materials.
In many organizations, the computerization of business processes has eroded the separation of duties found in the manual (paper-based) environment. Consider an inventory of calculators in the traditional manual world. Custody for the inventory would be the responsibility of the warehouse department, while accounting for the inventory would be the responsibility of the receiving department. Transactions to replenish inventory would be authorized by those in the purchasing department.
Continuing with the same example, consider what happens if this environment is computerized. Perpetual inventory record-keeping software would be likely to share information with software that calculates reorder levels, economic order quantities, and vendor delivery performance statistics. Such a convenient centralized inventory system could even print purchase orders to replenish inventory. Under these circumstances, the people who operate the computer may have taken on both the record-keeping (maintaining perpetual inventory figures) and the authorization (making decisions about reordering) functions.
So what could happen if separation of duties has been eroded by computerization? In the illustration mentioned above, it may be considerably easier for the computer operator to steal inventory and cover up the evidence. Without a proper separation of duties, an organization increases the risk of: sabotage, terrorism, fraud and embezzlement, extortion, industrial espionage, errors and omissions, service interruption, equipment theft, and privacy violation. Structuring computerized information systems with the notion of separation of duties will help safeguard assets, provide efficiency through specialization, allow cross-checks on the reliability of records, and deter many types of manipulations.
Separation of duties can be seen as a specific instance of the old adage, “Don’t put all your eggs in one basket”. For instance, a single person should not design, program, implement and test an application system. Not only are important bugs likely to go undetected, but trap-doors and other generally unknown short-cuts may compromise the system’s security. As another example, it would be unwise for the information security function to report to the EDP audit director. This arrangement would prevent the EDP audit department from performing an unbiased review of the work done by the information security group.
Separation of duties is especially problematic in small organizations, in microcomputer environments, and on computer networks. For example, if a small firm has only two people for all accounting, treasury and finance functions, then structuring operations so that a proper separation of duties exists will be challenging. Similarly, if a single individual uses a microcomputer to handle either many aspects of a project or an entire organizational function, then separation of duties will be eroded. While the power and versatility of microcomputers have allowed individuals to accomplish many things, the price paid for this productivity is often a compromise of separation of duties.
Networks are challenging our ability to come up with new computerized manifestations of separation of duties. For example, shared databases implemented on a local area network server could pose significant separation of duties problems. Care must be taken to positively identify each user individually, and also to rigorously apply the access control functions found in database management systems. The more records are centralized, the more centralized records can be accessed by remote workers, and the more tasks previously performed by people are delegated to a computer, the more important it is to have separation of duties.
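The check below is an added example, not part of the original article. It takes the three duties named earlier (authorization, custody, accountability) and reports any individually identified user whose combined roles give them more than one of those duties over the same asset. The role names, user names and data layout are hypothetical and constructed for illustration.

```python
from collections import defaultdict

# The three duties the article says must be held by different people.
DUTIES = {"authorization", "custody", "accountability"}
# Constructed sample data (hypothetical role and user names).
ROLE_GRANTS = {
    "purchasing_clerk": {("inventory", "authorization")},
    "warehouse_staff": {("inventory", "custody")},
    "receiving_clerk": {("inventory", "accountability")},
    "computer_operator": {("inventory", "accountability"),
                          ("inventory", "authorization")},
}
USER_ROLES = {
    "alice": ["purchasing_clerk"],
    "bob": ["warehouse_staff"],
    "carol": ["receiving_clerk", "warehouse_staff"],
    "dave": ["computer_operator"],
}


def duties_by_user(user_roles, role_grants):
    """Map each user to {asset: set of duties} across all assigned roles."""
    held = {}
    for user, roles in user_roles.items():
        per_asset = defaultdict(set)
        for role in roles:
            if role not in role_grants:
                raise KeyError(f"user {user!r} has undefined role {role!r}")
            for asset, duty in role_grants[role]:
                if duty not in DUTIES:
                    raise ValueError(f"unknown duty {duty!r} in role {role!r}")
                per_asset[asset].add(duty)
        held[user] = dict(per_asset)
    return held


def find_conflicts(user_roles, role_grants):
    """Return sorted (user, asset, duties) where one person holds 2+ duties."""
    conflicts = []
    for user, per_asset in duties_by_user(user_roles, role_grants).items():
        for asset, duties in per_asset.items():
            if len(duties) > 1:
                conflicts.append((user, asset, tuple(sorted(duties))))
    return sorted(conflicts)


if __name__ == "__main__":
    for user, asset, duties in find_conflicts(USER_ROLES, ROLE_GRANTS):
        print(f"{user}: holds {' + '.join(duties)} for {asset}")
```

The check catches both ways a conflict arises: a single role that bundles duties (the computer operator in the inventory example) and a person who accumulates separate roles.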
Generally speaking, data-processing people
have not been trained about the separation of
duties. Nonetheless, the notion is a critical
underpinning for all information security