How to create checks and balances when organizing your IT network.
When many people think about IT security, the first things that come to mind are programs such as firewalls or malware detection software. However, security is as much about the organization systems and process your company has in place as anything else. Of those organizational structures, one of the most important is how companies assign responsibility for certain IT-related tasks. This is called Segregation of Duties.
Segregation of duties (SoD) means that no one person should be solely accountable for certain business operations. In fact, we see SoD used frequently to stabilize systems were there might otherwise be an imbalance of power.
SoD should already be familiar to anyone who has worked in finance or banking, as it is an important precaution against embezzlement, fraud, or other financial errors. For instance, imagine the person in charge of verifying time sheets is also the one responsible for cutting pay checks. Or what if one person was responsible for both approving and recouping business expenses. In such a circumstance, they could easily compensate themselves for expenses that either were not warranted, or never happened.
On the other hand, when these duties are properly separated, taking advantage of the system requires collusion among at least two employees. No single person can both close a client and handle the payment transaction, or approve a purchase order and pay the supplier.
Segregation of duties applies to IT in similar ways. While IT doesn’t usually involve direct monetary transactions, there are still ways in which a system without the appropriate checks and balances can lead to abuse and error. Let’s take a closer look.
In practice, a lot of SoD rests on the principle of least privilege. Least privilege means that individuals only have access to as much information as they need in order to execute their job correctly. For instance, if a company has a data base of access codes for client accounts, some of their employees might reasonably require access to some of these passwords in order to effectively manage the client account. But they should only have access to the codes they might conceivably need, rather than to the entire account.
In IT, privilege controls are usually restricted according to user role. For instance, one person might be granted read-only access to a folder, without permission to add or edit documents. They can also limit the kinds of files users are allowed to download from the Internet, or prohibit users of certain levels from installing programs onto a hard drive. Most critically, user privileges can control who is allowed to create and modify other user privileges.
Privilege controls also help contain the spread of an IT attack. If a malicious party gains access to the account of someone with editing but not administrative privileges, for instance, they can only go so far before the administrator shuts down or suspends that account. But if they gain control of an admin account, they could potentially shut a company out of their own network. This is one main reason why you should limit privileges to those who need them. The fewer accounts with high privilege levels you have, the fewer you have to protect.
Segregation of Duties in IT security.
In IT security, SoD is mostly for two things: avoiding conflicts of interest that could result in abuse or fraud, and preventing control failures that could result in data theft or security breaches. For instance, a conflict of interest would arise if the person responsible for system security also wrote and delivered their own performance reports. In theory, a person in that position could neglect their duties but continue reporting “all is well” with no oversight.
Similarly, if one individual is responsible for both developing and testing a security system, they are more likely to be blind to its weaknesses. Or, they might intentionally design a system loophole that they could exploit later, safe in the knowledge that no one else could test and find it.
To avoid these situations, different people must be responsible for these duties. Organizations should conduct internal audits that are run by individuals without a vested interest in those audits delivering a clean report. External audits conducted by a third party who report directly to the board of directors or CEO can also prevent potential mismanagement or false reporting.
Preventing employee error.
Of course, SoD isn’t only about preventing fraud. It also helps prevent large-scale errors from taking place. For instance, the recent false missile alert in Hawaii could have been avoided if the duties of creating and testing the missile alert system had been separated from those of sending out a live alert. The fact that a single employee could accidentally send out a false alert indicates an error in design of the security alert system. Hawaii has since changed their system so that two people are now required to send out a security alert.
This has other ramifications for IT security. While some lapses in security could be due to negligence of malign intent, others are simple error. In the design/testing scenario we mentioned earlier, an IT technician might easily fail to test for a security hole through honest oversight. SoD provides backup for you and your employees, while also leaving a clear audit trail so that organizations can understand what’s happening in their company from start to finish.
Understanding SoD for your business.
For any business, understanding the way your IT systems overlap and interlink can be complex. Because of this, it can help to have an outside company consult with your business to create a more secure environment. Increasingly, applying appropriate SoD best practices to your IT network will become critical—and perhaps even mandatory—to protect the security for your company.
If you would like help managing your IT security, we can help. We provide a free IT assessment to businesses to help them understand possible weaknesses in their network. Contact us today to get started.