Segregation Of Duties As A Corporate Philosophy
Updated: Dec 7, 2021
Have you ever witnessed abuse of power? What were the consequences? Such incidents damage both the public and private sectors, which is why enterprises try to prevent them by adhering to the separation of duties principle. Let's look at what it is and how it safeguards the quality of business processes.
What Is Segregation Of Duties: General Concepts
Segregation of duties definition
Segregation or separation of duties (SoD) is an internal control concept under which no single person at an enterprise should be responsible for carrying out a process at all of its stages. It complements the principle of least privilege: an employee receives only the data and authority needed to perform their assigned tasks.
When separating responsibilities, management should divide high-risk processes into four functions: documenting, storing, authorizing, and approving, and assign each of them to a different employee.
There are two SoD types: static and dynamic. With static SoD, management assigns roles according to approved rules, so that nobody is ever assigned a conflicting combination of roles. It reduces the number of conflicts and applies the same rule to every team member.
With dynamic SoD, the company ties the distribution of obligations to data access at the moment of use. An employee may be assigned several conflicting roles, but while performing a specific function can activate only one of them (for example, within a single session), so the conflicting permissions are never held at the same time.
Among the principal SoD tasks and functions are the following:
creation of a checks-and-balances system,
increasing the level of data security,
significantly reducing the possibility of conflicts of interest,
preventing fraud.
Previously, only the banking and financial industries actively used this approach. Now companies in any domain apply it, because it protects the business.
Examples of poor separation of duties
Every company experiences the consequences of ignoring SoD at least once. Sometimes they reach enormous proportions.
Take the Hawaii emergency alert system failure in 2018. An employee sent a false alert about an approaching ballistic missile by mistake: during a drill, he selected the live alert instead of the test template. A single operator had the authority to issue a statewide alert on his own, and the result was general panic.
In this case, an individual separation, where at least two persons must confirm the action (a two-person rule), would have been appropriate.
Another blatant consequence of a lack of segregation-of-duties controls was the Alberta Motor Association case. In 2016, the company discovered a loss of more than $8 million, the result of three years of fraud by its IT vice president. His powers allowed him to both submit and approve fake invoices. Here, sequential separation, dividing one process into several stages and authorizing a different employee for each of them, would have been the right control. Restricting the person's access to data according to the principle of least privilege would not have been superfluous either.
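The static and dynamic SoD types described above, and the submit-and-approve conflict behind the Alberta Motor Association case, can be expressed as constraints on a role-based access model. The following is an added example written for this page, not code from the original article or from any of the products it mentions. The role names, permissions, conflict pairs and users are constructed for illustration; the static check flags a user whose assigned roles combine conflicting permissions, and the dynamic check lets such a user keep both roles but refuses to activate them within one session.

```python
"""Static and dynamic separation-of-duties checks over a small RBAC model.

Added example (not from the original article). Role names, permissions,
conflict pairs and users below are constructed for illustration.
"""

# Role -> permissions it grants (constructed).
ROLES = {
    "invoice_submitter": {"invoice:create", "invoice:submit"},
    "invoice_approver": {"invoice:approve"},
    "payment_releaser": {"payment:release"},
    "it_admin": {"system:configure"},
}

# Pairs of permissions that must never be held by one person at the same
# time. The first pair is the AMA pattern: submitting and approving invoices.
CONFLICTS = {
    frozenset({"invoice:submit", "invoice:approve"}),
    frozenset({"invoice:approve", "payment:release"}),
}

# User -> assigned roles (constructed). "vp_it" mirrors the AMA case.
ASSIGNMENTS = {
    "vp_it": {"invoice_submitter", "invoice_approver", "it_admin"},
    "clerk": {"invoice_submitter"},
    "controller": {"invoice_approver"},
}


def effective_permissions(roles):
    """Union of the permissions granted by a set of roles."""
    perms = set()
    for role in roles:
        perms |= ROLES[role]
    return perms


def static_sod_violations(assignments):
    """Static SoD: examine each user's full role assignment.

    Returns {user: [sorted conflicting permission pair, ...]} for every user
    whose assigned roles together grant both halves of a conflict pair.
    """
    violations = {}
    for user, roles in assignments.items():
        perms = effective_permissions(roles)
        hits = [tuple(sorted(c)) for c in CONFLICTS if c <= perms]
        if hits:
            violations[user] = sorted(hits)
    return violations


class Session:
    """Dynamic SoD: a user may be assigned conflicting roles, but may only
    activate a non-conflicting subset of them within one session."""

    def __init__(self, user, assigned_roles):
        self.user = user
        self.assigned = set(assigned_roles)
        self.active = set()

    def activate(self, role):
        if role not in self.assigned:
            raise PermissionError(f"{self.user} is not assigned {role}")
        # Check what the session would be able to do with this role added.
        candidate = effective_permissions(self.active | {role})
        for conflict in CONFLICTS:
            if conflict <= candidate:
                raise PermissionError(
                    f"activating {role} would combine {sorted(conflict)} "
                    f"in one session for {self.user}")
        self.active.add(role)

    def can(self, permission):
        """True if the currently active roles grant the permission."""
        return permission in effective_permissions(self.active)


if __name__ == "__main__":
    print("static violations:", static_sod_violations(ASSIGNMENTS))
    session = Session("vp_it", ASSIGNMENTS["vp_it"])
    session.activate("invoice_submitter")
    try:
        session.activate("invoice_approver")
    except PermissionError as exc:
        print("dynamic check blocked:", exc)
```

Under the static rule, "vp_it" is simply an invalid assignment and should never exist; under the dynamic rule, the same person may approve invoices in a separate session, but never in the same session in which they submit them. Which rule to use depends on whether the organization can afford to staff every conflicting function with a different person.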
Segregation Of Duties In Software Development
Today, the IT industry actively uses segregation of duties. It is especially needed here because SoD provides a clear distribution of roles and a higher level of cybersecurity: if a company meets all SoD requirements, no single developer can launch malicious code or create a backdoor for illegal purposes without another person's involvement.
How does separation of duties help ensure the quality of a product? Here the separation of responsibility is the principal factor: each participant in the development cycle is responsible for their own piece of work. For the vendor, as the workflow organizer, this is an undoubted advantage; for the client, it means results delivered on time. SoD also helps deliver quality code and robust systems that are hard to break, because every change passes through someone other than its author.
The IT development process follows the separation of duties order. When preparing a commercial proposal and project estimate, a vendor assigns roles so that one specialist performs one process. For example:
the sales manager is responsible for communication with the client;
the IT manager authorizes the work;
the developers are engaged in product creation;
the architect performs the final app check and approval.
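The role split above is a sequential separation: each change should pass through the proposal, authorization, implementation and approval stages, and the person who builds it should not be the person who authorizes or approves it. The following is an added example, written for this page rather than taken from the original article, that audits constructed change records against that rule. The stage names, the separation pairs and the three sample records are assumptions made for illustration.

```python
"""Sequential separation check for a development workflow.

Added example (not from the original article). The stage names, the
separation rules and the change records below are constructed.
"""

# Stages of one change, in order. Each stage records who acted in it.
STAGES = ("proposal", "authorization", "implementation", "approval")

# Pairs of stages that must be performed by different people.
SEPARATED = (
    ("implementation", "approval"),       # the author may not approve own code
    ("authorization", "implementation"),  # whoever authorizes does not build
    ("authorization", "approval"),        # two separate sign-offs
)


def check_change(change):
    """Return a list of violation strings for one change record.

    change: {"id": str, <stage>: set(actor), ...}
    A stage with no actor is a missing step; one person in two separated
    stages is a broken separation.
    """
    problems = []
    for stage in STAGES:
        if not change.get(stage):
            problems.append(f"{change['id']}: stage '{stage}' has no actor")
    for first, second in SEPARATED:
        shared = change.get(first, set()) & change.get(second, set())
        for actor in sorted(shared):
            problems.append(
                f"{change['id']}: {actor} acted in both '{first}' and '{second}'")
    return problems


def audit(changes):
    """Run check_change over an audit log; return all violations found."""
    found = []
    for change in changes:
        found.extend(check_change(change))
    return found


# Constructed audit records for three changes.
CHANGES = [
    {"id": "CHG-1", "proposal": {"sales"}, "authorization": {"it_manager"},
     "implementation": {"dev_a"}, "approval": {"architect"}},
    # The architect wrote part of CHG-2 and then approved it.
    {"id": "CHG-2", "proposal": {"sales"}, "authorization": {"it_manager"},
     "implementation": {"dev_b", "architect"}, "approval": {"architect"}},
    # CHG-3 was shipped without the approval stage ever being recorded.
    {"id": "CHG-3", "proposal": {"sales"}, "authorization": {"it_manager"},
     "implementation": {"dev_a"}, "approval": set()},
]

if __name__ == "__main__":
    for line in audit(CHANGES):
        print(line)
```

In practice the records would come from the ticketing system and the version control or CI platform, and the same check can be enforced at the point of action (refusing an approval from any author of the change) rather than only in a periodic audit.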
It is arduous to maintain SoD when a company relies on the platform economy. Each SaaS product has its own designation of roles and permissions, and the ties between them become confusing. As a result, it is hard to understand what data each employee owns and what he or she can control. Moreover, most software products do not support fine-grained access requirements. For example, two departments use one software module; when one of them needs some data, it does not mean the other also requires it. But the software often cannot provide multi-level, customized access, so members of both departments end up with the same access to information.
To support SoD, enterprises use ready-made products such as CreaSys, Oracle Risk Management Cloud, Fastpath, SAP Access Control, etc. They help monitor security matters and the correctness of the segregation of duties. However, companies should also conduct an external audit for greater confidence.