For modern-day businesses, segregation of duties (SoD) is a primary requirement to demonstrate compliance with various laws, regulations, and standards. SoD helps ensure that an individual does not have total control over a process or an asset that may result in risk realization. For effective risk management programs, SoD is a must. With the help of segregation of duties, an organization breaks up a process among multiple employees for better checks and balances. In this article, we look at how you can approach an SoD exercise for your business.
How To Segregate Duties?
There are multiple ways to segregate duties within an organization. However, for this article, we will be focusing on two popular approaches. The first approach states that there are four ways to segregate duties: sequential, individual, spatial, and factorial.
- Sequential separation: when you divide an activity into a series of steps performed by different individuals. A suitable example is the authorization of a new employee.
- Individual separation: when your organization requires that two individuals must approve an activity before it takes place. A suitable example is invoice payments for contractors.
- Spatial separation: when multiple team members perform different activities at different locations. A suitable example is separate locations for receiving and storing the raw material.
- Factorial separation: when multiple factors contribute to completing an activity. An example can be two-factor authentication.
The second approach proposes three types of segregation: by individuals, organizational units, and companies.
- Individual-level SoD: At this level, an organization assigns different duties to different individuals. This is similar to sequential separation. For example, requiring a manager’s authorization for the payments that clerks make.
- Unit-level SoD: This level requires that different teams within your organization perform separate duties. For example, the sales team sends a quotation, and the customer relationship team completes the onboarding process.
- Company-level SoD: This is a high level of segregation that comes into the picture when a company has one or more subsidiaries. For example, if a subsidiary company wishes to make an investment, it may need its parent company’s approval.
What Does ISO 27001 Say About Segregation Of Duties?
ISO 27001 has a dedicated control, A.6.1.2, that covers segregation of duties. The standard expects organizations to segregate conflicting areas of responsibility in order to reduce security risks. ISO 27002, which provides implementation guidance for ISO 27001 controls, does not add much detail. It mentions that:
SoD should prevent the possibility of collusion that can lead to unfair gain or advantage, or compromise a process. When an organization cannot segregate duties, it should implement compensating controls.
Our Experts’ Take On Implementing Segregation Of Duties
- The first step should be the identification of business functions that are crucial to your operations.
- Divide these functions into multiple steps and identify who is responsible for what.
- Check whether the steps of any given function have overlapping responsibilities. In addition, verify whether any single individual has total control over a process or its execution.
- Document how you have segregated the duties. You can use either of the approaches that we discussed earlier.
Common Issues During The Implementation Of SoD
- Organizations keep separate documents for processes and for roles & responsibilities. These documents often generate confusion because they do not match each other. Your process descriptions should match your SoD documentation.
- Avoid incompatible combinations of individual roles in order to prevent conflicts. Use a visual depiction of your processes when building the activity matrix.
- An improperly conducted risk assessment will affect your SoD. Ensure that a competent team of individuals is performing the risk assessment for your organization.
- After you define SoD, ensure that individual access rights are not excessive.
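The steps in the experts' take above (divide a function into duties, map who holds what, look for overlapping responsibilities and for anyone with total control) and the issues just listed (incompatible roles, excessive access) can all be checked mechanically once the activity matrix exists. The following Python script is an added example, not code from the original article or from LIFARS: it encodes a constructed accounts-payable process as a role/duty matrix, declares which duty pairs must never sit with one person, and reports users holding a conflicting combination, users who control the whole process end to end, and role pairs that can never be co-assigned. All role, duty and user names are constructed for illustration.

```python
"""Segregation-of-duties conflict check over a role/duty matrix.

Added example; every name below is constructed and not taken from the article.
"""
from itertools import combinations

# Constructed: duties each role carries in an accounts-payable process.
ROLE_DUTIES = {
    "ap_clerk": {"create_vendor", "enter_invoice"},
    "ap_manager": {"approve_invoice"},
    "treasury": {"release_payment"},
    "it_admin": {"modify_vendor_master"},
}

# Constructed: duty pairs that let one person both initiate and authorise
# a flow, so they must never be held by the same individual.
CONFLICTING_DUTIES = {
    frozenset({"create_vendor", "release_payment"}),
    frozenset({"enter_invoice", "approve_invoice"}),
    frozenset({"approve_invoice", "release_payment"}),
    frozenset({"modify_vendor_master", "release_payment"}),
}

# Constructed: the duties that together make up the payment process.
PAYMENT_PROCESS = {"enter_invoice", "approve_invoice", "release_payment"}

# Constructed: current user-to-role assignments to be reviewed.
USER_ROLES = {
    "alice": ["ap_clerk"],
    "bob": ["ap_manager"],
    "carol": ["ap_clerk", "ap_manager"],              # enters and approves
    "dave": ["ap_clerk", "ap_manager", "treasury"],   # owns the whole flow
}


def effective_duties(user_roles, role_duties=ROLE_DUTIES):
    """Union of duties a user holds across all assigned roles."""
    duties = set()
    for role in user_roles:
        duties |= role_duties.get(role, set())
    return duties


def find_conflicts(user_assignments, role_duties=ROLE_DUTIES,
                   conflicts=CONFLICTING_DUTIES):
    """Map each user holding a toxic duty combination to the offending pairs."""
    findings = {}
    for user, roles in user_assignments.items():
        duties = effective_duties(roles, role_duties)
        hits = [tuple(sorted(pair)) for pair in conflicts if pair <= duties]
        if hits:
            findings[user] = sorted(hits)
    return findings


def total_control(user_assignments, process_duties, role_duties=ROLE_DUTIES):
    """Users who hold every duty of a process, i.e. no second person is needed."""
    return sorted(user for user, roles in user_assignments.items()
                  if process_duties <= effective_duties(roles, role_duties))


def incompatible_roles(role_duties=ROLE_DUTIES, conflicts=CONFLICTING_DUTIES):
    """Role pairs whose combined duties contain a conflicting pair.

    Useful when documenting SoD: these pairs must not be co-assigned,
    and if they are, a compensating control has to be recorded.
    """
    pairs = []
    for a, b in combinations(sorted(role_duties), 2):
        combined = role_duties[a] | role_duties[b]
        if any(pair <= combined for pair in conflicts):
            pairs.append((a, b))
    return pairs


if __name__ == "__main__":
    for user, pairs in find_conflicts(USER_ROLES).items():
        print(f"CONFLICT {user}: {pairs}")
    for user in total_control(USER_ROLES, PAYMENT_PROCESS):
        print(f"TOTAL CONTROL {user}: holds all of {sorted(PAYMENT_PROCESS)}")
    print("Roles that must never be co-assigned:", incompatible_roles())
```

Running the script on the constructed data flags carol (enters and approves invoices) and dave (who additionally releases payments and therefore controls the whole payment process on his own). The `incompatible_roles` output is what belongs in the SoD documentation: it is derived from the same matrix as the process descriptions, so the two cannot drift apart the way separate process and role documents tend to.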
Segregation of Duties as a security control helps prevent the concentration of responsibilities in a single individual. Organizations should make the necessary investments for regular analysis of their processes and procedures. Where SoD cannot address an existing risk, they should implement a compensating control to manage it. In practice, SoD increases resource requirements, because more steps or more individuals are involved in completing a process. An organization must seek to maintain a balance between SoD and the required costs and effort.