Separation of Duties (SoD) is not only an important security principle; control A10.1.3 of ISO 27001 also requires organizations to implement it.
Under separation of duties we don’t want to give any individual so much control that they become a security risk without proper checks and balances in place. SoD is used to prevent unauthorized modification of data and to make sure critical data is available when needed by authorized personnel, which includes but is not limited to the availability of services.
SoD has been used very frequently in financial organizations, but whether other organizations apply the SoD control should be a risk-based decision. If a risk assessment concludes that there is a risk of collusion to commit fraud, and that risk is above the organization’s risk threshold, the organization will need to minimize the risk of collusion by implementing the SoD control, usually by splitting a process or job so that it is completed by more than one individual: one person has the management authority to make a decision and another executes or implements it.
Depending on the risk, there is a pressing need to maintain and monitor this control, which includes but is not limited to audit trails. The SoD control needs to be audited on a regular basis by an independent party.
Related articles
- ISO 27001 Securing offices and facilities (deurainfosec.com)
- HR controls during employment and ISO 27001 (deurainfosec.com)
- Build resilience into your management system (deurainfosec.com)
- Professional steps to ensure proper information security in organizations (techi.com)