Jan 11 2013

Why SoD should be reviewed in every assessment

Category: Information Security, Security Risk Assessment | DISC @ 2:33 pm

Like other controls, SoD (Segregation of Duties) plays an important role in reducing certain potential risks to an organization.

SoD minimizes certain risks by dividing a task so that it takes more than one individual to complete that task or a critical process. The SoD control has traditionally been used in accounting to minimize the risk of collusion. With separation of duties we don't want to give any individual so much control that they become a security risk without proper checks and balances in place. SoD is used to avoid unauthorized modification of data and to make sure critical data is available when needed by authorized personnel, which includes but is not limited to the availability of services.

Separation of Duties (SoD) is not only an important security principle; control A10.1.3 of ISO 27001 also requires organizations to implement it.

Possible Controls to Implement SoD:

    * Separate the IT department from the user function, meaning a user should not be able to perform their own IT duties.
    * Separate InfoSec from the IT department. The individual responsible for InfoSec has unique knowledge of the organization's security infrastructure; basically, a knowledgeable InfoSec individual holds the keys to the kingdom and should be segregated from the rest of the IT department. Also, the InfoSec individual should not report to the IT director, which is not only an independence issue but a conflict of interest: the IT department is responsible for the availability of a service, whereas the security professional is responsible for the security (adding controls) of that same service.
    * Application development and testing should be segregated. There should be complete segregation of the app development and app testing functions. Also, the person who puts the app into production/operation and maintains it should be a different individual.
    * Operation of IT should be separate from maintenance of IT in different tiers, meaning availability of the information should be separated from support and maintenance.
    * The database admin should be segregated from other IT functions. DBA individuals are very knowledgeable super users and should not have any other IT duties.
    * Last but not least, the main uber user, the sysadmin (router, FW, server, DT), should have a separate account when performing regular user functions. These super users should be logged and audited on a regular basis.
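One way to check an organization's role assignments against the conflicts listed above, as an added example that is not part of the original post. The role names, the conflict pairs and the sample assignments are constructed for illustration and are not tied to any product.

```python
"""Flag SoD violations in a set of user-to-role assignments (added example)."""
from itertools import combinations

# Toxic role combinations drawn from the controls listed above.
# Role names are assumed labels for this example, not a standard.
CONFLICTS = {
    frozenset({"business_user", "it_ops"}),        # users doing their own IT work
    frozenset({"infosec", "it_ops"}),              # InfoSec inside the IT function
    frozenset({"app_dev", "app_test"}),            # developer testing own code
    frozenset({"app_dev", "app_prod_deploy"}),     # developer pushing to production
    frozenset({"app_test", "app_prod_deploy"}),    # tester pushing to production
    frozenset({"it_ops", "it_maintenance"}),       # operations vs. support/maintenance
    frozenset({"dba", "sysadmin"}),                # DBA with other IT duties
    frozenset({"dba", "app_dev"}),
    frozenset({"dba", "it_ops"}),
    frozenset({"sysadmin", "business_user"}),      # admin account used for daily work
}


def sod_violations(assignments):
    """Return sorted (user, role_a, role_b) for every toxic pair a single account holds."""
    found = []
    for user, roles in assignments.items():
        for a, b in combinations(sorted(roles), 2):
            if frozenset({a, b}) in CONFLICTS:
                found.append((user, a, b))
    return sorted(found)


def reporting_conflicts(assignments, reports_to):
    """Return sorted (user, manager) where an InfoSec role reports to the IT director."""
    found = []
    for user, manager in reports_to.items():
        if "infosec" in assignments.get(user, set()) and \
                "it_director" in assignments.get(manager, set()):
            found.append((user, manager))
    return sorted(found)


# Constructed sample data: one account per person, roles as held today.
SAMPLE_ASSIGNMENTS = {
    "alice": {"app_dev", "app_test"},       # writes and tests her own code
    "bob": {"app_prod_deploy"},             # only deploys; no conflict
    "carol": {"dba", "sysadmin"},           # DBA holding other IT duties
    "dave": {"sysadmin", "business_user"},  # one account for admin and daily work
    "erin": {"infosec"},
    "frank": {"it_director", "it_ops"},
}
SAMPLE_REPORTS_TO = {"erin": "frank", "alice": "frank"}

if __name__ == "__main__":
    for v in sod_violations(SAMPLE_ASSIGNMENTS):
        print("role conflict:", v)
    for r in reporting_conflicts(SAMPLE_ASSIGNMENTS, SAMPLE_REPORTS_TO):
        print("reporting conflict:", r)
```

Feeding the checker a real export of group memberships (for example from a directory or an application's role table) turns the list above into a repeatable assessment step rather than a manual interview question.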
