Separation Of Duties

910 Words2 Pages

Separation of Duties Separation of Duties is a term defined as “a security principle that says no one person should be able to effect a breach of security” (Definition of: separation of duties, 2008). What this means, is that one person should not be, on the whole, responsible for both the design and implementation of security within an organization. The goal being that there is not one single point of failure where one person can subsequently take advantage of a process inside a company and benefit from ill-gotten gains. This principle is readily practiced in the area of finance and is becoming more popular within the Information Technology field. For example, within the area of finance, the Department of General Services of California has a section within its State Administrative Manual that quotes the requirements of the Financial Integrity and State Manager’s Accountability Act of 1983, which “…requires that the head of each State agency establish and maintain an adequate system of internal control within their agencies. A key element in a system of internal control is separation of duties” (Department of General Services of California, 2008). The manual then goes on to list explicitly how entities are designated, the actions they may take, the number of actions each entity may take, and the level of authorization for each duty. In general, Information technology takes the same approach, by following the same principle; that certain key duties should be performed by different individuals. Such duties may be the physical custody or access to certain assets; authorization or approval of transactions affecting those assets; recording transactions for those assets; control or review responsibility for those assets. (The University of British Columbia, 2006). By having these and other duties performed by separate individuals, there becomes a system of checks and balances that is established. This also creates a system of reducing errors and/or fraud from going undetected. The adage of John Emerich Edward Dalberg Acton’s “Power tends to corrupt, and absolute power corrupts absolutely,” is the core principle; making sure that no one person has total control of an asset. According to the SANS Technology Institute, “Intellectual property is the lifeblood of an organization and process should be designed to protect it,” (SANS Technology Institute, 2008) and Riordan would be well advised to take this into account as well. SANS goes on to outline several suggestions that are well advised, such as:

Open Document