
What is the Separation of Duties Principle and How Is It Implemented?

Separation of Duties Principle

The Separation of Duties Principle (SoD) is the division, among personnel, of the duties of approving, implementing, recording, and controlling activities, financial decisions, and transactions, in order to reduce the risks of error, deficiency, inaccuracy, irregularity, and corruption.

To apply this principle, the approval, implementation, recording, and control of each activity, financial decision, or transaction should be assigned to different people.

Separation of duties refers to applications in which the information or privileges required to complete a process are divided among multiple users so that no single person can perform or control it.

See Also: What Do the Separation of Duties and Need-to-Know Principles Stand for in PCI Requirement 7

The main reason for practicing separation of duties is to prevent fraud and error from being carried out and concealed in the ordinary course of activities: when a task requires more than one person, wrongdoing is harder to commit and more likely to be detected, and unintentional errors are caught sooner.

The principles applicable to the separation of duties are:

  • Sequential separation: the activity is divided into steps performed by different people (e.g., request, authorize, approve, and enforce access rights).
  • Individual separation: two people must approve before an activity is completed.
  • Spatial separation: different activities are carried out in different places (e.g., separate places for receiving and storing raw materials).
  • Factorial separation: several factors must contribute to completing the activity (e.g., two-factor authentication for access).

Depending on the protection a company needs for its activities, these policies may be used individually or in combination.

How is the Separation of Duties Principle Applied?

So how is the separation of duties implemented? As part of a risk strategy, the following steps should be followed:

  • Define the functions that are indispensable to the organization’s operations and potentially subject to abuse, taking into account business drivers and legal compliance.
  • Divide each function into separate steps, taking into account the information required for the process to work and the privileges that would enable the function’s abuse.
  • Describe one or more separation principles to apply to each function. Examples of functions and the separation principles to apply to them are:
    • Authorization function (for example, two persons need to authorize a payment)
    • Documentation function (for example, one person creates a document and another confirms it)
    • Preservation of assets (for example, creating backup media and storing it at different sites)
    • Reconciliation or control (for example, one person takes the inventory and another verifies it)

Separation of duties is undoubtedly essential for corporate security and compliance. It ensures that human error or fraud does not cause various problems in your organization.

You can ensure the segregation of duties in your organization by streamlining access and using security solutions designed for it. With many authentications, roles, applications, and access requests to handle, an identity and access management (IAM) solution can help manage them all.

  • Define policies and processes clearly. Implementing an effective identity management solution starts with defining the policies that govern identity lifecycles. Moreover, setting clear access policies across applications ensures that the right people are authorized with the proper access, making it easier to separate tasks.
  • Establish a streamlined access tracking structure. The access tracking structure ensures that you always have an overview of access in your organization. Businesses today have trouble managing access, which is why it is essential to monitor application access from a single place; multiple dashboards are inefficient. A single dashboard provides you with the following data:
    • Who has access to which application.
    • Whether there are any unwanted access permissions.
    • Which accounts have incorrect authorization.
  • Workflows for access requests with a clear approval structure. Access in an organization should only be granted after it has been approved, so these approvals must be defined. Identity management solutions that let you easily create multi-level approval workflows enable you to maintain separation of duties without difficulty.
  • Provide role-based access. Every role in an organization should be clearly defined, and each role must be entitled to specific applications. Assigning these authorizations gives clear guidance for approving access. Automating these procedures is the most convenient way to do this: when a new employee is hired, the access their role entitles them to is provisioned automatically, without a request. Automating access provisioning dramatically reduces human error.
  • IT and HR collaboration is a must. Collaboration between IT and HR ensures that roles are adequately defined from the outset, avoiding inconsistencies throughout their life cycle. These roles should be determined with managers’ approval and information about the new employee’s role.
  • Identity management with risk engines. With burgeoning cybercrime, there is no room for manual errors. In addition to automating access approvals, smart solutions should also be included. An efficient and versatile risk engine continuously monitors all access within your organization and assigns a score to each access, so that when an access receives a high-risk score due to various parameters, manual intervention or step-up authentication can decide whether the access is allowed.

Separation of duties is necessary to ensure PCI compliance, stay secure and ensure that your employees’ access is not prone to conflicts. A strict separation of responsibilities plan is imperative.

Separation of Duties in terms of PCI DSS

When tasks are appropriately separated, no one can complete a job without the help of one or more other people. Separation of duties emerged from the requirements of the finance and accounting sectors, where it is necessary to include as many individuals as possible to reduce the risk of fraud.

See Also: Which Privileged Accounts You Should Manage and Keep Safe

The first important lesson of the separation of duties is that it does not eliminate fraud; it only minimizes the possibility. If individuals decide to work together to commit fraud, separation of duties will not stop such activities.

However, the group will need to work together, and that is where the deterrent comes in: it is more challenging to hide a scam among a group of people.

There are several areas of PCI compliance that require a separation of duties. Most of these are related to change control. The reason change control involves the separation of duties is to minimize human error. The idea is that the more people are involved, the less likely it will be that human error will occur, and hence security will be preserved.

In PCI DSS requirement 6.4.2, the duties must be separated between the personnel assigned to the development/test environments and the personnel assigned to the production environment.

So, in a change control environment with proper separation of duties, you would have the following simplified process:

  1. Bob makes changes to a program based on the requirements specified in the change request.
  2. Sally tests the change to make sure it works as expected.
  3. Sally reviews the change and performs integration testing to make sure it works as expected across the entire system. If the test fails, Sally documents the failure and sends the request back to Bob for further study and testing.
  4. If the test is successful, Sally sends the test results to manager Mark. Mark confirms that the change may go into production, and an implementation schedule is set. If Mark believes the change was not documented in the change request, he rejects it and sends the request back to Bob for further study.
  5. If the change is approved, Sally moves the change from the test environment to the production environment.
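The following is an added example, not code from the original article: a small Python model of the Bob/Sally/Mark process above that enforces both sequential separation (steps happen in order) and individual separation (one person never performs conflicting steps on the same change), plus a check that flags users whose standing roles would let them bypass the split, the kind of "unwanted access permission" the access dashboard discussed earlier should surface. The step names, role names, and the exact set of conflicting step pairs are assumptions modelled on the example.

```python
from dataclasses import dataclass, field
from itertools import combinations

# Steps of the change process, in order (sequential separation).
ORDER = ["develop", "test", "approve", "deploy"]
# Hypothetical IAM roles mapped to the step each role performs.
ROLE_STEP = {"developer": "develop", "tester": "test",
             "change_manager": "approve", "release_engineer": "deploy"}
# Step pairs one person must never perform on the same change (individual separation),
# modelled on the example: the developer touches nothing downstream, the tester never approves.
CONFLICTS = {frozenset(p) for p in [("develop", "test"), ("develop", "approve"),
                                    ("develop", "deploy"), ("test", "approve")]}

class SoDViolation(Exception):
    """Raised when a step would break sequential or individual separation."""

@dataclass
class ChangeRequest:
    change_id: str
    actors: dict = field(default_factory=dict)   # step -> user who completed it
    history: list = field(default_factory=list)  # audit trail of every attempt

    def next_step(self) -> str:
        return ORDER[len(self.actors)] if len(self.actors) < len(ORDER) else "done"

    def perform(self, step: str, user: str, passed: bool = True) -> str:
        """Record that `user` performed `step`; return the next expected step."""
        if step != self.next_step():
            raise SoDViolation(f"{self.change_id}: expected {self.next_step()}, got {step}")
        for done_step, done_user in self.actors.items():
            if done_user == user and frozenset({done_step, step}) in CONFLICTS:
                raise SoDViolation(f"{self.change_id}: {user} did {done_step}, may not {step}")
        self.history.append((step, user, "ok" if passed else "returned"))
        if passed:
            self.actors[step] = user
        else:
            self.actors.clear()  # failed test or rejected approval: back to the developer
        return self.next_step()

def conflicting_role_holders(assignments: dict) -> dict:
    """Flag users whose standing roles alone would let them bypass the split:
    the 'unwanted access permissions' an access dashboard should surface."""
    flagged = {}
    for user, roles in assignments.items():
        steps = {ROLE_STEP[r] for r in roles if r in ROLE_STEP}
        bad = [tuple(sorted(p)) for p in combinations(steps, 2) if frozenset(p) in CONFLICTS]
        if bad:
            flagged[user] = sorted(bad)
    return flagged
```

Run a change through `perform` with the same person on conflicting steps, or feed `conflicting_role_holders` a role export where one user is both developer and release engineer, to see the violation reported.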

As you can see in the above example, only three people, two staff members and a manager, are involved in the change process. The two staff members may swap the roles of change initiator and change tester, but the manager is always the approver. In larger organizations, there may be more steps and more people at each step.

The main goal is always the same, to minimize the potential for human error in the process. The idea is that with more people involved in reviewing the process and results, the likelihood of an error occurring is reduced.

See Also: How to Perform User Access Review

Duties and responsibilities should be separated to reduce opportunities for unauthorized or unwitting alteration or misuse of the organization’s assets.

To reduce opportunities for unauthorized or unintentional alteration or abuse within the organization, it helps to take precautions regarding access to, modification of, and use of each asset.

Applying separation of duties can create various difficulties, especially in organizations with relatively few employees. However, it should not be forgotten that separation of duties benefits the institution considerably. To avoid accidental or intentional abuse of assets, separation of duties should be defined as the approach used.

See Also: ISACA Implementing Segregation of Duties: A Practical Experience Based on Best Practices