It’s no secret that organizations today face a constant onslaught of identity-related access risks within the current threat landscape. One of the most critical and potentially damaging access risks that can exist under the surface of an organization is the lack of controls to ensure adequate segregation of duties (SoD). Throughout this blog, we will examine what it means to segregate duties within an organization, why insufficient SoD policies are so dangerous, and how identity governance tools can ensure the proper internal controls are in place to reduce adverse impact to the organization.
What Is Segregation of Duties (SoD)?
Segregation of duties, or separation of duties as it is sometimes called, is the set of controls within an organization requiring that multiple people are needed to perform a single task or critical steps within a task to avoid fraud or error. Typically, an SoD policy is set up around preventing combinations of access or transaction rights that would jeopardize the financial integrity of an organization. While such controls are often in place within a given application, they must also span multiple systems and applications. When appropriate segregation of duties does not exist, individuals may have the ability to cause damage to the business.
CSO Online reports that ‘the concept of SoD became more relevant to the IT organization when regulatory mandates, such as Sarbanes-Oxley (SOX) and the Gramm-Leach-Bliley Act (GLBA) were enacted. A very high portion of SOX internal control issues, for example, come from or rely on IT. This forced IT organizations to place greater emphasis on SoD across all IT functions, especially security.’ With intensifying regulatory compliance during the last two decades, now including GDPR, the need for effective SoD policies has increased dramatically and should be a primary focus for organizations as it relates to security.
Why Is Segregation of Duties Necessary?
In order to highlight why an effective SoD policy is necessary, consider the following scenario. Imagine a junior accountant in your organization has created a purchase order that was requested at the last minute by the marketing department. While a more senior accountant would normally take time to review the purchase order, she is unexpectedly out of office. Wanting to keep the purchase order moving, the junior accountant goes into the financial system and approves the purchase order himself. In this example, the ability of the junior accountant to both create and approve a purchase order indicates that an essential SoD policy has not been established to prevent account abuse.
So what makes segregation of duties so important? Simply put, having an SoD policy serves as an internal control to prevent toxic combinations of access within an organization that can lead to fraud, abuse or error.
The same CSO Online article indicates that SoD has two primary objectives. ‘The first is the prevention of conflict of interest (real or apparent), wrongful acts, fraud, abuse and errors. The second is the detection of control failures that include security breaches, information theft and circumvention of security controls.’ In other words, effective SoD controls decrease the risks of fraud or abuse within an organization by putting in place checks and balances that separate what individuals can and cannot do within a given task.
Another benefit of implementing proper segregation of duties is to reduce the risk of error associated with individual responsibilities. For example, if you only have one person responsible for completing financial reporting, there is a chance that honest mistakes can be made and errors can occur. Having multiple people in the financial reporting chain helps ensure that these critical errors are avoided.
How Does Identity Governance Support Effective SoD Policies and Controls?
Organizations that view segregation of duties as an essential internal control turn to identity governance and administration (IGA) to help them centralize, monitor, manage, and review access continuously. IGA solutions not only ensure access to information like financial data is strictly controlled, but also enable organizations to prove they are taking actions to meet compliance requirements.
Conducting Access Reviews
Within the climate of regulatory compliance, especially increasing auditor demands, it is imperative for organizations to review user access periodically. Conducting frequent access reviews or certifications is a key area within identity governance. An access certification, also called an attestation, occurs when a manager reviews a user’s access and validates that the user still requires—or no longer requires—access to an application, system, or platform. If access is considered unnecessary, then it should be removed.
While no one looks forward to these periodic review processes, access certification is made easier by using a solution that improves accuracy and avoids the use of web-based text lists or spreadsheets. It also enables managers to understand which users have access to specific systems, and which users are outliers when compared to their peers. This leads to greater access review accuracy across the organization because reviewers have an increased understanding of what they are reviewing. Organizations seeking to streamline the access review process should ensure an automated certification process empowers them to:
- Easily identify and manage access rights for applications
- Conduct access certifications to applications and file shares
- Remediate inappropriate or high-risk access
- Respond to compliance audit demands
Checking for SoD Conflicts at the Time of Request
Identity governance also helps identify segregation of duties conflicts at the time access requests are made. It is relatively easy to spot a request for two areas that conflict directly. It is harder to detect a request that conflicts with access the person already holds, and hardest of all when that existing access was granted indirectly or is inherited. An effective identity governance solution enables organizations to reveal and check for each of these types of SoD conflict, specifically at the time of request, ensuring SoD policies are not violated.
Another key area for organizations to consider as part of their review process and broader IGA program is micro-certifications. Since the time between new provisioning and the next audit or review process can be fairly lengthy, it is important to have a set of controls that can quickly identify anomalous access, especially when that access violates an important segregation of duties policy. This can be done through the use of micro-certifications.
Micro-certifications allow managers within the organization to be alerted when an employee may have new or updated access and entitlements other than what is expected, or if staff gain access through an outside process, commonly referred to as ‘out of band’. This alert allows the approver to perform an immediate access review associated with the event, significantly reducing any chance of insider threats within the system. Micro-certifications go hand-in-hand with access risk intelligence solutions, which identify, prioritize, and manage risk in your organization.
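The following is an added example, not code from the original post or from any IGA product, showing the two checks described above: a request-time SoD check that expands role inheritance so indirect access is caught, and a micro-certification check that flags entitlements observed on a target system which the governance record does not explain. The role hierarchy, entitlement names and the single policy are constructed from the purchase-order scenario in the text.

```python
from collections import deque

# Constructed sample data (assumption, not from the original post): a role hierarchy,
# the entitlements each role grants, and one toxic combination taken from the
# purchase-order scenario in the text.
ROLE_PARENTS = {  # child role -> roles it inherits from
    "finance_staff": [],
    "junior_accountant": ["finance_staff"],
    "senior_accountant": ["finance_staff"],
    "ap_supervisor": ["senior_accountant"],   # inherits approve_po indirectly
}
ROLE_ENTITLEMENTS = {
    "finance_staff": {"erp:view_ledger"},
    "junior_accountant": {"erp:create_po"},
    "senior_accountant": {"erp:approve_po"},
    "ap_supervisor": {"erp:release_payment"},
}
SOD_POLICIES = [("po_create_vs_approve", {"erp:create_po", "erp:approve_po"})]

def effective_entitlements(roles):
    """Expand roles through the hierarchy so inherited access is counted."""
    seen, queue, ents = set(), deque(roles), set()
    while queue:
        role = queue.popleft()
        if role in seen:
            continue
        seen.add(role)
        ents |= ROLE_ENTITLEMENTS.get(role, set())
        queue.extend(ROLE_PARENTS.get(role, []))
    return ents

def sod_violations(entitlements):
    """Names of every policy whose full toxic combination is present."""
    return [name for name, combo in SOD_POLICIES if combo <= entitlements]

def check_request(current_roles, requested_roles):
    """Request-time check: new conflicts the request would introduce, including
    against access the user already holds directly or by inheritance."""
    before = sod_violations(effective_entitlements(current_roles))
    after = sod_violations(effective_entitlements(current_roles + requested_roles))
    return [v for v in after if v not in before]

def out_of_band_changes(expected_roles, observed_entitlements):
    """Micro-certification trigger: entitlements observed on the target system that
    the IGA record does not explain, plus any SoD policy the observed set violates."""
    unexpected = observed_entitlements - effective_entitlements(expected_roles)
    return sorted(unexpected), sod_violations(observed_entitlements)
```

A request for `junior_accountant` by someone holding `ap_supervisor` is blocked even though `erp:approve_po` is never assigned to that user directly, and an `erp:approve_po` grant that appears on the ERP without a matching governance record is surfaced for immediate review.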
Do You Have Effective SoD Policies in Place?
Ensuring you have the proper SoD policies and internal controls in your organization requires you to know who and what is most vulnerable in your environment. And that takes both intelligence and action—revealing any inappropriate access that exists in your organization. Remember, you can only manage what you can see. So don’t ignore the importance of dealing with access risks—especially segregation of duties violations—that could pose a real threat to your organization.