Organizations need to have definitions in place to support the segregation of control duties amongst internal personnel. Without these controls, personnel may pose an unnecessary risk due to the combined access permissions that are granted to a single user.
Examples of this are an employee in Finance who is able to both “approve” and “issue” checks, or an IT user who is able to both “approve” and “create” a new, unmonitored account, which could be leveraged to perform nefarious activities. The segregation of control duties is the focus of pitfall #39 in my eBook, Security Program Pitfalls and Prescription to Avoid Them.
Your organization should implement segregation of control duties for conflicting functions or areas of responsibility, to reduce the opportunities for the unauthorized or unintentional modification, fraud, or misuse of information and information systems. Dual-control procedures, including a reconciliation process, should be implemented for high-risk activities wherever appropriate and possible.
You should ensure that appropriate mitigating controls are implemented if there are areas within your organization that present challenges or make it difficult to implement segregation of duties controls. Mitigating controls may include increased monitoring of activities, reviewing audit trails, or management supervision of high-risk functions. A system of dual controls (e.g., two individuals with separate responsibilities needing to work together to accomplish a single task) should be required and implemented whenever possible. Security or auditing activities should always remain independent. The monitoring, reviewing, or supervision of high-risk activities should not be performed by the same personnel that performed the original high-risk task or function.