Segregation of Duties: A Cornerstone of Information Security and Audit

In the vast realm of information security, trust can be both a facilitator and a potential threat. It’s a delicate balance that, when tipped in the wrong direction, can create vulnerabilities that compromise the integrity of critical processes. This is where the concept of Segregation of Duties (SoD) comes into play, acting as a robust control mechanism to mitigate risks and ensure a more secure information landscape.

How Segregation of Duties (SoD) Reduces Fraud and Protects Your Business

The principle of Separation of Duties (SoD) is not just a mundane concept – it embodies the essence of distributing critical tasks across diverse individuals or departments. This deliberate allocation of responsibilities is a strategic move, aimed at ensuring that no single person wields the unchecked authority to initiate, authorize, or conceal unauthorized activities concerning information systems or data. This approach stems from the fundamental belief in establishing a robust system of checks and balances, effectively minimizing the potential for fraud, errors, and security breaches.

The significance of SoD becomes evident when we consider its role in addressing key information security concerns. One of the primary benefits is the reduction of fraud risk. When an individual controls the entire transaction cycle – from initiation to approval and execution – opportunities for fraudulent manipulation increase. SoD acts as a deterrent by dispersing control, making it considerably harder for one person to commit and conceal illicit activities.

Another critical aspect is the enhancement of error detection. With multiple individuals involved in different stages of a process, discrepancies, mistakes, and even malicious actions are more likely to be identified. The principle here is simple – one person’s error can be caught by another, preventing potentially catastrophic consequences.

Furthermore, SoD contributes to improved accountability by fostering clear-cut responsibilities. Actions can be traced back to specific individuals, encouraging adherence to policies and procedures and deterring intentional misuse of information.

SoD doesn’t operate in isolation; it complements other security measures like access controls and logging. It adds an extra layer of protection, acting as a fail-safe that can mitigate the effectiveness of a compromised account or bypassed control.

Implementing SoD effectively requires a strategic approach. It involves careful planning and consideration of key factors:

  1. Identify Critical Processes: Prioritize key workflows related to data access, system administration, financial transactions, and sensitive data handling.
  2. Define Roles and Responsibilities: Clearly define responsibilities for each stage of critical processes, ensuring there is no overlap or conflicting duties.
  3. Implement Least Privilege: Grant users only the access and permissions strictly necessary to fulfill their specific roles.
  4. Conduct Regular Reviews: Periodically assess and adapt SoD implementation based on evolving threats, business needs, and personnel changes.

The application of Separation of Duties (SoD) is crucial in various real-world scenarios across different industries. It involves delving into the intricacies of role management and access control within an organization. One notable example is the necessity for compatible roles, such as a system administrator needing separate roles for user provisioning and access control. This showcases the importance of a clear delineation of duties, ensuring that each responsibility is allocated to the appropriate individual or team.

Conversely, incompatible roles present significant challenges. For instance, a financial manager who has the authority to approve payments while also possessing the ability to modify invoices inadvertently creates potential conflicts. These conflicts highlight the critical role of SoD in preventing unauthorized or erroneous activities that could result from overlapping responsibilities.

In practical terms, understanding the consequences of both compatible and incompatible role combinations is essential for implementing effective SoD measures. That understanding drives the development of policies and procedures that mitigate the risks of unauthorized access, fraud, and error in critical business processes.
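The review step in the implementation list above, and the compatible/incompatible role examples just discussed (provisioning versus access control, approving payments versus modifying invoices), come down to one mechanical check: does any single identity hold two permissions that the policy says must stay apart? The following Python script is an added example, not code from the original article; the role names, permission strings, conflict pairs and user-to-role assignments are all constructed for illustration, standing in for an IAM export.

```python
"""Segregation-of-duties conflict check over a role catalogue and user assignments.

Added example (not from the original article). Everything below is constructed:
role names, permission strings, the conflict matrix and the user assignments
are hypothetical stand-ins for what an IAM or ERP export would provide.
"""
from itertools import combinations

# Constructed role catalogue: role -> set of permission strings.
ROLE_PERMISSIONS = {
    "ap_clerk": {"invoice.create", "invoice.modify"},
    "ap_approver": {"payment.approve"},
    "treasury": {"payment.release"},
    "iam_provisioner": {"user.create"},
    "iam_access_admin": {"group.assign"},
    # A legacy role that both provisions users and grants access: toxic on its own.
    "sysadmin_legacy": {"user.create", "group.assign"},
}

# Constructed conflict matrix: permission pairs no single identity may hold together.
CONFLICTING_PAIRS = [
    ("invoice.modify", "payment.approve"),   # edit the bill and approve paying it
    ("payment.approve", "payment.release"),  # approve and execute the payment
    ("user.create", "group.assign"),         # create an account and grant it access
]

# Constructed IAM export: user -> set of assigned roles.
USER_ROLES = {
    "alice": {"ap_clerk"},
    "bob": {"ap_approver"},
    "carol": {"ap_clerk", "ap_approver"},   # accumulated both over time
    "dave": {"sysadmin_legacy"},
    "erin": {"iam_provisioner"},
}


def effective_permissions(roles, role_permissions=ROLE_PERMISSIONS):
    """Union of the permissions granted by every role a user holds."""
    perms = set()
    for role in roles:
        perms |= role_permissions.get(role, set())
    return perms


def find_conflicts(user_roles=USER_ROLES, role_permissions=ROLE_PERMISSIONS,
                   pairs=CONFLICTING_PAIRS):
    """Return {user: [(perm_a, perm_b), ...]} for every user holding a toxic pair.

    The check is on effective permissions, not role names, so a conflict that
    arises only from combining two otherwise-clean roles is still caught.
    """
    findings = {}
    for user, roles in sorted(user_roles.items()):
        perms = effective_permissions(roles, role_permissions)
        hits = [(a, b) for a, b in pairs if a in perms and b in perms]
        if hits:
            findings[user] = hits
    return findings


def role_conflicts(role_permissions=ROLE_PERMISSIONS, pairs=CONFLICTING_PAIRS):
    """Catalogue-level review: roles toxic by themselves, and role pairs that
    must never be co-assigned (excluding pairs already explained by a toxic role)."""
    def has_pair(perms):
        return any(a in perms and b in perms for a, b in pairs)

    single = [r for r, p in role_permissions.items() if has_pair(p)]
    pair_findings = []
    for r1, r2 in combinations(sorted(role_permissions), 2):
        if r1 in single or r2 in single:
            continue
        if has_pair(role_permissions[r1] | role_permissions[r2]):
            pair_findings.append((r1, r2))
    return single, pair_findings


if __name__ == "__main__":
    for user, hits in find_conflicts().items():
        print(f"{user}: holds conflicting permissions {hits}")
    toxic_roles, toxic_pairs = role_conflicts()
    print("roles that violate SoD on their own:", toxic_roles)
    print("role pairs that must not be co-assigned:", toxic_pairs)
```

Running it reports carol (invoice editing plus payment approval) and dave (the legacy admin role), flags `sysadmin_legacy` as a role that should be split, and lists the role pairs a provisioning workflow should refuse to co-assign. Running `find_conflicts` on each periodic review, and `role_conflicts` whenever the role catalogue changes, is the practical form of the "Conduct Regular Reviews" step.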

The balance between providing individuals with the necessary permissions to fulfill their responsibilities and safeguarding against potential misuse of authority is a key aspect of SoD. As organizations strive to fortify their internal controls and governance frameworks, the application of SoD becomes an indispensable tool in promoting accountability, transparency, and security within the operational landscape.

History provides us with valuable lessons on the impact of SoD. The Enron scandal serves as a stark example of the failure to implement SoD, allowing employees to manipulate financial records and ultimately leading to the company’s collapse. Conversely, the Sony PlayStation Network breach, despite its severity, demonstrated the success of robust SoD practices, preventing unauthorized access to critical financial data and minimizing damage.

It’s essential to recognize that SoD is not a one-time fix but an ongoing journey. Its implementation involves navigating through organizational structures, technology constraints, and human factors. As organizations evolve and threats change, adapting and strengthening SoD practices is crucial to maintaining a secure information fortress.

This overview only scratches the surface of SoD’s depth and complexity. For those seeking a deeper understanding, exploring resources such as NIST Special Publication 800-161 “Supply Chain Risk Management Practices for Federal Information Systems and Organizations” and ISACA CISA Certification materials can provide valuable insights.

Embracing SoD as a cornerstone of any information security strategy is a continuous effort to build and reinforce the walls that protect valuable assets. In the ever-evolving landscape of information security, embracing SoD is not just a best practice; it’s a necessity.

IT Security From The Eyes Of Data Scientists

Enterprises will increasingly employ data science experts to help drive security analytics and risk mitigation

As IT security leaders try to base more of their day-to-day decisions on statistical analysis of relevant data coming from IT infrastructure and business processes, they’re running into a skills and resource gap. Often security teams have lots of specialists with deep technical knowledge of attack techniques and trends, but they frequently lack the skills to aggregate and manipulate data in order to draw meaningful conclusions from statistical trends.

90% of passwords are vulnerable to hack

Deloitte warns over 90% of user-generated passwords will be vulnerable to hacking this year

Deloitte has claimed that over 90 per cent of user-generated passwords will be vulnerable to hacking in 2013, which it says could result in billions of dollars of loss, declining confidence in internet transactions and loss in trust of the businesses who fall victim.

Jolyon Barker, global lead for Deloitte’s technology, media and telecommunications industry, said “Whilst moving to stronger, longer passwords means greater levels of security, people understandably find these harder to remember.”

He added that so-called ‘two-factor authentication’, using additional methods, could improve security. “Instead an additional bit of identification can be used. It could be a password sent to a cell phone or smartphone, a physical device that plugs into a USB slot, or possibly be a biometric feature of the user,” Mr Barker said.

Deloitte said inadequate password protection may result in billions of dollars of losses, declining confidence in internet transactions and significant damage to the reputations of the companies compromised by attacks. As the value of the information protected by passwords continues to grow, attracting more hack attempts, high-value sites will likely require additional forms of authentication.

Security software developer Splashdata has released its annual list of the worst — and most common — passwords used on the web in 2012. Worryingly, very little has changed from 2011: “password”, “123456” and “12345678” still hold the top spots.

In addition, several new arrivals in the top 25 awful passwords are “jesus”, “welcome”, “mustang”, and sadly “ninja”.

According to PC World, the data is based on file dumps from online hacking campaigns, which include high-profile security breaches suffered at Yahoo, LinkedIn, eHarmony, and Last.fm. Here is the complete list, including places going up or down:

Rank  Password   Change from 2011
1     password   Unchanged
2     123456     Unchanged
3     12345678   Unchanged
4     abc123     Up 1
5     qwerty     Down 1
6     monkey     Unchanged
7     letmein    Up 1
8     dragon     Up 2
9     111111     Up 3
10    baseball   Up 1
11    iloveyou   Up 2
12    trustno1   Down 3
13    1234567    Down 6
14    sunshine   Up 1
15    master     Down 1
16    123123     Up 4
17    welcome    New
18    shadow     Up 1
19    ashley     Down 3
20    football   Up 5
21    jesus      New
22    michael    Up 2
23    ninja      New
24    mustang    New
25    password1  New

According to research from Norton, nearly half of Internet users do not use a complex password, and over 25 percent of adults online have been notified to change their password after an account was compromised. In addition, 46 percent of users aged between 18 and 64 don’t use a password that combines phrases, letters, numbers, symbols and upper- and lower-case letters — which are more difficult to crack.

The simple fact of the matter is that if you choose a password which follows a simple pattern or is an obvious word, not only will it be easy for you to remember, but it will also be easy for simple attacks to breach your personal security.

To create a secure password, avoid easy keyboard patterns such as ‘qwerty’ or ‘123’, mix capital and lower-case letters, and keep your passwords varied. A difficult-to-guess but memorable word, such as a book character or favorite food, works better than ‘password’ or ‘letmein’, and switching word orders will boost the security of your online accounts further.
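The advice above (avoid the common list, avoid keyboard walks and simple sequences, mix character classes) is the kind of rule a sign-up form or a password audit can enforce before a weak choice ever reaches an account. The Python below is an added example, not code from the original article or from Splashdata; it uses the 2012 top-25 list from the page as its deny-list, while the keyboard rows, the 12-character minimum, the three-class rule and the sample passwords are constructed heuristics chosen for illustration, not a published standard.

```python
"""Weak-password pattern check: deny-list, keyboard walks, sequences, character mix.

Added example (not from the original article). The deny-list is the 2012
Splashdata top 25 quoted on the page; the keyboard rows, minimum length of 12,
three-character-class rule and sample inputs are constructed heuristics.
"""
import re

SPLASHDATA_2012 = [  # the page's list, in rank order
    "password", "123456", "12345678", "abc123", "qwerty", "monkey", "letmein",
    "dragon", "111111", "baseball", "iloveyou", "trustno1", "1234567", "sunshine",
    "master", "123123", "welcome", "shadow", "ashley", "football", "jesus",
    "michael", "ninja", "mustang", "password1",
]
DENYLIST = set(SPLASHDATA_2012)

# Constructed: US QWERTY rows used to detect keyboard walks such as "qwer" or "zxcv".
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
MIN_LENGTH = 12          # constructed policy value
MIN_CLASSES = 3          # constructed policy value


def _runs(s, n):
    """All length-n substrings of s (empty if s is shorter than n)."""
    return {s[i:i + n] for i in range(len(s) - n + 1)}


def has_keyboard_walk(pw, n=4):
    """True if any n-char run of pw is a forward or reverse fragment of a keyboard row."""
    candidate = _runs(pw.lower(), n)
    for row in KEYBOARD_ROWS:
        if candidate & (_runs(row, n) | _runs(row[::-1], n)):
            return True
    return False


def has_sequence(pw, n=3):
    """True if pw contains n characters that step by exactly +1 or -1 (e.g. 'abc', '321')."""
    low = pw.lower()
    for i in range(len(low) - n + 1):
        codes = [ord(c) for c in low[i:i + n]]
        steps = {b - a for a, b in zip(codes, codes[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def strip_trailing_digits(pw):
    """'mustang2012' -> 'mustang': catches a listed word with a year or '1' appended."""
    return re.sub(r"\d+$", "", pw)


def check_password(pw):
    """Return the list of reasons the password is weak; an empty list means no finding."""
    reasons = []
    low = pw.lower()
    if low in DENYLIST:
        reasons.append("in common-password list")
    elif strip_trailing_digits(low) in DENYLIST:
        reasons.append("common password with digits appended")
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if has_keyboard_walk(pw):
        reasons.append("keyboard pattern")
    if has_sequence(pw):
        reasons.append("sequential characters")
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < MIN_CLASSES:
        reasons.append(f"fewer than {MIN_CLASSES} character classes")
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for sample in ("password", "mustang2012", "qwerty123", "Correct-Battery-Staple-9"):
        findings = check_password(sample)
        print(f"{sample!r}: {'ok' if not findings else ', '.join(findings)}")
```

The deny-list check is deliberately applied after lower-casing and after stripping trailing digits, because "Password1" and "mustang2012" are the same guess as the listed word from an attacker's point of view; the keyboard and sequence checks work on substrings, so embedding "qwer" inside a longer string is still flagged. In a real deployment the deny-list would be far larger than 25 entries and the policy values would come from the organisation's standard.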