Mention IT security to most people and they think of firewalls, intrusion detection systems, antivirus software, two-factor authentication and many other highly marketed security products. While these certainly all have a role in information assurance, so does the segregation of duties, a critical aspect of fraud prevention and detection. However, this vital security control is often overlooked, even though it is a fundamental element of effective internal control within an organisation.
Segregation-of-duties best practices are especially important for small businesses. A lack of segregation of duties is a significant contributing factor in almost all occurrences of fraud, and is often found to be a weakness during post-analysis of system compromises. Segregation of duties means the steps in key processes are divided among two or more people so that no one individual can act alone to subvert a process for his or her own gain or purposes. Clause 10.1 of ISO 27001 Annex A covers operational procedures and responsibilities, and control A.10.1.3, "Segregation of duties", states that duties and areas of responsibility should be segregated to reduce opportunities for unauthorised or unintentional modification or misuse of the organisation's assets.
Any organisation that is ISO 27001 certified will know that segregation of duties is an area that comes under close scrutiny during compliance reviews, and if any processes aren't well segregated, the auditors will then conduct thorough integrity checks on any affected systems. Thus, it makes sense to consider segregation of duties from the outset. Standard management reviews of employees' work can catch improper activities, but they will never be as effective at preventing fraud and other malicious activities as well-documented, well-implemented and well-enforced duty segregation for in-house and contracted personnel.
The two departments at the greatest risk from fraud within an organisation are accounting and IT. Money is often the motivating force behind attempted fraud, and even trusted employees under financial pressure may rationalise away their fraudulent activities: "The company can afford it", "They don't pay me enough" or "It's not doing anyone any personal harm" are a few such rationalisations. As more processes become paperless, less hard evidence is produced that employers could use to spot and prove fraud. Also, many off-the-shelf accounting software and network management product suites do not make it easy to implement proper duty segregation; their customisable workflows often make it easier for users to falsify accounting records, make illegal payments, and access and steal sensitive data.
Segregation of duties may be easier to achieve in larger organisations with bigger budgets and more comprehensive staffing; for smaller companies with limited personnel and resources, it can present a challenge. So let's look at some potential compensating controls and other solutions and best practices for organisations struggling with segregation of duties, small businesses in particular.
Pre-employment screening is a fundamentally important element of a personnel security regime. The role of pre-employment screening is to establish that job applicants and contractors are who they claim to be, verify their credentials and check that they meet any preconditions of employment. These checks also establish whether applicants have concealed important information or misrepresented themselves, or if they present a possible security concern.
As with all aspects of security, checks on employees should be a continuous process, not a one-off event that only occurs when somebody is hired. Once hired, employees can exploit their legitimate access to the organisation's assets for a variety of purposes. Therefore, policies and procedures need to cover personnel security not just at the point of hire, but as an ongoing activity to manage the risk of existing staff and contractors who may be looking to exploit their legitimate access to your premises, assets or data.
If staff know that personnel security doesn’t stop once they’ve been hired, it will discourage all but the most determined. Be aware that people and attitudes can change, either gradually or in response to particular events. Insider acts are often carried out by employees who had no malicious intent when joining the organisation, but whose loyalties and motives changed since recruitment.
Managers should know their staff well enough to recognise any changes in their habits and lifestyles that don’t have a valid explanation, such as increasingly illogical, secretive and nervous behaviour, or new designer clothes, an expensive new car or exotic holidays. Conversely, beware of employees who never take a day sick or have a holiday, in other words, people who are always at their desks. This devotion to their job could be because they need to stay on top of their fraudulent activities to avoid detection.
Although managers can’t control employees’ motivations for committing fraud, they can create an environment and establish procedures to reduce the number of opportunities to take advantage of their position within the company. Employers should let their employees know that checks, such as regular reviews of network logs and reconciliation of financial statements and records, are in place to prevent and detect fraud.
Where possible, implement assignment rotations for personnel and ensure employees are forced to take at least one two-week holiday a year. A mandatory vacation policy is a must, as system abuse can come to light if a cover worker notices irregularities in the vacationing person’s work. These types of practices will assist in identifying long-standing undesirable activities.
While care should be taken to avoid creating an atmosphere of distrust, the presence and active involvement of senior managers is sometimes enough to prevent many employees from attempting to defraud the company. These senior individuals should be instructed on the importance of segregation of duties, and be charged with ensuring no one individual in their business units has unchecked, unmonitored systems access. On the positive side, such malicious activity should be easier to detect within a smaller organisation, as its structure will generally be flatter and tightly interconnected. However, out of necessity, certain individuals, such as the personnel officer, accounts manager and the head of IT, will often have far-reaching rights and powerful privileges in order to get their jobs done. Therefore, certain checks and balances need to exist to ensure these privileges aren’t abused.
The person who opens the mail shouldn’t be preparing deposit slips and taking cheques to the bank. More than one person should always be involved in these types of financial processes to reduce the risk of collusion and fraud. Other activities that can be easily separated include:
- Mail receipt and distribution;
- Application development and verification;
- Application development and administration;
- Network administration and log analysis;
- Database administration, and bank or user account administration;
- Payments and payment authorisation.
Databases should be set up to support task and role segregation. Careful role creation should ensure only the privileges necessary for employees to complete their jobs are granted within each role. Convenience often replaces security when it comes to assigning access privileges, particularly database privileges. Most end users are given far more privileges than they really need, often because it can be time consuming or politically difficult to give each person the exact permissions needed. Broad-brush database privileges can be misused by authorised but unethical employees. Implementing the principle of least privilege, which "gives the user no more privilege than is necessary to perform a task or job", is even more important in situations where it is difficult to establish a complete separation of duties.
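To make the list of separable duties above and the role design in this paragraph concrete, here is an added Python example (not from the article): a small checker that encodes the article's conflicting-duty pairs, flags any user whose combined roles hold both halves of a pair, and enforces dual control on payments. The role names, the role-to-duty map and the user assignments are constructed sample data.

```python
"""Segregation-of-duties (SoD) conflict checker. Added example; the conflict
pairs come from the article's list, everything else is constructed sample data."""

# Duties that must never sit with one person (from the article's list).
CONFLICTING_DUTIES = {
    frozenset({"mail_receipt", "bank_deposit"}),
    frozenset({"app_development", "app_verification"}),
    frozenset({"app_development", "app_administration"}),
    frozenset({"network_administration", "log_analysis"}),
    frozenset({"database_administration", "account_administration"}),
    frozenset({"payment_entry", "payment_authorisation"}),
}

# Constructed role-to-duty map for a small company (assumption, not the article's).
ROLE_DUTIES = {
    "developer": {"app_development"},
    "qa": {"app_verification"},
    "sysadmin": {"network_administration", "app_administration"},
    "security_analyst": {"log_analysis"},
    "dba": {"database_administration"},
    "hr": {"account_administration"},
    "clerk": {"mail_receipt", "payment_entry"},
    "finance_manager": {"bank_deposit", "payment_authorisation"},
}

# Constructed user-to-role assignments; bob and erin are deliberate shortcuts.
SAMPLE_ASSIGNMENTS = {
    "alice": {"developer"},
    "bob": {"sysadmin", "security_analyst"},   # admin who also reviews the logs
    "carol": {"clerk"},
    "dave": {"finance_manager"},
    "erin": {"clerk", "finance_manager"},      # one person runs all of finance
}

def duties_for(roles):
    """Union of all duties a user holds through every role assigned to them."""
    return set().union(*(ROLE_DUTIES[r] for r in roles))

def sod_violations(assignments):
    """Map each offending user to the sorted conflicting duty pairs they hold.
    Conflicts are evaluated on the union of roles, so two 'clean' roles can
    still combine into a violation."""
    found = {}
    for user, roles in assignments.items():
        held = duties_for(roles)
        hits = sorted(tuple(sorted(p)) for p in CONFLICTING_DUTIES if p <= held)
        if hits:
            found[user] = hits
    return found

def authorise_payment(assignments, entered_by, approved_by):
    """Dual control: return None if the approval is acceptable, else the reason."""
    if entered_by == approved_by:
        return "same person entered and authorised the payment"
    if "payment_entry" not in duties_for(assignments[entered_by]):
        return f"{entered_by} lacks the payment_entry duty"
    if "payment_authorisation" not in duties_for(assignments[approved_by]):
        return f"{approved_by} lacks the payment_authorisation duty"
    return None
```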
Generally nobody other than a system administrator will need access to every database and every application, and for administrators there should be additional measures, such as server rooms requiring paired access with sign-in and sign-out procedures. Given the in-depth knowledge admins have of an organisation's IT operations, they should have clearly defined operational task limitations and be held accountable for any unauthorised activities outside of those limitations.
Information security audits should be carried out on a regular basis with a particular regard for identifying possible fraudulent activities. Malicious activity is usually covert, so existing controls should be checked to see how well they prevent and detect fraud. In the same way that a company’s accounts are audited by an independent firm of accountants every year, so too should the work of system administrators; in fact, control A.6.1.8 of ISO 27001 requires an independent review of information security at planned intervals.
While not foolproof, duty segregation will help deter errors and irregularities by those developing, accessing or administering computer and accounting systems. It also makes information gathering harder for attackers, as they need to obtain information from a greater number of people. The critical point is to understand and appreciate the fraud environment factors that affect your particular organisation and implement mitigating controls where tasks can’t be fully segregated and there is a lack of paper evidence.
About the author:
Michael Cobb, CISSP-ISSAP, is a renowned security author with more than 15 years of experience in the IT industry. He is the founder and managing director of Cobweb Applications, a consultancy that provides data security services delivering ISO 27001 solutions. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Cobb serves as SearchSecurity.com’s contributing expert for application and platform security topics, and has been a featured guest instructor for several of SearchSecurity.com’s Security School lessons.
This was first published in December 2011