Segregation of Duties
Segregation of duties, and specifically segregation of cybersecurity management duties, is a practice that mitigates risks that integrated IT/security staffing can fail to reduce, or can even create in the first place. Segregating duties as a form of risk management is already established in some areas of financial institutions. For example, the chief lending officer would not be the person approving loans, nor would one person alone be in charge of outgoing wires. This practice can and should be extended into a financial institution’s cybersecurity operations, yet it is common in IT to see one person responsible for both setting up and monitoring the email system, or for both the network and the penetration testing of that network.
The first step in applying this concept to protect your network is to identify the risks you face. These include potential fraud, security breaches, information theft, circumvention of security controls, and human error. In fact, in 2016, roughly 80% of breaches were tied to human error. Clearly, reducing the risk that arises from employee error (or intentional malfeasance) and from organizational structure is important.
The overarching goal of segregation is to prevent any individual from holding conflicting duties or from being in a position to report on themselves or their superiors. In a cybersecurity operation, can any one person alter, destroy or steal data without being detected? Does any one person have influence over the design and implementation of controls and also over the reporting on the effectiveness of those same controls? If so, segregation of duties must be considered to mitigate risk, prevent harmful acts, and ensure that all stakeholders have a complete understanding and awareness of the security operation.
The importance of segregation of duties is bolstered by the frequent attention it receives in the FFIEC guidelines. Governance, risk, and compliance are specifically highlighted at the corporate leadership level and again at the IT management level. Deficiencies in segregating duties are often called out in audits.
If the goal is segregation of duties, how does an organization begin to move toward it? An individual should be designated as responsible for each of your security processes. Information security reports should be brought to the board of directors by a designated CISO. The CISO should also report to the audit committee, provided the committee doesn’t report to the CFO. A third party should be engaged to conduct audits and testing, and potentially even to monitor security.
Chris Johnson, onShore’s Security Compliance Strategist, can answer any questions you might have about segregation of duties. To reach him, call onShore at 312-850-5200.