Introduction:
Information security is a critical aspect of any organization, and maintaining the security of sensitive data and systems is essential to ensure business continuity and protect against potential security breaches.
One of the fundamental principles of information security is segregation of duties, which involves separating critical duties or tasks to reduce the possibility of negligence, incompetence, and inappropriate activities.
The ISO/IEC 27001 standard includes a specific control (A.6.1.2) that requires organizations to identify and segregate operational duties that are critically important to information security.
In this article, we will discuss the importance of segregation of duties and provide a sample checklist that can be used to assess compliance with this control.
Sample Checklist:
- Identify critical operational duties or tasks that are important to information security.
- Determine the individuals or roles responsible for performing these duties.
- Assess the risks associated with these duties and determine whether segregation is necessary.
- Create a RACI-type matrix to identify who is responsible, accountable, consulted, or informed for each key task or duty.
- Ensure that network and system administration is separate from security administration.
- Prohibit access requesters from approving their own requests or creating their own login credentials.
- Ensure that access rights reconciliation is not done solely by system administrators.
- Prohibit application developers and testers from having routine access to production environments.
- Prohibit change requesters from having the authority to approve their own requests.
- Ensure that reviews of firewall rules are not done solely by network administrators.
- Ensure that the review of security logs, incident reports, alarms, and alerts is not performed solely by the IT professionals who use them.
- Ensure that audits are performed by competent and independent auditors.
- Develop a policy covering segregation of duties.
- Determine the decision-making authority regarding segregation of duties.
- Review segregated duties periodically or when situations and risks change or incidents occur.
- Use compensating controls where segregation is impracticable or infeasible.
- Conduct regular monitoring of activities and audit trails.
- Ensure adequate management supervision, particularly for critical aspects.
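Several of the checklist items above reduce to two machine-checkable rules: no single person holds both halves of a conflicting duty pair, and no review duty is performed solely by the role it is meant to check. The following is an added example, not part of the original article or of ISO/IEC 27001; the duty names, conflict pairs, role names and sample assignments are assumptions derived from the checklist items.

```python
# Segregation-of-duties check over role/duty assignments.
# Added example, not part of the original article: duty names, conflict pairs
# and the sample data are assumptions built from the checklist items.
from collections import defaultdict

# Duty pairs the checklist says one person must not hold together.
CONFLICTING_DUTIES = {
    ("request_access", "approve_access"),
    ("request_change", "approve_change"),
    ("develop_application", "access_production"),
    ("system_administration", "security_administration"),
}

# Review duties that must not be performed solely by the named role.
REVIEW_INDEPENDENCE = {
    "review_firewall_rules": "network_admin",
    "reconcile_access_rights": "system_admin",
    "review_security_logs": "it_operations",
}

def find_conflicts(assignments):
    """Return (person, duty_a, duty_b) for each conflicting pair one person holds."""
    conflicts = []
    for person, duties in assignments.items():
        held = set(duties)
        for a, b in sorted(CONFLICTING_DUTIES):
            if a in held and b in held:
                conflicts.append((person, a, b))
    return conflicts

def find_sole_reviewers(assignments, roles):
    """Return review duties done only by the role that must not perform them alone."""
    performers = defaultdict(set)  # duty -> set of roles that perform it
    for person, duties in assignments.items():
        for duty in duties:
            if duty in REVIEW_INDEPENDENCE:
                performers[duty].add(roles[person])
    # A duty nobody performs has an empty set and is not reported here.
    return sorted(duty for duty, restricted in REVIEW_INDEPENDENCE.items()
                  if performers[duty] == {restricted})

# Constructed sample data: a small team with deliberate SoD violations.
SAMPLE_ROLES = {"alice": "developer", "bob": "network_admin",
                "carol": "security_admin", "dave": "system_admin"}
SAMPLE_ASSIGNMENTS = {
    "alice": ["develop_application", "access_production", "request_change"],
    "bob": ["review_firewall_rules", "request_access", "approve_access"],
    "carol": ["security_administration", "approve_change"],
    "dave": ["system_administration", "reconcile_access_rights"],
}
```

Running `find_conflicts(SAMPLE_ASSIGNMENTS)` flags alice (developer with production access) and bob (approving his own access requests), while `find_sole_reviewers(SAMPLE_ASSIGNMENTS, SAMPLE_ROLES)` flags the firewall review and the access-rights reconciliation as lacking an independent reviewer.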
Conclusion:
Segregation of duties is a fundamental principle of information security, and organizations must identify and segregate critical operational duties to reduce the possibility of inappropriate activities and potential security breaches.
The ISO/IEC 27001 standard includes a specific control (A.6.1.2) that requires organizations to identify and segregate operational duties that are critically important to information security.
By following the sample checklist provided in this article, organizations can assess their compliance with this control and ensure that appropriate measures are in place to maintain the security of sensitive data and systems.