- What is segregation of duties and why is it a commonly used control? Give an example of two (e.g. IT) roles that should be segregated?
- Security in an ERP system (e.g. SAP) is complex. What is the most fuzzy, difficult to understand component? Explain
- What key (1-2) competencies does the person responsible in a company for security (e.g. for a given process) need to have to be successful? Why?
- All companies are dynamic entities with employees and others using systems coming and going all the time. What best practices have you experienced or would you recommend for managing system users and their related security access?
Comments
Sean Patrick Walsh says
1. What is segregation of duties and why is it a commonly used control? Give an example of two (e.g. IT) roles that should be segregated?
Segregation of duties is a method of risk control that separates roles, responsibilities, authorizations, etc. between separate personnel to separate the necessary steps needed to be taken to commit fraud in areas most susceptible to fraud. This method of control essentially takes key steps in processes, especially where money “changes hands,” and splits them up among different personnel to mitigate the risk of one person having access and authorization to all the steps necessary to commit and hide fraud.
In IT, two examples of roles that should be segregated would be software development and implementation, and database administration and logging access. If software developers were able to put their own code directly into development, they could cause damage to the production environment or create ways to bypass controls and allow fraud to happen intentionally or inadvertently. Giving a database administrator access and authorization to logs for the database can give the DBAs the ability to conduct unauthorized activity within a database and then remove or alter the logs to hide their activity after doing so. Both of these scenarios are sources of risk for a business and should be prevented by SOD controls.
Brou Marie Joelle Alexandra Adje says
Right Sean, I want to add that segregation of duties is crucial to any organization and can help companies avoid the possibility of disastrous outcomes. I mean, imagine what would happen if the keys, lock and code for a nuclear weapons system were all in the hands of one person? Scary, right? The same applies to a software engineer who has the authority to move code into production without oversight, or access rights’ authentication. The idea is that companies shouldn’t give too much power to their employees.
Joshua Tarlow says
Definitely agree with your examples, especially the software engineer. The engineer may have good intentions, but could still cause damage and other issues. As mentioned above, they may not understand how the software may impact controls that are outside of their purview. Or the software may simply contain errors, which can cause a myriad of issues to any organization. Having a review process for new software and code from a separate party is vital for quality control.
Wenlin Zhou says
I agree with you. Software developers should never have access to production systems. Production systems should not have compilers installed. A configuration management board or equivalent should be involved in the decision to place code that has been developed into a production environment. No code should ever be installed in a production environment that has not been approved. As a general principle, development and production should always be separate with no crossover (at a minimum, the root/administrator password on development systems should not work on production systems).
Deepali Kochhar says
I agree with you Joshua. I think more than giving power to the employees it is about managing the services well. It is about assignment of the right duties to the right person in a way that matches the capabilities of the employees. Also it creates multiple levels of data review, which helps in reducing errors.
For example, in the case of database management, one person will perform ETL, another will be responsible for managing admin rights (user roles that will access different databases), another will monitor database performance to track time-consuming SQLs, and lastly a person will perform database backup and refresh across multiple database servers. This will help in managing all the processes of database services.
Sean Patrick Walsh says
2. Security in an ERP system (e.g. SAP) is complex. What is the most fuzzy, difficult to understand component? Explain
I think the most fuzzy area within the security aspect of an ERP system is access and authorization controls. Since there are so many different t-codes in an ERP system, and so many different steps in a process, the many different accesses and authorizations necessary to conduct a job role can easily become confusing; especially with a large and complex business. When assigning and segregating all the different steps, roles, accesses, and authorizations in a process for a company, an individual could inadvertently be given enough access and authorization to find a way to commit fraud in a business. The confusion of all of this could easily “fly under the radar” of those assigned to monitor the checks and balances due simply to the complexity of the many different accesses, authorizations, and roles.
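The two answers above (a developer who can also deploy, a DBA who can also edit the audit log, and the observation that a user can end up with a fraud-enabling combination of authorizations without anyone noticing) are what an SoD rule set is meant to catch. The following is an added example, not code from the thread, from SAP or from any GRC product: the rule set, roles, functions and user assignments are all constructed for the example. Real SAP rule sets key on transaction codes and authorization objects rather than the plain function names used here, but the logic is the same: flag anyone who holds both halves of a conflicting pair, whether through one role or through a combination of roles, and compute which role pairs can never be co-assigned so a request can be blocked before it is granted.

```python
# Added example: a segregation-of-duties checker over role assignments.
# Everything below (rules, roles, users) is constructed for illustration;
# none of it is a real SAP transaction code, authorization or role.
from itertools import combinations

# Hypothetical rule set: function pairs no single person should hold.
SOD_RULES = {
    ("develop_code", "deploy_to_production"): "can ship unreviewed code",
    ("db_admin", "manage_db_audit_log"): "can alter data and erase the trail",
    ("create_vendor", "approve_payment"): "can pay a vendor they invented",
    ("create_sales_order", "post_customer_receipt"): "can skim the difference",
}

# Hypothetical roles, each granting a set of functions.
ROLES = {
    "APP_DEV": {"develop_code"},
    "RELEASE_MGR": {"deploy_to_production"},
    "DBA": {"db_admin"},
    "SEC_LOGGING": {"manage_db_audit_log"},
    "DBA_LEGACY": {"db_admin", "manage_db_audit_log"},  # toxic on its own
    "AP_CLERK": {"create_vendor"},
    "AP_MANAGER": {"approve_payment"},
    "SALES": {"create_sales_order"},
    "AR_CLERK": {"post_customer_receipt"},
}

# Constructed user-to-role export, the kind of list an access review starts from.
ASSIGNMENTS = {
    "alice": ["APP_DEV", "RELEASE_MGR"],  # conflict via two roles
    "bob": ["DBA"],                       # clean
    "carol": ["DBA_LEGACY"],              # conflict inside a single role
    "dave": ["SALES", "AR_CLERK"],        # conflict via two roles
    "erin": ["AP_CLERK", "SALES"],        # two functions, but not a rule pair
}


def functions_for(role_names):
    """Flatten a user's roles into the set of functions they can perform."""
    funcs = set()
    for name in role_names:
        funcs |= ROLES.get(name, set())
    return funcs


def find_conflicts(assignments):
    """Return {user: [(func_a, func_b, reason), ...]} for users holding both sides of a rule."""
    findings = {}
    for user, role_names in assignments.items():
        funcs = functions_for(role_names)
        hits = [(a, b, why) for (a, b), why in SOD_RULES.items()
                if a in funcs and b in funcs]
        if hits:
            findings[user] = hits
    return findings


def toxic_roles():
    """Roles that violate a rule by themselves; these should not exist at all."""
    return sorted(name for name, funcs in ROLES.items()
                  if any(a in funcs and b in funcs for (a, b) in SOD_RULES))


def toxic_role_pairs():
    """Pairs of (individually clean) roles that violate a rule when co-assigned.
    Use this to reject a role request before it is granted, not only to audit afterwards."""
    bad = set(toxic_roles())
    pairs = set()
    for r1, r2 in combinations(sorted(r for r in ROLES if r not in bad), 2):
        funcs = ROLES[r1] | ROLES[r2]
        if any(a in funcs and b in funcs for (a, b) in SOD_RULES):
            pairs.add((r1, r2))
    return pairs


if __name__ == "__main__":
    for user, hits in find_conflicts(ASSIGNMENTS).items():
        for a, b, why in hits:
            print(f"{user}: {a} + {b} ({why})")
    print("toxic roles:", toxic_roles())
    print("toxic role pairs:", sorted(toxic_role_pairs()))
```

The point of `toxic_role_pairs` is the preventive side of the control: the detective check (`find_conflicts`) only finds the conflict after someone already had the combination, which is exactly the window the comment above worries about.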
Brou Marie Joelle Alexandra Adje says
I agree with you Sean. SAP has 16000+ transaction codes and is complex. The menu hierarchy itself is lengthy and can be confusing to navigate.
Magaly Perez says
Hey Sean,
I agree with your fuzzy part of ERP and its complexity. Today while working on assignment 3, my partner and I ran into a new control error, in fact the one that the Professor announced to the class, that completely threw us off. At first, we thought we did something wrong since SAP is so complex, and we couldn’t figure it out whatsoever, so we reached out to the Professor. I think the ERP system is great; however, due to its large scale of capabilities and efficiency it creates realms that become more confusing than others. Great post!
Joshua Tarlow says
You raise a good point about the large amount of controls and codes in SAP. I would imagine that it would be very easy for a code to be entered incorrectly, maybe only one digit different, which could then allow an employee to access data or processes that are restricted. No one is immune to human error and this would be an error that anyone could be susceptible to.
Magaly Perez says
Josh, good point. I didn’t even think about the mistakes that could arise from the endless amount of codes in SAP. I agree with you that it most certainly can cause havoc due to how easy it is to incorrectly enter a code. I know that I most certainly have entered codes in wrong multiple times in SAP. But good point and yes, human error is definitely universal on SAP.
Said Ouedraogo says
Sean,
Very very true! However, I think in SAP there is a way to trace and find who made a specific transaction. I am not sure how, but I remember that in one of my internships my boss was able to find the author of a transaction. At first, he thought it was me. As I told him that I had never made the transaction, he went to the system and was able to come up with the username of the person who made the transaction.
Brou Marie Joelle Alexandra Adje says
There is definitely a way to trace user activity in SAP. I believe this can be done using transaction ST03N, but I’m not sure.
Brou Marie Joelle Alexandra Adje says
1.What is segregation of duties and why is it a commonly used control? Give an example of two (e.g. IT) roles that should be segregated?
Segregation of duties is an internal control designed to prevent error and fraud by ensuring that at least two individuals are responsible for the separate parts of any task.
It involves breaking down tasks that might reasonably be completed by a single individual into multiple tasks so that no one person is solely in control. Segregation of duties improves security.
For instance, payroll management is an administrative area in which both fraud and error are risks. A good way to segregate duties for payroll is to have one employee responsible for the accounting portion of the job and someone else responsible for signing the checks.
Another example is that a department in a company that provides its own IT support should not do its own security, programming and other critical IT duties, because it would increase the risk associated with errors and sabotage.
Magaly Perez says
What is segregation of duties and why is it a commonly used control? Give an example of two (e.g. IT) roles that should be segregated?
Segregation of duties is a commonly used control because it helps manage conflict of interest. It restricts the amount of power held by any one individual. This segregation creates a barrier that helps prevent fraud that could be committed by an individual.
Two examples of IT roles that should be segregated are:
1. Software developers shouldn’t have access to production systems; no code should ever be installed or entered into a production environment that has not been approved. Generally, development and production should always be separated.
2. Network and security administrators should not report to managers who are directly responsible for the daily management of the servers. Not allowing that ensures that their ability to maintain security controls is not influenced by those who are part of the process that is controlled.
Brou Marie Joelle Alexandra Adje says
Definitely Laly, segregation of duties limits the amount of power given to one person within an organization. When done properly it ensures that individuals don’t have conflicting responsibilities or are responsible for reporting on themselves or their superior. But, in your opinion, how does a company decide which duties should be segregated?
Magaly Perez says
Hey Alex,
Great question. I would say that it’s difficult at times to figure out which roles to limit; however, small businesses more often require their employees to wear many hats, which makes it hard to segregate duties. Generally, I would make sure that these functions are most definitely separated among employees:
– Inventory, assets, access to cash
– Record keeping and accounting
– Authorization of transactions
– And Reconciliation
Obviously, there are many other ways this could go depending on the business itself. However, I personally think that these duties should always be segregated.
Brou Marie Joelle Alexandra Adje says
Good point Laly. These are really key business functions that should be segregated.
A good way to actually “test” segregation of duties is to question some key points. First, ask if any one person can alter or destroy the company’s financial data without being detected. Second, ask if there is any one person who can steal or alter sensitive information. Lastly, ask if any one person has influence over control design, implementation and reporting of the effectiveness of the controls. If the answer to any of these questions is YES, then you need to take a hard look at the separation of duties.
Magaly Perez says
Alex, if only it were that easy. However, I think a good start to test SoD is to review the following:
– security/ IT policy and procedures
– security access
– organizational chart of duties and descriptions
– interview the key roles and players within the scope you are testing
– observe daily operations and the list can go on, depending on the organization and the scope.
Wenlin Zhou says
I agree with you. Even if you are a small business, we can help you protect your business with effective segregation of duties. To help ensure segregation of duties, we will thoroughly document your business process, match the process with the job description and ensure that software settings only allow employees to complete the tasks necessary to perform their jobs. We can test a wide variety of internal controls including things like: Control activities; Separate authorization, recordkeeping and custody of related assets; Online banking.
Deepali Kochhar says
This is a good point Magaly. It is important to define the duties before implementation. But it is equally important to manage the errors during the implementation. The organisation chart, if maintained, can help in identifying the errors that occurred during the implementation, which can then be tracked and appropriate changes can be made.
Apart from that, the most important point is to manage defining duties and roles within the system with minimum human errors, one of which can be the assignment of multiple roles to the users. It is important to maintain a sync between all the multiple duties and roles.
Brou Marie Joelle Alexandra Adje says
4. All companies are dynamic entities with employees and others using systems coming and going all the time. What best practices have you experienced or would you recommend for managing system users and their related security access?
User passwords are a good practice; although they can be cumbersome, I can’t think of any better way for a user to secure their information. In fact, a good password scheme/policy is one of the basic security measures to prevent unauthorized access. By a good password scheme I mean one that would touch all the following aspects:
Password Aging-setting password aging policy enforce the user to change his/her password periodically.
Minimum Length: Enforce a minimum length of password to at least 6 characters for example.
Non-dictionary words: If the operating system supports this feature, users won’t be allowed to select as a password any word from a standard dictionary.
Password Uniqueness: the password uniqueness setting would force users to create new password, every time, preventing them from using password previously used in the past.
Another good practice would be to document any change in the system configuration either hardware or software. This is very helpful in situations like disaster recovery, detection for an intruder, trouble-shooting etc. If a company has several System Administrators, it is more important to have everything documented and also maintain additional copy of the documentation on different machine or as a hard copy in case something happens.
Sean Patrick Walsh says
I agree with your recommendations for password requirements. I would also add criteria preventing the user from reusing previous passwords when creating a new password. Preventing users from using old passwords mitigates the risk associated with a password that has been cracked and the attacker is just waiting for the user to change the password back to the cracked one. I’d suggest a minimum number of old passwords of at least 6 to prevent the user from reusing a password from the past 18 months in an environment that requires password changes every 90 days.
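The policy sketched in the two comments above (minimum length, no dictionary words, no reuse of a remembered set of old passwords, forced change after a fixed age) is easy to state and easy to get subtly wrong, so here it is as an added example, written for this page rather than taken from any product or from the commenters. The numbers (6 characters, 6 remembered passwords, 90 days) are the ones the thread proposes and are plain parameters; the word list is constructed. History entries hold a salted PBKDF2 hash, never the old password itself, so a "uniqueness" check cannot become a list of cleartext passwords for an attacker to read.

```python
# Added example: a password policy checker implementing length, dictionary,
# history ("uniqueness") and aging rules. Parameters and word list are
# constructed for the example and are not recommendations.
import hashlib
import os
from datetime import datetime, timedelta

PBKDF2_ITERATIONS = 50_000  # deliberately low to keep the example fast; raise in production


def _digest(password, salt):
    """Salted PBKDF2-HMAC-SHA256 of the password; used so history never stores cleartext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class PasswordPolicy:
    def __init__(self, min_length=6, history_depth=6, max_age_days=90, dictionary=()):
        self.min_length = min_length
        self.history_depth = history_depth
        self.max_age = timedelta(days=max_age_days)
        self.dictionary = {w.lower() for w in dictionary}

    def violations(self, candidate, history):
        """Return the rules a candidate password breaks (empty list = acceptable).
        `history` is a list of (salt, digest) tuples, oldest first."""
        problems = []
        if len(candidate) < self.min_length:
            problems.append("min_length")
        # Catch the common dodge of a dictionary word with digits/symbols tacked on.
        base = candidate.lower().rstrip("0123456789!@#$%^&*")
        if candidate.lower() in self.dictionary or base in self.dictionary:
            problems.append("dictionary_word")
        if any(_digest(candidate, salt) == digest for salt, digest in history):
            problems.append("reused")
        return problems

    def record(self, password, history):
        """Return the history with this password appended, trimmed to history_depth."""
        salt = os.urandom(16)
        return (history + [(salt, _digest(password, salt))])[-self.history_depth:]

    def expired(self, last_changed, now=None):
        """Password aging: True once the password is older than max_age_days."""
        now = now or datetime.now()
        return now - last_changed > self.max_age


if __name__ == "__main__":
    policy = PasswordPolicy(dictionary={"password", "welcome", "summer"})
    history = policy.record("c0rrect-h0rse-battery", [])
    for pw in ["abc", "Summer2023!", "c0rrect-h0rse-battery", "a-fresh-passphrase"]:
        print(pw, "->", policy.violations(pw, history) or "ok")
```

A reuse check built on keeping old passwords in cleartext would be worse than no check at all; hashing each history entry with its own salt is what makes the `reused` test safe to keep around, at the cost of one hash computation per remembered entry.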
Magaly Perez says
Great recommendations with the password requirements Alex. Sean you raise a great point with the reuse of previous passwords. I know we all revert back to reusing passwords because it is easier to remember and agree that it would mitigate risk if a control was implemented that prevented users from doing so. Great suggestion.
Binu Anna Eapen says
1. What is segregation of duties and why is it a commonly used control? Give an example of two (e.g. IT) roles that should be segregated?
Ans: Segregation of duties means dividing the tasks so that different people are handling different tasks. No person should have more than one duty or authority in the business. This control is vital to reduce or eliminate fraud. The below processes need to be divided and performed by different people to avoid fraudulent activities:
1. Custody of assets
2. Authorization
3. Recording
4. Verification
5. Managerial Review
According to the principle of segregation of duties, the person who has the custody should not be the one authorizing the transaction or recording it. No person should have more than one responsibility.
Segregation of duties uses:
1. It reduces the risk of errors as it ensures cross check of responsibilities
2. it ensures accuracy of data, completeness and security of resources.
3. Manages conflict of interest
In smaller organizations it may not be possible to have segregation of duties, as the number of people in the organization would be less and division may not be feasible. In such cases mitigating controls (compensating controls) should be in place.
Example of segregation of duties in IT:
1. Software Developers: A software developer should not have access to production systems. And a production system should not have rights to compile. In most organizations there will be an Application Development team, a Production team and a separate support team. This way, if any change has to be made, all three teams need to be informed and decisions are made with many people involved, reducing the risk of people changing or modifying the application.
2. AD Admin: In an organization, various teams can have rights to reset a password, like the call center, local technical support etc., but the right to disable an account should not be given to them. In my previous company, to disable an account or re-enable an account would require the approval of the manager and HR. And even then a call center person wouldn’t be able to disable/enable the account; the local tech support could, with the approval. A local technician couldn’t create a new user. That was done by the recruiting HR team. Even the AD team couldn’t create a new user without the user details being input in SAP records.
Yulun Song says
That is true Binu. A software developer should not have access to the production system because he may have programming code to change any sensitive data in the production system. This is a really good example of segregation of duties.
Victoria A. Johnson says
What is segregation of duties and why is it a commonly used control? Give an example of two (e.g. IT) roles that should be segregated?
Segregation of duties means that no one person should be responsible for doing everything. It is a commonly used control because it prevents errors or fraud from occurring.
Two roles that should be segregated are investments and treasury. Members of senior management should only be able to authorize the opening of new bank accounts. Treasury activities like opening bank accounts and authorizing signatories should not be performed by employees involved in daily cash activities. Employees entering investment activity into the GL shouldn’t be the same person that opened and authorized the transactions. Investments are to be maintained by someone who is not involved in the daily investment process. That process could be best suited for senior members because they are not directly involved in daily processing.
Said Ouedraogo says
What is segregation of duties and why is it a commonly used control? Give an example of two (e.g. IT) roles that should be segregated?
Segregation of duties separates tasks that could be used together to produce an undesirable result, like fraud. The goal is to prevent one person from having sole control of a task or process.
It is a commonly used control because it lowers the risk of fraud/errors, and sometimes prevents fraud/errors from occurring.
Two IT roles that should be segregated are the Application development team (programmers) and the Maintenance team. There is a high risk of errors/fraud if the programmers are also the ones responsible for maintaining the application. By implementing SoD, programmers would be responsible for developing the app and the maintenance team would be responsible for maintaining it and detecting errors that the app may contain.
Yulun Song says
Great example Said. The Application development team has the programming code to change any sensitive data, and maintenance team should not know programming of the application. It prevents lots of frauds within an organization.
Yu Ming Keung says
What is segregation of duties and why is it a commonly used control? Give an example of two (e.g. IT) roles that should be segregated?
According to ISACA, segregation of duties is the implementation of a division of roles and responsibilities that reduces the possibility for a single individual to compromise a critical process. Make sure that personnel are performing only authorized duties relevant to their respective jobs and positions. It is a strong internal control used to mitigate the risk to defer and prevent one personnel from having all access to all steps to commit fraud.
Below are two IT functions that should be segregated from rest of the IT functions
Information Security vs. Rest of IT Function
The person(s) responsible for information security is in a critical position and has the “keys to the kingdom”; thus, it should be segregated from the rest of the IT function. It is because this person is responsible for most of the settings, configuration, management and monitoring for security. Login credentials may also be assigned by this person, or they may be handled by human resources or an automated system. Therefore, this person has sufficient knowledge to do significant harm should he/she become so inclined. This risk is especially high for sabotage efforts.
Appdev vs. DBA and IT Operations
The development and maintenance of applications should be segregated from the operations of those applications and systems and the DBA. That is, those responsible for duties such as data entry, support, managing the IT infrastructure and other computer operations should be segregated from those developing, writing and maintaining the programs.
Source: ISACA
http://www.isaca.org/Journal/archives/2012/Volume-6/Pages/What-Every-IT-Auditor-Should-Know-About-Proper-Segregation-of-Incompatible-IT-Activities.aspx
Joshua Tarlow says
Information security is definitely an area that requires strong segregation of duties. Not only does the employee have this type of access, but they also understand the system vulnerabilities and security controls. It could be very easy for an employee to commit fraud and then conceal their actions. This is especially important for a terminated or disgruntled employee.
Yulun Song says
I like your first example of segregation of duties. Information security is one of the most important positions because it has the responsibility for most settings, configuration, management and monitoring for security. However, for other IT functions, like programmers and database administrators, they should have their duties segregated from others because each of them is in a key position of a company.
However, what if this company is a small sized company? Should we still segregate those duties very detailed?
Paul Linkchorst says
1. What is segregation of duties and why is it a commonly used control? Give an example of two (e.g. IT) roles that should be segregated?
Segregation of duties is, as the name suggests, when roles and responsibilities are separated among different personnel. The purpose of this is to act as a control, which it does in two major ways: preventing fraud and reducing error. As we learned from earlier classes and in other courses, separating duties reduces the likelihood of individuals committing fraud since, to commit it, one must collude with other members of a process. Without segregation of duties, one can commit fraud due to no other oversight or anyone reviewing their work.
Another by-product that many don’t bring up is that by segregating duties you create responsibilities among different personnel, which creates an environment where errors are reduced. For example, in the procure to pay process we talked about three-way matching, which matches the purchase order with the order receipt and the vendor invoice. Now in a segregated environment, all three documents will be handled by different departments. However, in a non-segregated environment this might be done by the same person or small group. Looking away from fraud, I bet the actual performance of this 3-way control is little to non-existent within the non-segregated environment. The reason I say this is because individuals are more likely to trust their own work instead of the work of others. Therefore, segregation of duties has an impact on the accuracy of processes and holding others accountable.
Two roles that should be segregated which come to mind are sales and accounts receivable in the Order to Cash process. These duties are separated since you don’t want the individual creating a sales order to be able to receive the cash as well. If that was the case, I could create a sales order for a $400 sale but send an invoice to the customer for $500. When the money came in, I would record it as a sale of $400 and pocket the $100 without anyone knowing. In my Real-World Control Failure project, the company I researched had fraud due to a lack of segregation of duties between sales and accounts receivable. Essentially, the head of sales received all the information and payment from a sale then transferred it to the accounting department. Therefore, he was able to commit fraud up until he left the company.
Yu Ming Keung says
Hi Paul,
You have a very thoughtful response to the question, and I definitely agree with you. And I like how you compare segregation of duties to the 3-way match control in the procure to pay process. It is questionable and debatable whether the three documents should be handled by one person or by three different departments. Having segregation of duties lets each department check on the others’ work because they don’t trust the others. I agree with you that in reality they will be done within a non-segregated environment due to limited time and resources.
Paul Linkchorst says
2. Security in an ERP system (e.g. SAP) is complex. What is the most fuzzy, difficult to understand component? Explain
In my opinion, I think security in an ERP system like SAP is complex mostly because the program itself is complex. For most applications, if you want to only allow certain users to be able to access the application, then you require a username and password to access it. However, in SAP, it is essentially an application with a whole bunch of applications within itself that need to be properly separated among the entire user base. Separating these duties within SAP requires a certain understanding of the application since it requires knowing the role codes and transaction codes along with who should have access to what. However, I suppose what is fuzzy for myself and still have questions remaining on is how is SAP controlled in terms of monitoring as well as making sure the SAP system is configured properly and up to date. Is monitoring a function within the SAP system and if so, is it monitored by some central personnel or is it separated like the functions within SAP? I think I understand how identity and access management works within SAP, however, I think the other areas of security such as monitoring, encryption, data storage, etc is where I seem to be fuzzy on.
Sean Patrick Walsh says
Your response made me consider something else as you reminded me that SAP, as an ERP system, is essentially a centralized application that does the work of what was done by many different apps previously. This adds complexity because SAP/ERP handles many different business processes that are carried out in many different business functional areas. This complexity, although simplified from many apps down to just a single app, can become more complex since the access to the SAP system is managed from proper access granting policy and procedures within a business. If the right policies and procedures are not in place, or do not consult the correct personnel for approval, incorrect access and authorizations could be granted to personnel who should not have them which creates the perfect scenario for unscrupulous personnel to take advantage of through fraud.
Paul Linkchorst says
Hi Sean,
Agreed. It doesn’t make a difference if it is 20 separate applications or 1 application that does it all, you need to manage access properly based on what the application does and its respective users. Just need to keep a closer eye and have a deeper knowledge to manage the access in SAP.
Paul Linkchorst says
3. What key (1-2) competencies does the person responsible in a company for security (e.g. for a given process) need to have to be successful? Why?
I think two key competencies that a security professional within a company should have are the ability to identify and balance priorities as well as being a good decision maker. In today’s environment, it seems that security breaches can come from every direction; however, some threats are more threatening than others. Likewise, some security vulnerabilities can be fixed easily while others might require a lot of time and resources. One can’t always just fix the “low hanging fruit”, but you also can’t ignore huge projects that can fix a vulnerability. Therefore, it is important for a security professional to properly identify and prioritize the right security measures and make correct decisions about how they should address that issue. This can also include the ability to shift priorities when new security vulnerabilities arise and require immediate action. By not correctly balancing priorities one can leave security gaps within a business environment, which can result in security breaches or fraud.
Ming Hu says
Nice post Paul, I like what you mentioned about “prioritization”. We already know how challenging the cyber security issues we’re facing are, and there’s no absolutely secure environment. So it is important for security officers to analyze potential threats and prioritize the right security measures at the right time based on current resources to gain the maximum return on investment.
Paul Linkchorst says
4. All companies are dynamic entities with employees and others using systems coming and going all the time. What best practices have you experienced or would you recommend for managing system users and their related security access?
Aside from the standard authentication processes that control who has access to a system, one of the best practices that I have seen during my IT audit internship was that of monthly or quarterly user access reviews performed by management. The company I audited had a high turnover rate and was also part of a more regulated market. To make sure that no one’s access was overlooked, it was the department head’s responsibility to review all the users who had access under their supervision. The Director of IT would send a list of users who still had access to the system to the department head. The department head would review the list, mark down any users who needed access removed, sign off on the review, and send it back to the Director of IT, who would review whether any changes were necessary. The purpose of this exercise is to be a supplementary control for the deprovisioning process. If for some reason a user’s access was not removed when they were terminated, this process would identify that user and remove them properly. Due to the nature of this organization, this control was performed monthly. However, an organization can perform this bi-weekly, quarterly, or semi-annually depending on the number of users within a system and the risk the organization is willing to accept.
Abhay V Kshirsagar says
Good example, Paul.
In my company we had the problem of old-user accounts or as we used to call them as “orphaned” accounts, which had the ability to leave the entire enterprise security vulnerable. For instance, former employees could provide their old log-in information to a third-party, which could use these orphaned accounts to steal company data.
We used DSRAZOR for Windows to check if there were accounts of past employees that should have been disabled, if orphaned accounts still had privileged access to file systems and if user accounts with no expiration dates existed.
Joshua Tarlow says
Makes me remember when I had trouble setting up my voicemail during the second internship at the same company. After some investigation the IT help desk discovered that my account from the previous summer had not been terminated. In addition, the voicemail that I had been using was actually assigned to a previous female employee. I was told this type of issue wasn’t uncommon, although I had just assumed they deleted my accounts when I had left.
Paul Linkchorst says
Hi Abhay and Joshua,
That is a pretty significant security vulnerability. You can have an in-depth security policy, but if someone has legitimate access that isn’t removed, then those security policies might be meaningless. I think one of the reasons why maybe my example isn’t executed often is because it requires several department personnel to make it effective. Generally, when an employee is terminated, HR should send a ticket to IT for that individual’s access to be removed. Likewise, if a monthly user access review is performed, it requires time out of each department’s day to review who is on that list and who isn’t. Depending on the nature of the environment, some might see this as unnecessary, especially from the business end.
In your experiences Abhay and Joshua, what do you think the reason was for them not removing these users in a timely manner?
Abhay V Kshirsagar says
Paul,
Two reasons that struck me are, first, the organization is either underestimating or is unaware of the risk such accounts can carry, and they haven’t realized how these accounts are exposing their enterprise to various forms of attacks. Second, organizations probably have policies in place for old user accounts, but they haven’t followed the policy as they should.
Paul Linkchorst says
Abhay,
It is unfortunate that is the case. Hopefully they will soon see the risk they are bringing upon themselves by not properly removing this access.
Mansi Paun says
Hi Paul,
Your post made me recall a project that I worked on where a similar process was followed for deprovisioning – the Staffing Manager would share an updated list of employees supporting the project which was verified by the line managers. In case any employee had moved to a different role or out of the organization, the line manager was required to inform the PMO, Staffing Manager and the User Admin team, post which user access would be revoked as per process. While this worked most of the time, there were times when there would be misses due to human error in case the PMO or line manager was out of office or had other pressing issues to attend to. The best way to avoid de-provisioning related issues would be to have the access linked to the employee ID and have an automated process that checks the employee status and role within the organization and verifies it against the access that the employee can have.
Such a process was in place for a Biotechnology client which had all access tied to an employee’s employee number, his/her training records and specific role within a specific team. So if you were a Windows admin, you would be granted access to the Windows servers only post successful completion of the trainings and tests for specific Windows servers. If you were to move to another team and another role, you would not be granted new system access till the management had verified whether your current access was to be revoked or kept. Although this kind of system access would have cost a lot for set-up and maintenance, it was practically fool-proof.
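The monthly access review Paul describes and the automated employee-status check Mansi describes boil down to the same reconciliation: compare the system's account list with the HR roster and flag what deprovisioning missed. The script below is an added example written for this thread, not code from any of the commenters or their employers; the HR fields, role entitlement mapping and account data are all constructed.

```python
"""Constructed example: reconcile a system's user list against the HR roster,
the automated version of the monthly access review and employee-status check
described in the thread. All sample data is made up."""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Employee:
    employee_id: str
    status: str                      # "active" or "terminated"
    job_role: str                    # role HR has on record
    termination_date: Optional[date] = None


@dataclass(frozen=True)
class Account:
    username: str
    employee_id: Optional[str]       # None: account not linked to any employee ID
    roles: FrozenSet[str]            # roles granted in the system
    expires: Optional[date] = None   # None: no expiration date set
    privileged: bool = False


# Which system roles each HR job role is entitled to (constructed mapping,
# the "access tied to role" idea from the thread).
ENTITLEMENTS = {
    "accountant": {"gl_posting", "mail_user"},
    "windows_admin": {"win_server_admin", "mail_user"},
    "intern": {"mail_user"},
}

Finding = Tuple[str, str]   # (username, description of the problem)


def review_access(employees: List[Employee], accounts: List[Account], today: date) -> List[Finding]:
    """Flag accounts the deprovisioning process should have removed or trimmed."""
    by_id = {e.employee_id: e for e in employees}
    findings: List[Finding] = []
    for acct in accounts:
        emp = by_id.get(acct.employee_id) if acct.employee_id else None
        if emp is None:
            # Orphaned: nobody in HR owns this account, so nobody will ever request its removal.
            findings.append((acct.username, "orphaned: no matching HR record"))
            continue
        if emp.status == "terminated":
            age = f" ({(today - emp.termination_date).days} days)" if emp.termination_date else ""
            findings.append((acct.username, "terminated employee still has access" + age))
            continue
        # Active employee: compare granted roles with what the HR job role entitles them to.
        excess = acct.roles - ENTITLEMENTS.get(emp.job_role, set())
        if excess:
            findings.append((acct.username, f"roles beyond {emp.job_role} entitlement: {sorted(excess)}"))
        if acct.privileged and acct.expires is None:
            findings.append((acct.username, "privileged account with no expiration date"))
        elif acct.expires is not None and acct.expires < today:
            findings.append((acct.username, "past expiration date but still enabled"))
    return findings


# Constructed sample data for one review run.
EMPLOYEES = [
    Employee("E100", "active", "accountant"),
    Employee("E200", "terminated", "intern", termination_date=date(2016, 6, 30)),
    Employee("E300", "active", "windows_admin"),
    Employee("E400", "active", "intern"),
]
ACCOUNTS = [
    Account("jdoe", "E100", frozenset({"gl_posting", "mail_user"})),
    Account("intern_summer", "E200", frozenset({"mail_user"})),
    Account("old_vendor", None, frozenset({"file_share_admin"}), privileged=True),
    Account("svc_contractor", "E999", frozenset({"win_server_admin"}), privileged=True),
    Account("wadmin", "E300", frozenset({"win_server_admin", "mail_user", "gl_posting"}), privileged=True),
    Account("intern_fall", "E400", frozenset({"mail_user"}), expires=date(2016, 8, 15)),
]
REVIEW_DATE = date(2016, 9, 1)

if __name__ == "__main__":
    # This is the list the Director of IT would hand to each department head for sign-off.
    for user, why in review_access(EMPLOYEES, ACCOUNTS, REVIEW_DATE):
        print(f"{user:15} {why}")
```

The output is the review list itself; the accounts it flags are exactly the orphaned, post-termination and over-entitled cases the thread discusses.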
Paul Linkchorst says
Mansi,
I have not had too many experiences where the deprovisioning process was automated but it does seem like it would be a good way to decrease the number of accounts that were not removed. While it might be practically fool-proof, you might still want to perform some type of user access review to make sure that the system is working appropriately and that there are no outliers. Since the process is automated, the risk is much lower and therefore the performance of the control could switch from monthly/quarterly to quarterly/semi-annually. From a control testing standpoint, the control will likely need to be tested less and require a smaller sample to test the effectiveness of the deprovisioning process and the control.
Abhay V Kshirsagar says
What is segregation of duties and why is it a commonly used control? Give an example of two (e.g. IT) roles that should be segregated?
Segregation of Duties or SoD is a key concept of internal controls. It ensures that the right people have the right access, but not enough access to bypass any other controls.
Most of the large regulatory rules like SOX, J-SOX, BASEL, etc. all deal with this issue of segregation of duties.
In the context of IT, the employee who is responsible for designing a piece of software and implementing security on that same software cannot also be performing the security testing of that particular software or performing security audits, monitoring and reporting.
The personnel who is responsible for information security or performing a security audit should also not report directly to the CIO of the organization.
Another role is that of Database Administrators. This is a tricky position to control. Ideally, DBAs should only have authority related to DBA work; they should never have root privileges. Furthermore, the elevated privileges should always be logged and reviewed daily by an independent party.
Abhay V Kshirsagar says
Security in an ERP system (e.g. SAP) is complex. What is the most fuzzy, difficult to understand component? Explain
Any ERP exists to solve complex business issues and to serve various types of users. An ERP system like SAP supports a wide variety of business processes. It has significant data volumes, where database size can go up to terabytes. This stored data is classified across thousands of database tables. SAP has also given its customers the liberty to customize the software according to their business needs. All of this makes an ERP complex, which makes it difficult for security personnel to protect the CIA of information in the software.
It took me a lot of time to understand the lock concept in SAP. I think the reason is the number of components that go into that concept. The lock concept comprises certain components like authorization objects. In an authorization object you can have one or more “cylinders,” which are authorization checks, and within those checks there are various individual authorization fields. Authorization values are assigned to the user for them to log on using the key.
In the case of General Ledger, the authorization for the ledger is the authorization object. Activity, Company Code, Record Type, etc. are authorization fields. Any transaction or program that runs will have authorization objects in it, and based upon the field values you have defined, the user will be matched against them. If the user logs on and doesn’t have the object on the key ring, the user will be unable to log in. If the user has the object, it will match the object on the key with the fields of the authorization object.
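A small model of the lock-and-key concept described above, added here as an example and not SAP's own code or anyone's in the thread. The object and field names S_TCODE, F_BKPF_BUK, ACTVT and BUKRS follow SAP naming as an assumption of the example; the point it demonstrates is that a check passes only when one single authorization on the user's ring satisfies every field at once, so values from two different authorizations are never combined.

```python
"""Constructed model of the SAP lock-and-key authorization concept (authorization
objects, fields and values). Not SAP's code; object and field names follow SAP
naming as an assumption of this example."""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

# Authorization objects are the "locks": each names the fields a check compares.
OBJECTS: Dict[str, Tuple[str, ...]] = {
    "S_TCODE": ("TCD",),               # may the user start this transaction code?
    "F_BKPF_BUK": ("ACTVT", "BUKRS"),  # accounting document: activity, company code
}


@dataclass(frozen=True)
class Authorization:
    """One key on the user's ring: allowed values for every field of one object."""
    obj: str
    values: Dict[str, Tuple[str, ...]]


def value_matches(allowed: Sequence[str], value: str) -> bool:
    """Compare one field value against an authorization's value list.
    Supported forms: exact value, '*' (everything), prefix pattern 'FB*', range 'LOW-HIGH'."""
    for pattern in allowed:
        if pattern == "*" or pattern == value:
            return True
        if pattern.endswith("*") and value.startswith(pattern[:-1]):
            return True
        if "-" in pattern:
            low, high = pattern.split("-", 1)
            if low <= value <= high:      # string comparison: fine for fixed-width codes
                return True
    return False


def authority_check(ring: List[Authorization], obj: str, **fields: str) -> bool:
    """The check a transaction or program runs: it passes only if at least ONE
    authorization for `obj` on the ring satisfies every checked field at once.
    Values from two different authorizations are never combined."""
    if obj not in OBJECTS:
        raise ValueError(f"unknown authorization object {obj}")
    unknown = set(fields) - set(OBJECTS[obj])
    if unknown:
        raise ValueError(f"{obj} has no field(s) {sorted(unknown)}")
    for auth in ring:
        if auth.obj != obj:
            continue                      # not a key for this lock
        if all(value_matches(auth.values.get(f, ()), v) for f, v in fields.items()):
            return True
    return False                          # no matching key: the user is refused


Check = Tuple[str, Dict[str, str]]


def failed_checks(ring: List[Authorization], checks: Sequence[Check]) -> List[str]:
    """Run every check a transaction performs; return the objects that failed (empty = allowed)."""
    return [obj for obj, flds in checks if not authority_check(ring, obj, **flds)]


# Constructed key ring for a G/L accountant: display documents in every company code,
# but create/change them only in company code 1000.
ACCOUNTANT: List[Authorization] = [
    Authorization("S_TCODE", {"TCD": ("FB01", "FB03")}),
    Authorization("F_BKPF_BUK", {"ACTVT": ("03",), "BUKRS": ("*",)}),
    Authorization("F_BKPF_BUK", {"ACTVT": ("01", "02"), "BUKRS": ("1000",)}),
]

# Checks a posting transaction would run (assumed for the example): start FB01, then create in 2000.
POST_IN_2000: List[Check] = [
    ("S_TCODE", {"TCD": "FB01"}),
    ("F_BKPF_BUK", {"ACTVT": "01", "BUKRS": "2000"}),
]

if __name__ == "__main__":
    print("display in 2000:", authority_check(ACCOUNTANT, "F_BKPF_BUK", ACTVT="03", BUKRS="2000"))
    print("failed checks for posting in 2000:", failed_checks(ACCOUNTANT, POST_IN_2000))
```

The accountant can display in company code 2000 and create in 1000, but posting in 2000 fails even though "01" and "*" both appear on the ring, because they sit on different keys.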
Mansi Paun says
Excellently put, Abhay. I agree with you that authorizations in SAP ERP are very complex. Although SAP security can be explained and understood with ease, what is tricky is the configuration of the security controls that are to be put in place. As SAP is extremely customizable, it leaves a lot of room for the business to configure the system in a way that probably might not be the best way for the business. It could happen that a configuration miss is discovered much later in a system that is not configured well. Of course, having experienced SAP consultants on the team should ideally rule out such an issue, but with businesses getting more complex every day, one can’t rule out the probability of misses.
Abhay V Kshirsagar says
What key (1-2) competencies does the person responsible in a company for security (e.g. for a given process) need to have to be successful? Why?
ERP systems are complex. Security professionals should have good communication skills, be observant and get to know the functional users that are involved in the particular business process. They also need to gain an understanding of how that business process works; this will help to identify the relevant parts in the ERP system rather than searching for them manually.
Further, learning about trace functions (tools for monitoring), or “ST12 – tracing function modules” in the case of SAP, is also helpful to understand how the ERP works in depth. In the context of a test system, the different “switches” that are responsible for turning on different levels of tracing should be reviewed.
Binu Anna Eapen says
Nice point Abhay. Of course good communication skills help in communicating the need for security throughout the firm. Along with being observant, a security professional should be analytical. They should always be eager to learn new things and keep themselves updated with the latest technologies and threats/risks in the market to be able to detect risks and develop means to mitigate them.
Abhay V Kshirsagar says
All companies are dynamic entities with employees and others using systems coming and going all the time. What best practices have you experienced or would you recommend for managing system users and their related security access?
Generally, a system manager has two main types of users: employees and vendors (external).
Suppose a vendor requires domain admin rights for service accounts in order to test and deploy products. The additional privileges provided to service accounts can be dangerous if the intention is to escalate rights on the network. The admin user should ensure that the rights given to the domain admin are monitored. These privileges should also have an expiration date, which should be reflected in the contract as well. Once the contract expires or the contract obligations are met, the admin user should ensure that the domain admin rights have been terminated.
In another instance, one of the biggest risks with managing any new system access control is to make sure that default passwords are changed. These default passwords are given by manufacturers and in some organizations are not changed. The risk is that attackers can enter the system by using unchanged default passwords. The User Account Control Policy should define the proper handling of default passwords and make sure that they are changed upon setting up a user account.
Joshua Tarlow says
1. What is segregation of duties and why is it a commonly used control? Give an example of two (e.g. IT) roles that should be segregated?
Segregation of duties is a type of internal control that restricts the amount of control any one person has over a specific operation/function to prevent fraud and errors. It essentially breaks up tasks that can typically be completed by one person into more tasks which are assigned to different people. If more than one person is responsible for a given task and can only complete part of it, it is more difficult to prevent fraud. To commit fraud, all parties would need to be involved, requiring collusion between parties. It also mitigates fraud through an extra layer of scrutiny. Fraud will more likely be noticed with involved parties checking one another’s work. This helps to reduce errors as well. One downside is that it can be costly and time intensive to implement, so it is usually reserved for sensitive functions such as payroll or financial transactions.
One example would be an employee who authorizes financial transactions but is also responsible for reconciliations for his department. If the employee authorizes fraudulent transactions for himself, it may be possible to conceal or obfuscate the transaction through the reconciliation process. Instead of another employee reviewing the transactions and discovering the fraud, the employee would be reviewing themselves.
Another example would be network administration and security/log analysis. If the network administrator were to compromise the security, steal data, or perform any other nefarious activity, log analysis is an effective detection control. However, if this same person performs both functions, they may be able to alter the log to erase any evidence. Separating these duties allows an independent party to perform the log analysis and ensure the integrity of the logs.
Sean Patrick Walsh says
Both of your examples of SOD make me wonder if conducting and hiding fraud is easier in a small business or a large business. A small business might be just a few employees or a lot of employees, but it may more than likely be housed in one single location. One centralized location where all employees conduct all facets of a company could definitely make it much easier for those personnel who have separate duties to collaborate to conduct and hide fraud than in a business that spans many geographic locations with the separation of duties in processes spread over those same locations. Kind of just makes me think that when it comes to conducting and hiding fraud there are pros and cons to small versus large organizations.
Said Ouedraogo says
Sean,
I think the smaller the organization is, the easier it is to commit fraud in that organization. In fact, in small businesses one person can have many roles and responsibilities. The same person who makes financial transactions is the same person that reconciles the accounts. In that case it is easy for that person to commit fraud. Also, in small businesses everyone knows everyone. Even if there is SoD in place, people can collude to commit fraud.
Mansi Paun says
Very well explained, Joshua. I especially liked the example you shared and the downside that you mentioned for SOD. Sean put forth an excellent point about the probability of fraud still being possible in a small company where employees could be co-located, creating an environment and an opportunity which is favorable for committing fraud. In that scenario, there would be more of a supervisory or accountability.
Mansi Paun says
*In that scenario, the controls would be more of a supervisory or accountability nature.
Yu Ming Keung says
Well put Joshua, I have never thought of the downside of segregation of duties. Instead of having one person doing all the things, you have to have two or more people performing different tasks, just for mitigating the risk of fraud or errors. I think that small companies, which don’t have the ability to build a segregated environment, can educate employees about what behaviors are unacceptable and how to report suspicions of fraud. Also, conducting background checks before hiring can mitigate the risk of fraud in small companies.
Said Ouedraogo says
After reading your post, I realized that SoD is only effective at the bottom of the chain. When you think about it, upper management has access to almost all facets of the system. For example, a CFO would have access to all transactions in SAP. He/she can post or change a transaction in the system as he/she wants. What controls are used to prevent fraud in this case?
Seunghyun (Daniel) Min says
Q1. What is segregation of duties and why is it a commonly used control? Give an example of two (e.g. IT) roles that should be segregated?
Segregation of duties (SoD) is an internal control that is created to prevent error or fraud by making sure that one individual does not have full access to every portion of a task. That is, at least two individuals are responsible for the separate parts of any task.
The concept of this control is not only simple but powerful as well. For that reason, many organizations are utilizing SoD to prevent error or fraud in their entities. For example, in an accounting department, one person can be responsible for creating pay stubs for employees; however, another person should be responsible for signing the checks. In that example, the first person is restricted from committing fraud by manipulating the amount of the check since he is not the one signing/approving the check.
Seunghyun (Daniel) Min says
Q2. Security in an ERP system (e.g. SAP) is complex. What is the most fuzzy, difficult to understand component? Explain
Security in an ERP system is very complex because the system per se is complex. Many different parts of the system need to be evaluated and assessed to make sure there are no security issues. To me, the most fuzzy or difficult to understand security issue is access control in an ERP system. I am wondering how an ERP system is designed to decide which level of access privilege to give an individual. For example, a single SAP platform has more than 200,000 tables that interact with each other. Of that extreme number of tables, some might contain significantly confidential and classified information or require higher authorization to enter/amend the data. Thus, in my opinion, it will be tricky to secure that information within such a complex setting in an ERP system.
Paul Linkchorst says
Hi Daniel,
After reading your post, one of the things I realized was that to protect the SAP system, a company must protect the SAP source code. Since there are about 200,000 tables and the application is so big, it could be easy for a change to go unnoticed if access to the code was available and changes weren’t monitored. However, after doing some research I found that SAP does not reveal the source code for their products. From a buyer standpoint, this is a huge plus since it is one less aspect that the buyer must worry about controlling within their business environment. With that being said, if SAP were to ever release their source code, then that could potentially become a security vulnerability in itself.
Sources:
http://venturebeat.com/2014/07/30/sorry-russia-apple-and-sap-arent-revealing-their-source-code/
http://www.theregister.co.uk/2014/07/31/russia_to_sap_apple_hand_over_source_code_to_prove_youre_not_spies/
Seunghyun (Daniel) Min says
Q3. What key (1-2) competencies does the person responsible in a company for security (e.g. for a given process) need to have to be successful? Why?
1. Curiosity: I believe curiosity is the number one competency for the person responsible in a company for security. That is, the ability to pick up/capture any suspicious or abnormal activities.
2. Data Analytics: Besides curiosity, the person should carry well-developed data analytic skills. Most of the time, security personnel will be required to use a data analytic tool to populate what is going on within an organization. If the personnel have strong data analytic skills, any possible security incident will be caught ahead of time.
Wenlin Zhou says
I agree with you. Data analytics is a useful way to protect company security. Big data analytics tools have the ability to accurately discover devices on a network. In some cases, a configuration management database can supplement and improve the quality of automatically collected data. Integration with third-party security tools as well as integration with LDAP or Active Directory servers are other must-have features of big data analytics. Support for incident response workflows varies among SIEM tools, but it is essential when working with big data volumes of logs and other sources of security event data.
Wen Ting Lu says
You are right that big data has become very powerful. Big data security analysis tools usually span two functional categories: SIEM, and performance and availability monitoring (PAM). Analysts have a strong ability to focus on what’s important, and this is an important skill desired in any employee or team member. A person with well-developed data analytical skills should be able to pick out what is obviously true or obviously false almost instantly when presented with information.
Wenlin Zhou says
Security in an ERP system (e.g. SAP) is complex. What is the most fuzzy, difficult to understand component? Explain
Outdated, unsupported software can lead to crashes and integration issues. The risk that companies often seem to ignore is that of running outdated, unsupported software systems. Why does this matter? Because older software versions will not be compatible with and won’t integrate with newer products. Even servers and browsers can be adversely affected. And if the software is no longer supported, where will you go for help when (not if) your system crashes? Staying up to date means upgrading to the newest versions of the software you currently use, or moving to a new software system altogether.
http://www.erpsoftwareblog.com/2013/10/5-erp-security-risks-to-be-aware-of/
Wenlin Zhou says
What is segregation of duties and why is it a commonly used control? Give an example of two (e.g. IT) roles that should be segregated?
Separation of duties is a classic security method to manage conflict of interest, the appearance of conflict of interest, and fraud. It restricts the amount of power held by any one individual. It puts a barrier in place to prevent fraud that may be perpetrated by one individual.
Backups are important and we want to encourage backups, but not everyone that has administrator or super user privilege should be allowed to create backups since this gives them a copy of all of the intellectual property. Approved backup operators should be identified in writing with the appropriate procedures. In general, it is far safer to use disk replication to an alternate site. Backups made to small tapes that easily fit in a pocket or briefcase are the highest risk. Backup tapes may need to be produced for regulatory compliance and should be protected in a manner consistent with the sensitivity of the information.
http://www.sans.edu/research/security-laboratory/article/it-separation-duties
Deepali Kochhar says
1. Security in an ERP system (e.g. SAP) is complex. What is the most fuzzy, difficult to understand component? Explain
In my point of view, the most difficult to understand security component in SAP is Authorization. This includes mapping user IDs to roles and profiles. It is designed to protect system availability, integrity and privacy.
Authorization process includes providing:
• Logon with password
• Secure network communication (Single sign on)
• SAP logon tickets
The challenges involved are:
• Multiple users need multiple transactions which becomes difficult to manage.
• Users should be given access to only specific data in display and maintenance mode.
• Managing multiple roles for a user along with details such as what and where is a complex task.
• Change management is a complex task in SAP
Wenlin Zhou says
I agree with you. Authorization in SAP is the difficult part. Roles and Authorizations allow the users to access SAP Standard as well as custom Transactions in a secure way. SAP provides a certain set of generic Standard roles for different modules and different scenarios. We can also define user-defined roles:
Master Roles – With Transactions, Authorization Objects and with all organizational level management.
Derived Roles – With organizational level management and Transactions and Authorization Objects copied from the Master Role.
Deepali Kochhar says
What is segregation of duties and why is it a commonly used control? Give an example of two (e.g. IT) roles that should be segregated?
Segregation of duties is the concept of having more than one person required to complete a task. In business, sharing a single task among more than one individual is an internal control intended to prevent fraud and error.
It is the primary internal control intended to prevent or decrease the risk of errors or irregularities, identify problems, and ensure corrective action is taken.
In SAP, the general categories of duties are:
• Authorization
• Custody
• Record keeping
• Reconciliation
SoD involves breaking down tasks that might reasonably be completed by a single individual into multiple tasks so that no one person is solely in control.
An example of two roles that should be segregated is:
Payroll management: It is an administrative area in which both fraud and error are risks. A common segregation of duties for payroll is to have one employee responsible for the accounting portion of the job and someone else responsible for signing the checks.
Annamarie Filippone says
Q1. What is segregation of duties and why is it a commonly used control? Give an example of two (e.g. IT) roles that should be segregated?
Segregation of duties (SOD) is the principle of sharing responsibilities of key processes by dividing critical functions of those processes to more than one person. This is a commonly used control because it is one of the simpler controls to mitigate the risk of fraud or human error.
One role that obviously should be segregated is within software. The individual that develops the code should not be able to move it to production. Without someone else involved in this process, it would be easy for the developer to slip in malicious code or have unintentional mistakes pass through without check.
Another role that should be segregated is account usage of administrators. These individuals should have two accounts, one with normal user rights and one with elevated rights. The account with elevated rights should be used to perform activities requiring administrator-level access only. All other general work activities should be performed with the normal account.
Sean Patrick Walsh says
Your second example of an administrator’s two different user accounts is a great example. A business that allows admins to share a root-user logon for use whenever needed loses the ability to track who made what changes to a system or network since any number of users who have access to the logon ID could be responsible. By mandating that a root-user ID be issued for each admin there is a level of deterrence created as well since the user’s individual activities and actions can be traced back to them afterward.
Annamarie Filippone says
Q2. Security in an ERP system (e.g. SAP) is complex. What is the most fuzzy, difficult to understand component? Explain.
An ERP system by itself has the capabilities of many applications put together, which creates complexity for an organization. Specifically, I think determining access controls would be a difficult process. With thousands of transaction codes to manage, there is the risk of users having access to functions they should not or, on the flip side, users being unable to access the functions they need. While the former can potentially lead to fraudulent activity, the latter can keep individuals from completing necessary job operations. Access administration for an ERP system can be a time-consuming and cumbersome process for an organization.
Annamarie Filippone says
Q3. What key (1-2) competencies does the person responsible in a company for security (e.g. for a given process) need to have to be successful? Why?
I think two key competencies an individual responsible for security needs are the ability to prioritize, as well as communicate. Not all security threats are created equal, and each has its own likelihood and impact. A security professional must understand this, and be able to make decisions regarding what level of security controls each system/process in the organization will have. Communication is also an important skill for a security professional. Security is an organization-wide issue, not just IT, so an individual responsible for security must be able to talk about security problems and solutions with varying degrees of technicality, so everyone in the organization can understand.
Said Ouedraogo says
Annamarie,
I agree that the person responsible for security must be able to talk a language that everyone can understand. Generally, managers do not understand security terminology. They need someone who is able to translate that complex language into business language. It is really important that that person has the capability to talk to everyone in the company with “varying degrees of technicality”. If managers do not understand what the person is talking about, they may just not approve the person’s solutions to security problems in the company.
Mansi Paun says
Great point about prioritization, Annamarie. Nowadays, with an increasing number of security related incidents and greater emphasis on reducing the workforce, employees are often time-crunched. Therefore, it is extremely important that the individual responsible for security can identify and differentiate a critical incident from a non-critical incident and act depending on the nature of the incident.
Another useful competency I can think of is being able to learn, think and act fast. Being in charge of security could mean frequently facing vastly different situations that are tricky and time-sensitive so being able to grasp new information quickly, thinking on your feet and taking the right decisions quickly would be a very desirable trait that would make one more successful in their role.
Annamarie Filippone says
Q4. All companies are dynamic entities with employees and others using systems coming and going all the time. What best practices have you experienced or would you recommend for managing system users and their related security access?
In regards to security access, every company I have worked for has utilized the principle of least privilege. This ensures that users have access to only the systems they need to complete their job functions, and nothing more. In addition, user access should be regularly recertified to ensure that continued access to different systems is still required. An organization should evaluate systems to understand their criticality and sensitivity when deciding how often recertification should take place. For example, one company I worked for determined that access to data centers must be recertified every six months.
Wenlin Zhou says
I agree with you. To reduce the risk of deleterious access to valuable assets such as equipment, money, data and intellectual property, there is no reason for a person not employed by, contracted with, patronizing, or otherwise not desiring a conducive relationship with a business location to be able to gain access to it. Nothing should be lost by restricting access to these unrelated parties.
Said Ouedraogo says
That reminds me of a company I have worked for. In fact, I was an intern for 3 months. At the beginning of my internship, they created my profile on SAP. And depending on my tasks, I was able to make just certain types of transactions. My username and password were scheduled to expire 24 hours after the end of my internship.
Wen Ting Lu says
Hi, Said.
Thanks for sharing! I found this website has a great check list of what an IT administrator should do when an employee is terminated:
1. Retrieve or disable all company-owned physical assets.
2. Disable all internal user accounts to which the employee had access.
3. Change any shared passwords the employee knew.
4. Disable access to the employee’s company email account.
5. Disable access to the employee’s phone and voicemail account.
6. Terminate VPN and remote-desktop access.
7. Change door codes or PINs to disable physical access to the company’s premises.
8. Perform a complete backup of the employee’s hard drive.
Source:
https://www.auvik.com/media/blog/employee-termination-checklist/
From my experience when I was working at Greyhound bus lines, every time someone got terminated, they would change the pass code for the door to maintain physical security.
For my current job, I don’t think the management did a good job of securing the company’s information. For example, it didn’t disable access to the employee’s company email account when the prior employee resigned. In addition, it didn’t change the shared password that everyone knows.
Binu Anna Eapen says
I agree with you Annamarie. The principle of least privilege is one of the most commonly used and most important controls after segregation of duties. Limiting access to the minimal level and ensuring the normal functioning of business with those privileges results in fewer security incidents, reduced support cost, a simplified path to compliance, a productive environment and easily manageable IT. It also helps in identifying flaws, if any, in a system.
Deepali Kochhar says
Great point Annamarie. One example can be VPN access rights. Since it is very important to monitor the activities happening over the VPN, users should be given least privileges. There should be a session timeout policy for the use of VPN, and the renewal process should be frequent, so that employees are not given access to VPN for a long time. It should be renewed over short periods, and the need should be analysed before approving it. It can be the case that an employee may need it to perform only one function and still holds the access rights for a longer duration. To avoid such events, implementation of least privilege is important.
Mansi Paun says
Segregation of duties means separation of duties, or the idea of requiring more than one person to complete a specific task in a business process. It is a commonly used control because sharing responsibilities to complete a task helps prevent fraud and errors due to oversight. Two IT roles that should be segregated would be PO creator and PO approver, or buyer and approver. This ensures that the person who is creating a purchase order does not have the authority to approve it, and an approver cannot create a purchase order and approve it himself. Having both purchase order creator and approver privileges would create a favorable opportunity to commit fraud.
Ming Hu says
What is segregation of duties and why is it a commonly used control? Give an example of two (e.g. IT) roles that should be segregated?
Segregation of Duties (SoD) is an important component of internal controls; it shares responsibilities for a key process, dispersing the critical functions of that process among more than one person or department. It restricts the amount of power held by any one individual and puts a barrier in place to prevent fraud that may be perpetrated by one individual.
Database administrator vs. rest of IT function
The database administrator (DBA) knows almost everything about the data, database structure and database management system. Considering the inherent ability of DBAs to access anything, change anything, and delete anything in the relevant database, DBAs should be segregated from everything except what they must have to perform their duties, i.e., the DBA should be an island – no other function reporting to the DBA and no responsibilities or interactions with programming, security or computer operations.
New application development vs. application maintenance
Initial application development should be segregated from maintenance of that application. Lack of SoD may present some risk that the application will not be properly documented, since the group does everything for all of the applications in that segment; it also provides more opportunity for someone to inject malicious code without being detected, because the one writing the initial code and inserting malicious code is also the one reviewing and updating that code.
Vu Do says
Segregation of duties is a control that splits up tasks in a business so that no one person is responsible for everything. It prevents fraud and error from occurring. It makes it easier for individuals since they are only responsible for one thing.
1. Access control should be separated; for example, an individual should not have the power to give themselves access to databases in which they do not operate. They must put in a request for permission and get approval if they want to access a certain database.
2. Application developers should not have access to implement a program into production. That role must be separated since the wrong data could be put into production and cause errors and problems for the company. The program must get approval and get looked at before getting put into production.
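The role pairs named in the posts above (PO creator/approver, developer/production deployer, DBA/log administrator, requester/grantor of access) are exactly what an SoD conflict matrix encodes, and the following added example (not code from any post or from an ERP product) shows the two ways such a matrix is used: a detective report over existing assignments and a preventive check before a new role is granted. The users and role names are constructed for illustration.

```python
from typing import Dict, FrozenSet, List, Set, Tuple

# Conflict matrix: each pair of roles must never sit with one identity.
# The pairs restate the conflicts the discussion above identifies.
CONFLICTS: Set[FrozenSet[str]] = {
    frozenset({"po_creator", "po_approver"}),          # creates and approves own purchase orders
    frozenset({"app_developer", "prod_deployer"}),     # writes code and moves it to production
    frozenset({"dba", "db_log_admin"}),                # changes data and can alter the audit trail
    frozenset({"access_requester", "access_grantor"}), # approves own access requests
}

# Constructed role assignments for hypothetical users.
ASSIGNMENTS: Dict[str, Set[str]] = {
    "alice": {"po_creator", "po_approver"},
    "bob": {"app_developer"},
    "carol": {"dba", "db_log_admin", "prod_deployer"},
    "dave": {"prod_deployer"},
}

def sod_violations(assignments: Dict[str, Set[str]],
                   conflicts: Set[FrozenSet[str]] = CONFLICTS) -> Dict[str, List[Tuple[str, str]]]:
    """Detective control: report every user who holds a conflicting role pair."""
    report: Dict[str, List[Tuple[str, str]]] = {}
    for user, roles in assignments.items():
        hits = sorted(tuple(sorted(pair)) for pair in conflicts if pair <= roles)
        if hits:
            report[user] = hits
    return report

def can_assign(user: str, new_role: str, assignments: Dict[str, Set[str]],
               conflicts: Set[FrozenSet[str]] = CONFLICTS) -> bool:
    """Preventive control: refuse a grant that would complete a conflicting pair."""
    roles = assignments.get(user, set()) | {new_role}
    return not any(pair <= roles for pair in conflicts)

if __name__ == "__main__":
    for user, pairs in sod_violations(ASSIGNMENTS).items():
        print(f"{user}: conflicting roles {pairs}")
    print("bob -> prod_deployer allowed?", can_assign("bob", "prod_deployer", ASSIGNMENTS))
```

The preventive check is the one that belongs in the provisioning workflow, because a conflict that is blocked at grant time never needs a compensating review; the detective report is what an auditor asks for to prove the matrix is actually enforced.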
Fred Zajac says
Vu,
You bring up a great point about Application developers and the segregation of duties within the IT department. Many times, having one person perform multiple IT functions increases fraud risks. Not only does this pertain to internal employees, which is obvious but it also pertains to 3rd party vendors. Having one vendor providing all of the products / services could make the company more vulnerable to the demands of the provider, and increases the chances of fraud.
It is always a good idea to use multiple vendors and / or outsource to multiple companies. I get that it is much easier and many times cheaper to use one company as a “turn-key” provider, but it may put you in a difficult position.
Vu Do says
4. All companies are dynamic entities with employees and others using systems coming and going all the time. What best practices have you experienced or would you recommend for managing system users and their related security access?
While working as an Associate Application Developer for Highmark BlueCross BlueShield for a little over a year, I was always required to request security access to databases to which I did not have access. It always took a while for the security guys to give me access, since I had to put it through the proper channels and it would have to go through three different layers of approval before they were able to grant me access. My team manager would be the first layer to approve my access, then it was the manager, and lastly the higher-ups had to give it the okay. I thought that was a good way of approving access for users requesting it. Managers and higher-ups are able to see what they are approving, so there is no miscommunication as to why a certain user was granted access to something they were not supposed to have. The security guys are not allowed to proceed to give the user permission until they see that all the higher-up people within the organization responsible for the certain users have given the yes to proceed. So overall I think this is a good process for granting user security access.
Binu Anna Eapen says
Nice example Vu Do. Approvals for access is a great way to manage system users.
In my previous company, access to the imaging lab was limited, and the access was provided to the IT technicians by the executive manager only after a written mail communication was sent with justification as to why one needed access. And this security measure was very important, as the lab would have 300-400 laptops most of the time and it would have been very easy for anyone to sneak out with a laptop. This ensured that each technician was accountable for the assets during the time of access.
Priya Prasad Pataskar says
Nice example Vu Do. But sometimes approvals come in the way of time management. I have had experiences where a few managers were on leave and hence approval went pending for a week, which means a delay of a week to start my work.
Another point that occurs to my mind is the documentation of approvals. It is necessary to keep the records of approvals safely for the purpose of audit. When people send approvals over email, they generally get lost in the systems and archives. Organizations can use ticketing systems like Remedy to save the approval emails.
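Vu Do’s three-layer approval chain, Priya’s point that a manager on leave stalls it, and her point that approvals must survive for audit can all be expressed in one small workflow model. The following is an added example, not code from any post or from a ticketing product: it enforces the layer order, lets a named deputy sign for an absent manager, refuses self-approval, and makes the security team’s grant impossible until every layer has signed, returning the record that should be kept. The layer names, approvers and the requested resource are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Ordered approval layers, mirroring the three-step process described above (constructed names).
APPROVAL_CHAIN: Tuple[str, ...] = ("team_manager", "department_manager", "executive")

# Who may sign at each layer; a named deputy covers a manager who is on leave (constructed).
LAYER_APPROVERS: Dict[str, Set[str]] = {
    "team_manager": {"tina"},
    "department_manager": {"dana", "deputy_dan"},
    "executive": {"eve"},
}

@dataclass
class AccessRequest:
    requester: str
    resource: str
    justification: str
    approvals: List[Tuple[str, str, str]] = field(default_factory=list)  # (layer, approver, timestamp)
    granted_by: Optional[str] = None

    def next_layer(self) -> Optional[str]:
        """The layer whose signature is due next, or None when the chain is complete."""
        done = len(self.approvals)
        return APPROVAL_CHAIN[done] if done < len(APPROVAL_CHAIN) else None

    def approve(self, approver: str, when: str) -> None:
        layer = self.next_layer()
        if layer is None:
            raise ValueError("request is already fully approved")
        if approver == self.requester:
            raise ValueError("requester may not approve their own request")
        if approver not in LAYER_APPROVERS[layer]:
            # Also catches out-of-order signing: an executive cannot sign before the managers.
            raise PermissionError(f"{approver} is not an approver for layer {layer}")
        self.approvals.append((layer, approver, when))

    def fully_approved(self) -> bool:
        return self.next_layer() is None

def grant_access(req: AccessRequest, security_admin: str, when: str) -> Dict:
    """Security may act only after every layer has signed; returns the record to retain for audit."""
    if not req.fully_approved():
        raise PermissionError(f"approval outstanding at layer {req.next_layer()}")
    req.granted_by = security_admin
    return {"requester": req.requester, "resource": req.resource,
            "justification": req.justification, "approvals": list(req.approvals),
            "granted_by": security_admin, "granted_at": when}

def rejects(action) -> bool:
    """True if the action is refused by the workflow rules (used to demonstrate the checks)."""
    try:
        action()
    except (ValueError, PermissionError):
        return True
    return False

def demo() -> Dict:
    """Constructed walk-through: the department manager is on leave, so the deputy signs."""
    req = AccessRequest("requester01", "claims_db", "new team member needs read access")
    req.approve("tina", "2016-09-01T09:00")
    req.approve("deputy_dan", "2016-09-01T10:30")
    req.approve("eve", "2016-09-02T08:15")
    return grant_access(req, "secops", "2016-09-02T09:00")

if __name__ == "__main__":
    print(demo())
```

The returned record is the audit artifact Priya asks for: it is produced by the same code path that performs the grant, so there is no separate e-mail trail to lose, and the deputy list is the answer to the week-long delay without weakening the chain.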
Yulun Song says
1. What is segregation of duties and why is it a commonly used control? Give an example of two (e.g. IT) roles that should be segregated?
Segregation of duties is a security method to manage conflict of interest, the appearance of conflict of interest, and fraud. It helps restrict the amount of power held by any one individual. It prevents fraud that may be perpetrated by one individual.
1) The first example of segregation of duties would be that a company requires that if one person writes checks, recording the amounts in the company’s general ledger must be done by another person.
2) The database administrator’s duties should be segregated so that no other function reports to the database administrator and there are no responsibilities or interactions with any programming, security or computer operations related field.
Priya Prasad Pataskar says
Great point about conflict of interest. I agree with you.
Separation of duties is a fundamental principle of many regulatory mandates such as Sarbanes-Oxley and the Gramm-Leach-Bliley Act. SOD is an internal control requirement focusing on 2 primary objectives:
1. prevention of conflict of interest
2. detection of control failures that include security breaches
It is also important for key admin staff to take leave from time to time with their jobs being completed by others in their absence.
Fangzhou Hou says
Good examples Yulun. Segregation is very important to prevent potential fraud and error, especially in financial and accounting processes. From my previous experience, the accounting department usually has one staff member gathering the invoices and entering data into the accounting information system. Another will double-check the journal entries and accounting flows to ensure the data is correct. Only after he or she confirms the correctness of the data will the approval be made.
Yulun Song says
3. What key (1-2) competencies does the person responsible in a company for security (e.g. for a given process) need to have to be successful? Why?
I think two key competencies a person responsible for security needs are skepticism and communication skills. All people should be skeptical about the security of a company, because there are detailed parts that an IT auditor or a CIO may ignore, so it is our responsibility to think about and ask questions about anywhere that we think is not secure. On the other hand, we still need communication skills, because when we find some problems within the company, we need good communication skills to let upper management and the CIO know and understand.
Yu Ming Keung says
Yulun, I also listed similar competencies in my own response to this question. It is crucial for the security person in the company, because you cannot assume that the security is enough to protect the company’s information. You always have to have a questioning mind and be curious about what can go wrong in IT security. People without skepticism tend to be more inactive, and they may ignore any small or important issues.
Vu Do says
3. What key (1-2) competencies does the person responsible in a company for security (e.g. for a given process) need to have to be successful? Why?
They have to have an understanding and correct thinking to be good at security, for example when approving users’ security access. They must know what they are doing and know that the certain user requesting permission for access has a reason to go into that certain database. They can’t be users in the billing department asking for permission to access the accounting database. That could be a potential for fraud to occur, and the security personnel would be looked upon for granting them access. The security personnel must question the user asking for permission and get an understanding of why they are asking to access a certain database. It could be a reason such as they are new to a team and need the access to work in certain areas. Security personnel play a huge role in making sure there is no fraud occurring by making sure the right users have access to what they are supposed to.
Vu Do says
2. Security in an ERP system (e.g. SAP) is complex. What is the most fuzzy, difficult to understand component? Explain
The permission component: users must have the required access control to access certain parts of the system and to submit materials. You could be working on something and then at the end realize you do not have the required permission to submit what you spent the whole time entering. So knowing whether you have permission or not is a huge issue. There must be a way beforehand to know if you have the right access. You could be able to view and enter into columns, but being able to submit or make changes may not be on the list of things you’re able to do. So permissions or access controls are an issue, and not knowing if you have the required access before you begin working is a huge problem.
Priya Prasad Pataskar says
That must definitely be troublesome. What do you think is a solution for this?
Basically, ERP software must grey out the text boxes where data cannot be entered; they should not be editable if the access does not allow editing.
I think organizations should maintain access control lists and must hand out a copy to the respective individuals defining their roles, responsibilities and accesses. I believe nowadays in all software applications an automated access list can be generated. Organizations should benefit from the access matrix.
Ming Hu says
What key (1-2) competencies does the person responsible in a company for security (e.g. for a given process) need to have to be successful? Why?
Adaptability to change
Technology is constantly evolving, and so are the information security threats; even well-known, successful companies like Yahoo and Target can’t survive a data breach. As a security officer, it’s important to adapt easily to change; simply speaking, always being a student and learning is a must.
Flexibility
Flexibility is important too because of the variety of tasks, jobs and locations the professional security officer has to be trained for and deal with. For example, what one client might require at a warehouse, shipping center, or industrial site might be very different from what is required at a retail business, neighborhood, or public venue. The tasks associated with each security job are different, and specifications from clients vary considerably. A good security officer will recognize the differences between the various environments they operate in and pay careful attention to the specific needs of the client and those whom they protect and keep secure.
Priya Prasad Pataskar says
Great points Ming Hu. I would like to add to your list.
A person responsible for security must be a good observer and must take an active interest in learning about each and every process in the organization. An organization’s functions are so closely bound and interdependent that a person responsible for security must be a scholar in the organization’s internal workflows. He should have the enthusiasm to know how work is carried out even though it might not be his primary department.
Ming Hu says
Thank you for adding details. Your post just reminded me that accounting knowledge was a necessity when I came to learn SAP. IT is a powerful tool leveraged by different departments: HR, finance, accounting, etc. So as a security guard, it’s not unusual for you to need to learn cross-field knowledge to carry out your work.
Deepali Kochhar says
Also, to add to your point, I would say analysis of critical issues is also important. This can be preventive, where analysis is performed to identify what security controls should be in place to avoid any unwanted event, or corrective, where an already occurred scenario is analysed so as to find the root cause and make sure that such an event doesn’t occur again.
So every time, analysis of all the security controls and functions should be performed by the security personnel.
Binu Anna Eapen says
Great post Ming Hu. I guess adaptability to change is the most important characteristic and is also the most difficult competency for a security professional. As technology keeps changing, one must always be updated with the latest technological changes to be able to make better decisions for the firm.
I also think the security professional should be persuasive and convincing, to be able to convince the business why they need the changes and how they can be effective/efficient for the company, and should be able to negotiate with them.
Fred Zajac says
Ming Hu,
Remaining a “student” for your entire life is what makes a person wise. It is important to keep up to date on all of the latest industry best practices to remain relevant in any business environment.
One way for us to stay current is to keep up with industry association certifications. Take a look at ISACA’s latest event in Blue Bell, PA. It was a week long event that covered many aspects of our entire program, so far. The multi-day event included several seminars, worth credits toward ISACA’s yearly accreditation. ISACA does a great job at keeping current on industry trends and best practices. By attending the events, you will be in a position to make better decisions for the company.
Here is the link to this year’s ISACA event. Very similar to our classes in this program. I would say the ISACA event is a watered-down version of our classes.
http://www.cvent.com/events/isaca-philadelphia-2016-fall-conference/agenda-74d292e952a841bf8bff41b87ff8af42.aspx
Priya Prasad Pataskar says
1. What is segregation of duties and why is it a commonly used control? Give an example of two (e.g. IT) roles that should be segregated?
Segregation of duties serves the most important function: protection of company assets.
Purpose – Basically it prevents internal fraud and errors. To ensure that there is control over a process, separation is done at the right point so that errors can be determined. When multiple people are involved in a task it is easy to keep them bound to ethical behavior, and in case of any unethical behavior the action can be flagged by the other person with whom the duty is shared. Segregation of duties plays a crucial role in risk mitigation. It is important to put these controls in the open from the start to discourage fraud.
The fraud triangle speaks about opportunity, pressure, rationalization. Segregation of duties negates or tries to negate opportunity.
In accounting, tasks are separated to segregate:
1. custody of assets
2. authorization for use of assets
3. record keeping of assets.
4. reconciliation
Examples of SOD in an IT company:
1. The person who has admin access to the database must not be the one who is auditing the database. If he has both rights, this person can approve whatever changes he is willing to make. There would be no authority over him to see if he has correctly used his admin privileges or exploited them.
2. The network team and incident management team must be separate. In the occurrence of a network or security incident, the incident management team should highlight the incident, create a ticket for the incident and assign it to the network team. The incident response team can only mark the status of the incident as resolved after the network team completes their job. If the network team had access to resolve the incident, that would raise the opportunity area in the fraud triangle.
Ming Hu says
Security in an ERP system (e.g. SAP) is complex. What is the most fuzzy, difficult to understand component? Explain
SAP itself is very complex: it has about 1000 parameters, and most of them can affect security. When you install an SAP system, it comes with 20+ different services, each of which uses its own proprietary protocol and a set of configurations. And that is only for the NetWeaver ABAP Application Server; besides that, SAP provides at least five other platforms with a completely different set of functions, services, protocols, and even access control systems.
Taking authorization as an example, authorizations in SAP are like a small portion of functionality you can execute. There are thousands of them; each authorization has an activity, field, and value. For example, there is an authorization to get access to tables, and this authorization can be associated with different types of activities such as read or write. Also, there are different types of access, such as access to a particular set of tables, say, system tables or material tables. When you configure this one small part of access, it is called an authorization; then a set of authorizations is combined into a role, a role is combined into a composite role, and then the role is assigned to a user. But it is not the end; roles can be assigned to a profile and a profile can be assigned to a user as well. And above that system, we also have different types of users. For instance, reference users take access rights from real users but don’t store the information about access rights in their profile. Once again, this is only about the ABAP system. For other systems or even modules, you have other role models.
Just imagine how many vulnerabilities can be found in this multipart system, and even a tiny level of compromise can generate devastating effects.
Source: http://resources.infosecinstitute.com/sap-security-think-different/
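Ming Hu’s description of the ABAP authorization model (authorization = object + field values, authorizations grouped into roles, roles into composite roles, profiles assigned directly, and reference users lending rights) is easier to reason about once it is written down as data, so here is an added example (not SAP code, and not from the post or its source) that models those layers and answers the question a check in the application asks: does one of the user’s effective authorizations cover every requested field value? The Z_* role names, the profile and the users are hypothetical; S_TABU_DIS with its DICBERCLS (table group) and ACTVT (02 = change, 03 = display) fields is a real SAP authorization object used only for illustration, and the one-level reference-user inheritance is a simplifying assumption of this model.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Set, Tuple

@dataclass(frozen=True)
class Authorization:
    obj: str                                          # authorization object, e.g. S_TABU_DIS
    values: Tuple[Tuple[str, FrozenSet[str]], ...]    # (field, permitted values); "*" = any

def auth(obj: str, **fields) -> Authorization:
    """Build one authorization: the object plus a value set for each of its fields."""
    pairs = sorted(((k, frozenset(v)) for k, v in fields.items()), key=lambda kv: kv[0])
    return Authorization(obj, tuple(pairs))

@dataclass
class Role:
    name: str
    auths: Set[Authorization] = field(default_factory=set)
    children: Set[str] = field(default_factory=set)   # a composite role lists its single roles here

@dataclass
class User:
    name: str
    roles: Set[str] = field(default_factory=set)
    profiles: Set[str] = field(default_factory=set)
    reference_user: Optional[str] = None              # rights borrowed from another user (assumed model)

# Constructed sample configuration (hypothetical role, profile and user names).
ROLES: Dict[str, Role] = {
    "Z_TABLE_DISPLAY": Role("Z_TABLE_DISPLAY",
                            {auth("S_TABU_DIS", DICBERCLS={"MATERIAL"}, ACTVT={"03"})}),
    "Z_TABLE_CHANGE": Role("Z_TABLE_CHANGE",
                           {auth("S_TABU_DIS", DICBERCLS={"MATERIAL"}, ACTVT={"02", "03"})}),
    "Z_MM_CLERK": Role("Z_MM_CLERK", children={"Z_TABLE_DISPLAY"}),   # composite role
}
PROFILES: Dict[str, Set[Authorization]] = {
    "P_SYSTEM_TABLES": {auth("S_TABU_DIS", DICBERCLS={"SYSTEM"}, ACTVT={"03"})},
}
USERS: Dict[str, User] = {
    "clerk": User("clerk", roles={"Z_MM_CLERK"}),
    "editor": User("editor", roles={"Z_TABLE_CHANGE"}, profiles={"P_SYSTEM_TABLES"}),
    "temp": User("temp", reference_user="clerk"),
}

def role_auths(role_name: str, seen: Optional[Set[str]] = None) -> Set[Authorization]:
    """Flatten a role, following composite roles and ignoring cycles or unknown names."""
    seen = set() if seen is None else seen
    if role_name in seen or role_name not in ROLES:
        return set()
    seen.add(role_name)
    role = ROLES[role_name]
    out = set(role.auths)
    for child in role.children:
        out |= role_auths(child, seen)
    return out

def effective_auths(username: str, via_reference: bool = False) -> Set[Authorization]:
    """Everything a user can do: roles, profiles, plus one level of reference-user inheritance."""
    user = USERS[username]
    out: Set[Authorization] = set()
    for r in user.roles:
        out |= role_auths(r)
    for p in user.profiles:
        out |= PROFILES.get(p, set())
    if user.reference_user and not via_reference:
        out |= effective_auths(user.reference_user, via_reference=True)
    return out

def authority_check(username: str, obj: str, **fields: str) -> bool:
    """True only if a single authorization covers every requested field value."""
    for a in effective_auths(username):
        if a.obj != obj:
            continue
        allowed = dict(a.values)
        if all(f in allowed and (v in allowed[f] or "*" in allowed[f]) for f, v in fields.items()):
            return True
    return False

if __name__ == "__main__":
    print("clerk may display MATERIAL tables:",
          authority_check("clerk", "S_TABU_DIS", DICBERCLS="MATERIAL", ACTVT="03"))
    print("clerk may change MATERIAL tables:",
          authority_check("clerk", "S_TABU_DIS", DICBERCLS="MATERIAL", ACTVT="02"))
```

The all-fields-in-one-authorization rule in `authority_check` is the detail that makes the model “fuzzy” in practice: a user can hold a change activity in one authorization and a table group in another and still be refused, and, conversely, a role that looks harmless can silently grant a combination once it is bundled into a composite role or a profile, which is why tools that flatten a user’s effective authorizations are what reviewers actually read.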
Yu Ming Keung says
3. What key (1-2) competencies does the person responsible in a company for security (e.g. for a given process) need to have to be successful? Why?
I think the most important competencies for security people are professional skepticism and decision-making ability. Skepticism is the attitude that includes a questioning mind, being alert to conditions which may indicate possible misstatement due to error or fraud, and a critical assessment of audit evidence. With that being said, this is a very important competency for a person responsible in a company for security, because we are not only talking about physical security but information security. The person needs to be able to identify any security challenge by having a questioning mind. Decision making is also one of the important competencies, because this competency is very critical for the person responsible for security, who needs to take immediate action to react to any security issues, not only making the right decision but in a timely manner.
Yulun Song says
Yes, I agree with those two abilities that a person needs to have for a company’s security. A person who is skeptical will help the company dig into small and detailed areas, and things that are really easy to ignore. And being alert to any conditions will help the company investigate any possible misstatement, and anyone within the organization can be a small “IT auditor” to help prevent frauds and errors.
Fred Zajac says
1. What is segregation of duties and why is it a commonly used control? Give an example of two (e.g. IT) roles that should be segregated?
Segregation of duties is assigning different employees to handle the activities of a business process. Segregation of duties is a common control in many businesses because of the potential of fraud. By giving one employee control, a business opens itself up to several vulnerabilities.
Two Examples:
Procure To Pay Process – This separation is something I had spoken about in previous discussions. It is important to separate the purchasing manager from goods receipt. When the purchaser of supplies makes an order, it is important to have another person accept delivery of the supplies and verify the contents of the package against the purchase order. Having one person make orders and receive packages allows for fraudulent purchases.
Order To Cash Process – It is important to separate the marketing / sales function with the finance function. A business wouldn’t want one person influencing the sales cycle & finance cycle because of the fraud possibilities. The multi-responsibility employee can fraudulently misrepresent the numbers, making things look much better.
Fred Zajac says
2. Security in an ERP system (e.g. SAP) is complex. What is the most fuzzy, difficult to understand component? Explain
The most fuzzy and difficult to understand component for me is the FI (Financial / Accounting) component. I guess it was the most fuzzy for me because of the mistakes an employee may make. The security control in an ERP system eliminates the ability to delete saved / processed / executed / etc. items. This control is good to keep the integrity of the data / system. However, I know I have made mistakes and would assume other new SAP users would make similar mistakes.
I do understand the component, and understand why all security components are in place, but it makes things frustrating when you make a mistake and must figure out a solution to your mistake, without the option of “starting over”. I like the “start over” option.
Fred Zajac says
3. What key (1-2) competencies does the person responsible in a company for security (e.g. for a given process) need to have to be successful? Why?
The two most important competencies a security person needs to have are:
Integrity:
Integrity revolves around trust. As a business owner, I would want to know my security person shares accurate information to increase security effectiveness. Always do the right thing, and adhere to all policies and procedures.
Adaptability:
Criminals are always figuring out new ways to deceive companies / people by being creative. It is a cat and mouse game. Whenever the cat figures out a way to protect the cheese, the mouse will get creative and figure a way around the security measure. The only way to be preventative, is to be pro-active. As criminal activity evolves, security personnel must be willing to change and adapt to the new environment.
Fred Zajac says
4. All companies are dynamic entities with employees and others using systems coming and going all the time. What best practices have you experienced or would you recommend for managing system users and their related security access?
Since company turnover, switching vendors, and changing systems are things every company will experience, it is important to implement security specific best practices by understanding the rights and responsibilities for everyone who has accessed the system.
Specific access should be granted based on the user group: employees, vendors, etc. Each user within the specific group should also have a specific permission set to ensure the integrity of the system.
The user groups should have specific procedures in place, outlining how each user will be handled, from the time they are considered for access to the system, until they are eliminated from access.
You should never deviate from the procedures, user group access, and individual user rights, unless approved by the governing board / management.
Yu Ming Keung says
I agree with you Fred; user access to the system is a big concern when it comes to company turnover and switching vendors. It would be a big risk to system integrity if access still remained for those with expired permission. Having a clear access policy for employees to follow is a must, to ensure that permission access is granted to the right person at the right time, as well as removal of access.
Tiesha Christian says
Fred Zajac – I agree with your method of managing system users. I would also suggest maybe having a more formal check, depending on the sensitivity of the system. If it is one that is highly data-sensitive or produces financial statements, maybe a monthly check where management checks each user’s access to validate appropriateness. This should be performed for contractors / consultants as well as employees.
Tiesha Christian says
Priya Prasad Pataskar – You make such valid points. It is such a critical topic, but yet many companies fail at performing this vital task. I have heard of many instances where an admin also has access to a database and is performing tasks out of scope for their role, which can pose serious threats.
Yu Ming Keung says
Security in an ERP system (e.g. SAP) is complex. What is the most fuzzy, difficult to understand component? Explain
To me, the most fuzzy, difficult to understand component is the security of ERP systems itself, because the system is complex. There is an authorization process when the users log in to the system. There are concepts of authorization objects, authorization checks, authorization fields and authorization values. Those components work with each other for users to access SAP functions. I wonder how an individual is given the access privilege to perform certain tasks. How can we make sure that each user has the right privilege in ERP? How do we monitor user access in ERP? Do we have an access report of users accessing ERP? It is very tricky and needs ERP experts to understand all the components of ERP and manage the authorization problem.
Fangzhou Hou says
Exactly Yu-Ming, I totally agree with you that ERP SAP itself is complex for entry-level users. Because the SAP system includes most processes of the business, like financial, marketing, accounting, etc., there is a ton of work to do for new users. But still, the SAP system is a powerful tool for the organization to manage different business processes and better help the decision makers.
Wen Ting Lu says
Hi, Yu Ming
You brought up some very good questions in regard to the security concerns with the ERP system. By doing some research online I found that an ERP system can leverage the current system to continuously monitor and improve internal controls through periodic or on-demand controls or specialized reports. For example, there are SAP control reports, conflicting abilities of individual profiles, contents of a detailed conflicting ability analysis, etc. These reports can easily be created from an ERP system, and they can help alert managers and supervisors about authorization or user access violations. ERP systems allow segregation of duties via user authorizations. User profiles determine the type of access and authority each user has within the system. A user profile should not allow any user to have incompatible duties.
Source:
https://www.imanet.org/-/media/55d63b2e7e194d358c66594bc6afe2c8.ashx
Fangzhou Hou says
What is segregation of duties and why is it a commonly used control? Give an example of two (e.g. IT) roles that should be segregated?
The segregation of duties requires that there must be more than one person to complete a task. In business, sharing one single task among more than one individual is an internal control to prevent potential fraud and error.
For example, in the accounting department of an organization, to prevent fraud in financial statements, usually more than one staff member is engaged in the accounting process. Within an accounting process, someone will take the role of gathering the initial invoices, someone inputs the data into the accounting information system, and another takes the responsibility to go over the journal entries to ensure the data is correct.
Fangzhou Hou says
Security in an ERP system (e.g. SAP) is complex. What is the most fuzzy, difficult to understand component? Explain
First of all, the size of the ERP system is huge; it covers almost every function in the business processes of an organization, which means entry-level staff and new users need to spend a lot of time learning how to operate the ERP SAP system, and this usually requires employee training. In addition, attackers can quickly identify internet-accessible SAP systems, and process and consume data from SAP systems via the Remote Function Call interface. Therefore, the information security of SAP has been growing exponentially in recent years. Because the ERP SAP system usually stores a huge amount of sensitive information of the organization, if an attacker gains access to the SAP system, the data leakage may cause damage to confidential information.
Tiesha Christian says
Fangzhou Hou – Hackers are becoming more sophisticated and can identify certain vulnerabilities within SAP, and you mentioned that SAP has been growing substantially. What are some measures that you recommend to keep the bad guys away, or at least unarmed? SAP is such a huge component of the ERP ecosystem.
Wen Ting Lu says
I agree with you Fangzhou.
Since an ERP system stores an organization’s sensitive information, information security has become the major concern for companies that implement ERP systems. Some ways to secure an ERP system include limiting data access, keeping user activity logs, maintaining firewalls and encryption. In addition, by implementing two-factor authentication, such as by tying a second factor to your personal phone, users can secure their accounts with another layer of security, protecting against potential social engineering or phishing attacks.
Paul M. Dooley says
1. What is segregation of duties and why is it a commonly used control? Give an example of two (e.g. IT) roles that should be segregated?
Segregation of duties is a commonly used control across all organizations because the inherent nature of SOD is to minimize the opportunity to commit fraud. SOD is the principle of separating the individual tasks or steps of a necessary business process or role between multiple users to eliminate the ability to do things like issue payments to oneself or to a particular party where a prior agreement was arranged for kickbacks, etc. One example is that an administrator of a database or application should not be the one responsible for auditing the database or program. Another example of SOD that should be in place from an IT function is that the network security team should not share responsibilities for network administration functions.
Wen Ting Lu says
1. What is segregation of duties and why is it a commonly used control? Give an example of two (e.g. IT) roles that should be segregated?
Separation of duties is a classic security method to manage conflict of interest, the appearance of conflict of interest, and fraud. It is a commonly used control because it restricts the amount of power held by any one individual. It puts a barrier in place to prevent fraud that may be perpetrated by one individual.
Examples of roles that should be segregated:
– An employee who defines suppliers should be segregated from someone who pays invoices. It prevents a user from setting up and paying a fictitious vendor for personal gain.
– If the person who wrote the code is also the person who maintains the code, there is some probability that an error will occur and not be caught by the programming function. Therefore, segregating the initial AppDev from the maintenance of that application is needed to mitigate the risk.
– The person responsible for information security should be segregated from the rest of the IT function. The reason is that this person handles most of the settings, configuration, management and monitoring for security. Therefore, this person has sufficient knowledge to do significant harm.
Source:
http://www.sans.edu/research/security-laboratory/article/it-separation-duties
http://www.isaca.org/Journal/archives/2012/Volume-6/Pages/What-Every-IT-Auditor-Should-Know-About-Proper-Segregation-of-Incompatible-IT-Activities.aspx
Jianhui Chen says
1. What is segregation of duties and why is it a commonly used control? Give an example of two (e.g. IT) roles that should be segregated?
Segregation of duties is the concept of having more than one person required to complete a task. It is a commonly used control because it ensures that there is oversight and review to catch errors. It helps to prevent fraud or theft because it requires two people to collude in order to hide a transaction.
For example, when a company implements the SAP system, a staff member who enters accounts payable invoices into the system is not allowed to then approve them as well.
Another example is at a gas station or other retail business: the person who handles cash cannot be the same person that records cash amounts in the company’s ledgers.
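The incompatible-duty pairs named in this thread (define supplier vs. pay invoice, enter AP invoice vs. approve it, handle cash vs. record cash, write code vs. push it to production, administer a database vs. review its logs) can be expressed as an SoD conflict matrix and checked mechanically. The following is an added example, not code from the course or from SAP: the role names, duty names, users and sample data are all constructed. It shows two layers of control: a static check that flags any user whose accumulated roles grant two conflicting duties (the kind of "conflicting abilities of individual profiles" report mentioned earlier in the thread), and a transactional maker/checker rule that refuses to let the person who entered an invoice also approve it.

```python
"""Segregation-of-duties (SoD) checks over a constructed role model.

Layer 1 (static):  does any user's combined role set grant two duties that
                   the SoD matrix declares incompatible?
Layer 2 (dynamic): the person approving an accounts-payable invoice must not
                   be the person who entered it (maker/checker).

All role names, duty names, users and invoices below are constructed for
this example and do not correspond to any real SAP objects.
"""
from itertools import combinations

# Pairs of duties that must never be held by the same person.
# frozenset makes the pair order-independent.
SOD_CONFLICTS = {
    frozenset({"define_supplier", "pay_invoice"}),
    frozenset({"enter_ap_invoice", "approve_ap_invoice"}),
    frozenset({"handle_cash", "record_cash"}),
    frozenset({"develop_code", "deploy_to_production"}),
    frozenset({"administer_database", "review_database_logs"}),
}

# Which duties each (constructed) role grants.
ROLE_DUTIES = {
    "AP_CLERK": {"enter_ap_invoice"},
    "AP_MANAGER": {"approve_ap_invoice", "pay_invoice"},
    "VENDOR_MASTER": {"define_supplier"},
    "CASHIER": {"handle_cash"},
    "BOOKKEEPER": {"record_cash"},
    "DEVELOPER": {"develop_code"},
    "RELEASE_MANAGER": {"deploy_to_production"},
    "DBA": {"administer_database"},
    "SECURITY_AUDITOR": {"review_database_logs"},
}


def duties_for(roles):
    """Union of all duties granted by a user's roles (unknown roles grant nothing)."""
    duties = set()
    for role in roles:
        duties |= ROLE_DUTIES.get(role, set())
    return duties


def find_sod_conflicts(assignments):
    """Return sorted (user, duty_a, duty_b) triples for every SoD violation.

    `assignments` maps a user id to an iterable of role names. Duties are
    compared pairwise, so a conflict is found no matter which roles granted
    the two duties (role creep across several roles is the usual cause).
    """
    violations = []
    for user, roles in assignments.items():
        held = duties_for(roles)
        for a, b in combinations(sorted(held), 2):
            if frozenset({a, b}) in SOD_CONFLICTS:
                violations.append((user, a, b))
    return sorted(violations)


def approve_invoice(invoice, approver):
    """Maker/checker rule: the approver must differ from whoever entered the invoice.

    Returns a copy of the invoice marked approved, or raises PermissionError.
    """
    if invoice["entered_by"] == approver:
        raise PermissionError(
            f"{approver} entered invoice {invoice['id']} and cannot approve it"
        )
    return {**invoice, "status": "approved", "approved_by": approver}


# Constructed sample assignments: clean users plus two whose accumulated
# roles create conflicts.
SAMPLE_ASSIGNMENTS = {
    "alice": ["AP_CLERK"],
    "bob": ["AP_MANAGER"],
    "carol": ["VENDOR_MASTER", "AP_MANAGER"],   # can create and pay a supplier
    "dave": ["DEVELOPER", "RELEASE_MANAGER"],   # can write and ship own code
    "erin": ["DBA"],
    "frank": ["SECURITY_AUDITOR"],
}

if __name__ == "__main__":
    for user, a, b in find_sod_conflicts(SAMPLE_ASSIGNMENTS):
        print(f"SoD conflict: {user} holds both '{a}' and '{b}'")
    inv = {"id": "INV-1001", "entered_by": "alice", "status": "entered"}
    print(approve_invoice(inv, "bob")["status"])
    try:
        approve_invoice(inv, "alice")
    except PermissionError as exc:
        print("blocked:", exc)
```

Running the static check over the sample data flags carol (define_supplier with pay_invoice) and dave (develop_code with deploy_to_production), while bob is clean because approving and paying invoices are not declared incompatible in this matrix. The two layers complement each other: the role-level report catches conflicts before any transaction happens, and the maker/checker rule still blocks the same person from entering and approving an invoice even if a role assignment slipped through review.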
Wen Ting Lu says
Just want to add to what you mentioned: separation of duties is a classic security method to manage conflict of interest, the appearance of conflict of interest, and fraud. I agree with you that it’s important to segregate the person who handles the cash from the one who records the cash in the accounting system. This reduces the risk that cash will be hidden from the company and put into his own pocket. It’s very important, especially when handling money; whoever gives or accepts the money should not be the same person that records the transactions.
Tiesha Christian says
What is segregation of duties and why is it a commonly used control? Give an example of two (e.g. IT) roles that should be segregated? Segregation of duties is when you have more than one person complete a task for security reasons. For example, if someone has access to move code to production, that very person cannot complete sign-offs and attestations on appropriate access. It causes a conflict of interest, which is the reason why companies have controls in place to avoid this.
Jaspreet K. Badesha says
Tiesha, this is very true. In my company, when code needs to be moved to production it needs to be approved by QA (after thorough testing) as well as through User Acceptance Testing by the business when applicable. Otherwise the code cannot be moved to production. Also, once the code is moved to production it needs to be thoroughly tested by QA, and then they are required to provide sign-off at that time as well.
Jaspreet K. Badesha says
1. What is segregation of duties and why is it a commonly used control? Give an example of two (e.g. IT) roles that should be segregated?
Segregation of duties is when a job function that could be performed by one person is split into something that is performed by multiple people to avoid giving too much control to one person, thereby preventing fraud and other control issues. For example, several people in the IT department schedule backups for their systems and applications; however, a DBA is the one who maintains the records or reviews the records of the backups on the system. If a backup is deleted or manipulated, they will have a record of who did it. If a developer, or whoever else is responsible for the data and backups, were in charge of auditing the records, they could easily manipulate a backup and then delete the audit record of them touching it, therefore leaving no proof; in this case segregation of duties prevents that from happening.
Jaspreet K. Badesha says
Job function meaning a specific task is broken into multiple roles.
Jaspreet K. Badesha says
2. Security in an ERP system (e.g. SAP) is complex. What is the most fuzzy, difficult to understand component? Explain
ERP systems can be large and complex. The most ‘fuzzy’ portion of that is how to ensure security over the entirety of the system itself when you are most likely not aware of each component of the system and all of the vulnerabilities it may contain.
Seunghyun (Daniel) Min says
Q4. All companies are dynamic entities with employees and others using systems coming and going all the time. What best practices have you experienced or would you recommend for managing system users and their related security access?
In my church, I work as Information Technology Support. Recently, I helped the IT department to implement Box.com, a cloud-based shared folder, in the church. My main duty was to decide the level of access between the key users, such as Pastors, Office employees, Media team, etc. I had to grant the access privilege depending on their roles and tasks. In order to do so, I had to talk to a number of people in the church to get the right information.
Yu Ming Keung says
4. All companies are dynamic entities with employees and others using systems coming and going all the time. What best practices have you experienced or would you recommend for managing system users and their related security access?
I would recommend that every dynamic entity ensure data integrity by having clear and easy-to-follow policies, especially password policies and remote access control policies. For passwords, employees need to follow the rules on how to set up a password with a certain length and upper and lowercase letters, how frequently he or she should change the password in a period of time, and how to remember the password. For remote access, I think it is extremely important to be able to grant and remove any rights and responsibilities for everyone who has accessed the system. Access to the database/system should be removed upon the deployment of employees or when vendors have finished their jobs. Otherwise, it would be a big threat to data integrity because someone not privileged could access your system, steal the client information or modify data.
Wen Ting Lu says
3. What key (1-2) competencies does the person responsible in a company for security (e.g. for a given process) need to have to be successful? Why?
I think one of the most important competencies the person responsible in a company for security needs to have to be successful is integrity and honesty. It’s significant that this person is honest and makes sure that the given process is following the policy. Also, it’s important that this person doesn’t get involved with fraudulent activities such as accepting cash or other benefits for not reporting suspicious or abnormal activities. In addition, for someone to be successful at being responsible for a company’s security, they need to be a very careful observer. This person must obtain some basic knowledge of how each department functions. It will be very helpful if this person is able to quickly identify any security issues that might occur.