- What is segregation of duties and why is it a commonly used control? Give an example of two (e.g. IT) roles that should be segregated?
- Security in an ERP system (e.g. SAP) is complex. What is the most fuzzy, difficult to understand component? Explain
- What key (1-2) competencies does the person responsible in a company for security (e.g. for a given process) need to have to be successful? Why?
- All companies are dynamic entities with employees and others using systems coming and going all the time. What best practices have you experienced or would you recommend for managing system users and their related security access?
Khawlah Abdulaziz Alswailem says
1. What is segregation of duties and why is it a commonly used control? Give an example of two (e.g. IT) roles that should be segregated?
According to ISACA, segregation of duties is the implementation of a division of roles and responsibilities that reduces the possibility for a single individual to compromise a critical process. It makes sure that personnel perform only authorized duties relevant to their respective jobs and positions. It is a strong internal control used to mitigate risk by deterring and preventing one person from having access to all the steps needed to commit fraud.
I think the main two examples of IT roles that should be segregated are:
1. Application development vs. application maintenance
Initial application development should be segregated from maintenance of that application. Lack of SoD may present some risk that the application will not be properly documented, since the same group does everything for all of the applications in that segment; it also provides more opportunity for someone to inject malicious code without being detected, because the one writing the initial code and inserting the malicious code is also the one reviewing and updating that code.
2. Information Security vs. Rest of IT Function
The person responsible for information security should be segregated from the rest of the IT function. The reason is that this person handles most of the settings, configuration, management and monitoring for security. Therefore, this person has sufficient knowledge to do significant harm.
Source: ISACA
http://www.isaca.org/Journal/archives/2012/Volume-6/Pages/What-Every-IT-Auditor-Should-Know-About-Proper-Segregation-of-Incompatible-IT-Activities.aspx
Andres Galarza says
Good point on bullet number two. I find that the issue you run into a lot is that some organizations don’t have the will or budget to properly segregate their information services, which can get them into trouble.
Khawlah Abdulaziz Alswailem says
3. Security in an ERP system (e.g. SAP) is complex. What is the most fuzzy, difficult to understand component? Explain
An ERP system like SAP supports a wide variety of business processes. It has massive amounts of data stored in a very large database. This stored data is spread across thousands of database tables. SAP has also given its customers the freedom to customize the software according to their business needs. All of this makes ERP complex, which makes it difficult for security personnel to protect the CIA of information in the software.
For me, the fuzziest area within the security aspect of an ERP system is access and authorization controls. The reason is that the biggest ERP security risk is the insider threat: people who have access to the system who are using it in the wrong way or with the wrong authorizations. Also, since there are so many different t-codes in an ERP system, and so many different steps in a process, the many different accesses and authorizations necessary to conduct a job role can easily become confusing, especially with a large and complex business. When assigning and segregating all the different steps, roles, accesses, and authorizations in a process for a company, an individual could accidentally be given enough access and authorization to find a way to commit fraud in a business. You need to find the right balance between how much trust you put in the people in your organization and how many controls you employ based on their needs and requirements.
Andres Galarza says
I agree with your point about balancing the approach you take to address these concerns. I think someone in class brought up the idea of defaulting to “blacklisting” all privileges and slowly adding them based on the “job” or “role” approaches we also discussed in class.
The bottom line is that it takes work, and not an insignificant amount of it!
Jing Jiang says
Good point, Khawlah,
The access and authorization part is complex. As you mentioned, it requires so many balances and considerations to build a relatively secure environment. Segregation of duties in SAP is a key to reducing fraud and errors, and how to segregate the roles properly among different functions and complex procedures is a hard question which needs much practice, experience, testing, and training. For me, the fuzziest part is that there are so many functions in SAP that there is a high possibility of a new user operating it wrongly. Enough education and training would be necessary to address the issue.
M. Sarush Faruqi says
Khawlah,
Great points. Authorization and authentication are definitely one of the fuzziest aspects of SAP to me as well, considering how large the system is. The idea of role-based access makes sense: only give users enough access to complete the tasks required of their roles. However, I do think that users will still have access rights which could be exploited or abused for purposes other than completing work-related tasks. Another fuzzy area to me is how SAP handles errors by users who have certain access rights and abuse them or make a mistake resulting in errors or negative impacts on other business processes. After all, SAP is a system and it will only do what we humans tell it to do. I'm not sure if we can completely get rid of this, but we can put in controls to reduce the risk or impact of it happening.
Jing Jiang says
1. What is segregation of duties and why is it a commonly used control? Give an example of two (e.g. IT) roles that should be segregated?
Segregation of duties is an internal control that divides an activity or a set of activities among several people to avoid one person doing the whole job. Having more than one person complete a task will effectively reduce potential fraud and unintentional errors. For example, application or system design work should be segregated from inspection work. If a person who is responsible for the system development is also responsible for reviewing the system, potential errors during the development will be hard to detect. It also creates an opportunity for a person who wants to build malicious code into the system for fraudulent activities.
Parneet Toor says
Good example, Jing. Adding to your example: system design work is done by the developer in the SDLC, and oversight or inspection of his/her code is done by the lead. Moreover, once code is approved it is pushed to the QA environment for validation/testing. This is another type of control to check the work of the developer.
Jing Jiang says
3. What key (1-2) competencies does the person responsible in a company for security (e.g. for a given process) need to have to be successful? Why?
The person who is responsible for the security of a company should firstly be detail oriented. If the person doesn't pay attention to details, it will be hard to find weaknesses in the processes and provide proper mitigations in time to control risks.
Communication skills are also an important competency for people who are responsible for the company's security. Once the person identifies an existing problem or predicts a potential risk, he needs to present it to higher executives or related employees in a persuasive way, so that he can raise awareness of the risks and solve the problem in time to secure the company.
Parneet Toor says
Jing, I agree that a security person should have good communication skills; they help in communicating the security controls throughout the organization and in explaining the importance of having controls in processes and systems. I think he/she must be observant and detail oriented, as well as eager to learn and update skills in terms of the latest technology and vulnerabilities, which helps in identifying risks.
Khawlah Abdulaziz Alswailem says
Jing,
You mentioned two very critical skills that security personnel need to have. Adding to your points, I think flexibility and adaptability to change are also important skills for a security professional.
Technology is constantly evolving, and so is the information security threats. Criminals are always figuring out new ways to deceive companies / people by being creative. The only way to be preventative, is to be pro-active. As criminal activity evolves, security personnel must be willing to change and adapt to the new environment.
Andres Galarza says
Like others have said, your point on communication is key. I have a friend who lamented that what she feels this eventually turns into is, “creating PowerPoint” slide decks rather than the more technical work involved in information security.
Michelangelo C. Collura says
One possible addition to your answer is that a detail-oriented security person should know when to delegate and assign staff with the necessary skills to follow up on identified risks or system access concerns. Since one person cannot do everything, they must be able to identify issues quickly and get people to handle them.
Candace Nelson says
In addition to all of the good traits mentioned above, I think a key competency that someone responsible for security must possess is integrity, which is often defined as doing the right thing even when no one is around. My definition of integrity is walking the talk, or doing as I do (vs. doing as I say). Credibility is another key competency that is fundamental to someone in a position of trust and authority. In my experience, these competencies go hand in hand.
Jing Jiang says
4. All companies are dynamic entities with employees and others using systems coming and going all the time. What best practices have you experienced or would you recommend for managing system users and their related security access?
To manage the dynamic system users and their access, my recommendations are:
1. Identify the users’ purpose for using the system.
2. Encrypt sensitive information.
3. Strong authentication and password management. (e.g. signing contract, temporary passwords, password length, special characters requirement, changing the password periodically…)
4. Restrict the access period and area. (e.g. stop the access when the person, service or transaction is terminated or changed; only allow access to the areas that the person's work needs...)
5. Proper employee training. (e.g. conduct necessary procedures before using the systems…)
6. Keep access log and review log periodically. (e.g. log the User ID, date and time of log on and log off, changes to system configurations and etc.)
Khawlah Abdulaziz Alswailem says
Jing, regarding the employee training point, I found a recent study which discovered that 66 percent of companies identified their own staff as the weakest link when it comes to IT security. Furthermore, 55 percent had already experienced a security incident caused by either a malicious or negligent employee.
Inattentive staff, or employees not familiar with basic IT security best practices, can create countless opportunities for hackers to compromise the company's security. So, comprehensive security awareness training is really an effective way to reduce the chance of errors and mistakes.
http://www.workplaceanswers.com/resources/blog/why-is-security-awareness-training-important/
Parneet Toor says
What is segregation of duties and why is it a commonly used control? Give an example of two (e.g. IT) roles that should be segregated?
SOD is the concept of having more than one person required to complete a task. In business, the separation of one single task among more than one individual is an internal control. It is commonly intended to prevent fraud and error. The increased protection from fraud and errors that SOD provides must be balanced with the increased cost or effort required.
In essence, SOD implements an appropriate level of checks and balances upon the activities of individuals.
Example: In the IT software development lifecycle, programmers cannot release their own code into production. The reason behind this is that the programmer is the one who codes/develops the application and knows the inner code and algorithms; if they push the code into production without the involvement of a release manager, that is bypassing SOD. There is a chance they could alter the code.
Khawlah Abdulaziz Alswailem says
I agree with you, Parneet.
The individual who develops the code should not be able to move it to production. Without someone else involved in this process, it would be easy for the developer to slip in malicious code or have unintentional mistakes pass through without a check. There will be a high risk of errors/fraud if the programmers are also the ones responsible for maintaining the application. By implementing SoD, programmers would be responsible for developing the app and the maintenance team would be responsible for maintaining it and detecting errors that the app may contain.
Binju Gaire says
Great points, Parneet. Segregation of duties (SOD) refers to a control where more than one employee is involved in completing one task. It is an effective control that prevents fraud in an organization. I was not aware of SOD in the IT software development lifecycle. Programmers not releasing their own code into production makes sense and connects to the integrity principle of the IT system.
M. Sarush Faruqi says
Parneet,
Great points. From a software development life cycle perspective, SOD is indeed very important. Your example about programmers being able to push code into production makes a lot of sense. In addition to what you have stated, I would like to add that SOD is important so programmers don't make code changes in production which could break other parts of an application. This could hurt the company, as the production environment could go down and essentially bring clients or end users down as well. The release manager should understand what is going into production and make sure nobody has the right to alter code in production. Production access should be given to a few people, and only they should make changes when necessary.
Michelangelo C. Collura says
Good example. For the programmer to release like that, it could mean the firm is issuing deliverables not totally tied to the scope, since that programmer may not quite understand client concerns. This could be a security risk, or it could be a blow to reputation, as the firm is seen lacking control of their development life cycle and not adequately addressing client needs. This just goes to show how SoD can have an impact in ways beyond simple data security.
Mengting Li says
What is segregation of duties and why is it a commonly used control? Give an example of two (e.g. IT) roles that should be segregated?
Segregation of Duties (SOD) is a basic building block of sustainable risk management and internal controls for a business. The principle of SOD is based on shared responsibilities of a key process that disperses the critical functions of that process to more than one person or department. Without this separation in key processes, fraud and error risks are far less manageable.
One of the key concepts in placing internal controls over a company’s assets is segregation of duties. Segregation of duties serves two key purposes:
1. It ensures that there are oversight and review to catch errors
2. It helps to prevent fraud or theft because it requires two people to collude in order to hide a transaction
Segregation of duties involves separating three main functions and having them conducted by different employees:
1. Having custody of assets
2. Being able to authorize the use of assets
3. Recordkeeping of assets
This segregation of duties is often difficult to achieve in small businesses but should be implemented as much as possible. In some cases, it may result in an employee from another department being responsible for one of the functions.
Mengting Li says
Security in an ERP system (e.g. SAP) is complex. What is the most fuzzy, difficult to understand component? Explain
Insufficient reporting capability can lead to external reporting and a loss of data control
One of the main reasons driving new ERP purchases is the lack of functionality that allows users to access and analyze data using the tools available in their systems, so users turn to more "user friendly" tools such as Excel and Access to build their own systems around the ERP, which often retain critical information that is only available there. As these spread within the organization over time, management loses track of the scope and location of the "user systems", which are not part of the regular system backup, so if the employee leaves or is dissatisfied, the data may be permanently lost.
Michelangelo C. Collura says
Nicely said. Though many firms use some ERP system, it tends to be only the big guys, and I have indeed seen smaller firms stick to Office or some freeware for ERP tasks. This is almost entirely a cost concern, but it also relates to the "user friendly" aspect you mentioned. SAP and other ERP systems require training and expertise, and that requires a lot of time and lost productivity for small firms, things they may not have or be willing to sacrifice.
Parneet Toor says
All companies are dynamic entities with employees and others using systems coming and going all the time. What best practices have you experienced or would you recommend for managing system users and their related security access?
A user password policy is a good practice, although it can be unmanageable. I think this is the best way for a user to secure their information. In fact, a good password combination policy is one of the basic security measures to prevent unauthorized access. A good password combination would take in different aspects:
Password lockout policy: when a user enters the wrong password 3 times, the account gets locked.
Minimum length: it would enforce users to have 8 characters with a combination of numbers, alphanumeric, lower case, and upper case letters.
No First name or last name used as password.
Password expiration policy: Passwords must be renewed after every 3 months/periodically.
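The four rules Parneet lists are easy to state and easy to get subtly wrong in code (counting failures only on some paths, comparing passwords with `==`, storing them in clear). Below is an added example written for this page, not Parneet's code or any product's implementation, that encodes exactly that policy: lockout after 3 failed attempts, minimum 8 characters with digits and both cases, no first or last name inside the password, and expiry after 90 days ("every 3 months"). The names, passwords and dates are constructed, and the PBKDF2 parameters are an assumption chosen for the example.

```python
"""Added example, not Parneet's code: the password policy from the comment
above (lockout after 3 failures, minimum 8 characters with digits and mixed
case, no first/last name in the password, expiry every 90 days) as checks
that run at password change and at login. Names, passwords and dates are
constructed; the PBKDF2 parameters are an assumption for the example."""
import hashlib
import hmac
import os
import re
from datetime import date

MIN_LENGTH = 8
MAX_FAILED_ATTEMPTS = 3
MAX_AGE_DAYS = 90          # "every 3 months"
PBKDF2_ROUNDS = 100_000    # assumption; tune for the target hardware


def check_password(password, first_name, last_name):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lower case letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    lowered = password.lower()
    for name in (first_name, last_name):
        # Very short names (e.g. "Li") would match almost anything, so require 3+ chars.
        if name and len(name) >= 3 and name.lower() in lowered:
            problems.append(f"contains the user's name '{name}'")
    return problems


def password_expired(last_changed, today):
    return (today - last_changed).days > MAX_AGE_DAYS


class Account:
    """Stores a salted PBKDF2 hash (never the password), counts failed logins,
    locks after MAX_FAILED_ATTEMPTS and reports an expired password."""

    def __init__(self, username, password, first_name, last_name, last_changed):
        problems = check_password(password, first_name, last_name)
        if problems:
            raise ValueError(f"{username}: " + "; ".join(problems))
        self.username = username
        self.salt = os.urandom(16)
        self.digest = self._hash(password)
        self.last_changed = last_changed
        self.failed_attempts = 0
        self.locked = False

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, PBKDF2_ROUNDS)

    def login(self, attempt, today):
        """Return one of 'locked', 'bad_password', 'expired', 'ok'."""
        if self.locked:
            return "locked"
        if not hmac.compare_digest(self._hash(attempt), self.digest):
            self.failed_attempts += 1
            if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
                self.locked = True          # stays locked until an admin resets it
                return "locked"
            return "bad_password"
        self.failed_attempts = 0            # a good login resets the counter
        if password_expired(self.last_changed, today):
            return "expired"                # correct password, but must be changed
        return "ok"


if __name__ == "__main__":
    acct = Account("ann", "Winter2024", "Ann", "Smith", date(2024, 1, 1))
    for attempt in ("wrong", "wrong", "wrong", "Winter2024"):
        print(attempt, "->", acct.login(attempt, date(2024, 2, 1)))
    print("name in password:", check_password("annsmith1", "Ann", "Smith"))
```

Note that the lockout counter is only reset by a successful login and that the password comparison uses `hmac.compare_digest` over the hash, so an attacker cannot learn anything from response timing; and that "expired" is returned only after the password has been verified, so an expired password still does not leak whether the attempt was right.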
Andres Galarza says
Parneet, I agree with your points. One wrinkle I’ve seen in password policies is when an organization uses single sign-on for all, or many, of their business applications. Once that is in place, you have to cater to the lowest denominator, meaning that if a single sign-on system doesn’t support special characters (ludicrous, I know, but I’ve seen it happen) then password policies have to be weakened a bit.
M. Sarush Faruqi says
Parneet,
Great post. You bring up some salient points about utilizing proper passwords in order to reduce the risk of unauthorized access. I agree that a strong password policy needs to be in place in order to develop a standard of how to manage user passwords. In my experience, I've seen some strong policies and weak policies. Passwords should definitely be hard to guess and should be changed at a certain period of time. I wanted to add that the policy should also restrict users from writing their passwords down for others to see. I've seen this in the workplace before, especially from people who have complex passwords. A user should set a password that is hard to guess but also one that they can remember. Sharing of passwords should also be restricted. This might be hard to monitor at times even with event logs, but there should be a tone within the organization that puts security at the top.
Matthew J. Dampf says
“User password is a good practice, although it can be unmanageable. ”
Managing passwords over the years has certainly gotten better, as I recently spoke to some vendors about this issue at Microsoft’s Ignite conference last month. There are systems in place that can identify privileged accounts and how often they’re used, automatically change passwords on these accounts, and alert the proper people when these accounts are used. One such system can be seen here: https://liebsoft.com/red-identity-management/. I don’t work for them or even use their products, but it is something I was looking at while at the conference and thought it was relevant to pass along in light of your comment.
Mengting Li says
What key (1-2) competencies does the person responsible in a company for security (e.g. for a given process) need to have to be successful? Why?
I think the two key competencies a person responsible for security needs are integrity and curiosity. Integrity is about being honest. It's important that this person won't get involved in fraudulent and illegal activities, for example, not fixing system vulnerabilities on purpose. Also, they should follow all policies and procedures.
Curiosity is about being good at discovering vulnerabilities and risks that might occur in the system. Even a small vulnerability may put the system in a dangerous state.
Andres Galarza says
I like that you brought up integrity. I wonder what you think about how many companies (even outside of the defense sector) seem to equate integrity with “has a security clearance”.
Binju Gaire says
These are great competencies, Mengting. It is true that the security professional must be honest and not indulge himself/herself in any kind of fraudulent activities. Also, he/she should be always aware about the vulnerabilities and risks and work towards mitigating them.
M. Sarush Faruqi says
Mengting,
Great points. I like your point about curiosity. Security professionals must be curious when it comes to finding vulnerabilities. Their job must be to break the system from a security standpoint. They must think like hackers because in most instances, hackers are curious about finding and exploiting vulnerabilities. From an integrity standpoint, it is very important that the individual is honest because they have the most exposure to the security environment. They know what controls are weak and strong. If they are not honest, fraud will be committed, the system will not become any more secure, and the company will be at risk for additional vulnerabilities.
Mengting Li says
All companies are dynamic entities with employees and others using systems coming and going all the time. What best practices have you experienced or would you recommend for managing system users and their related security access?
I would say access control and terminating former employees' access are very important for every company. Classifying user groups means people have different authorities to access different data. It can make sure employees or vendors won't get information and data they don't need to view. In addition, it is very significant to make sure the organization terminates the right of an employee to view system information and data when they leave.
Parneet Toor says
I agree with you, Mengting, that termination of a former employee's access is very important, and also when an employee is moved from one project to another or one department to another. In my recent company, my job role was to support production for our project. Later they moved me to a different project within the company but didn't terminate my access to production.
Khawlah Abdulaziz Alswailem says
Great point, Mengting, It is very important to utilize the principle of least privilege. This ensures that users have access to only the systems they need to complete their job functions, and nothing more. In an IT environment, adhering to the principle of least privilege reduces the risk of attackers gaining access to critical systems or sensitive data by compromising a low-level user account, device, or application.
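Mengting's leaver point, Parneet's story of keeping production access after moving projects, and Jing's earlier list item about keeping and reviewing access logs (user ID, logon/logoff times, configuration changes) are all the same control seen from different sides: periodically reconcile who the organization says should have access with what the systems actually grant, and read the log with that answer in hand. The following is an added example written for this page, not code from any of the commenters; the HR roster, account list, role model and log lines are all constructed for the illustration, and the log line format is an assumption.

```python
"""Added example, not from any comment above: a joiner/mover/leaver review of
system accounts against the HR roster, plus a pass over an access log of the
kind Jing lists (user ID, logon/logoff times, configuration changes). The
roster, accounts, role model and log lines are all constructed for this
illustration; the log line format is an assumption."""
import re
from datetime import datetime

HR = {  # constructed HR roster
    "alice": {"status": "active", "dept": "finance"},
    "bob":   {"status": "active", "dept": "support"},        # moved from engineering
    "carol": {"status": "terminated", "dept": "engineering"},
}
ACCOUNTS = {  # constructed system accounts and their roles
    "alice":      {"enabled": True, "roles": {"AP_CLERK"}},
    "bob":        {"enabled": True, "roles": {"SUPPORT", "PROD_DEPLOY"}},  # stale role
    "carol":      {"enabled": True, "roles": {"DEVELOPER"}},              # never disabled
    "svc_backup": {"enabled": True, "roles": {"SYS_ADMIN"}},              # no HR owner
}
DEPT_ROLES = {  # which roles each department's work actually needs
    "finance": {"AP_CLERK", "AP_MANAGER"},
    "support": {"SUPPORT"},
    "engineering": {"DEVELOPER", "PROD_DEPLOY"},
}
ADMIN_ROLES = {"SYS_ADMIN"}
SAMPLE_LOG = """\
2024-03-04T08:55:10 user=alice event=LOGON
2024-03-04T09:02:41 user=carol event=LOGON
2024-03-04T09:05:00 user=carol event=CONFIG_CHANGE detail=password_policy.min_length=4
2024-03-04T17:30:22 user=alice event=LOGOFF
2024-03-04T23:41:09 user=bob event=LOGON
2024-03-05T02:10:00 user=bob event=LOGOFF
"""
LINE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+)(?: detail=(?P<detail>.*))?$")


def parse_log(text):
    """Parse 'timestamp user=.. event=.. [detail=..]' lines; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            events.append(rec)
    return events


def review_access(hr, accounts, dept_roles):
    """Leavers still enabled, accounts with no HR owner, and movers keeping roles
    their current department does not need. Returns (kind, user, note) tuples."""
    findings = []
    for user, acct in accounts.items():
        person = hr.get(user)
        if person is None:
            if acct["enabled"]:
                findings.append(("orphan", user, "enabled account with no HR record"))
            continue
        if person["status"] == "terminated" and acct["enabled"]:
            findings.append(("leaver", user, "terminated but account still enabled"))
        excess = acct["roles"] - dept_roles.get(person["dept"], set())
        if excess:
            findings.append(("mover", user, f"roles not needed by {person['dept']}: {sorted(excess)}"))
    return findings


def review_log(events, hr, accounts, admin_roles, work_hours=(7, 19)):
    """Activity by users who should have no access, after-hours logons,
    configuration changes by non-admins, and sessions with no logoff."""
    findings = []
    open_sessions = set()
    for e in events:
        user, person = e["user"], hr.get(e["user"])
        roles = accounts.get(user, {}).get("roles", set())
        if person is None or person["status"] == "terminated" or not accounts.get(user, {}).get("enabled"):
            findings.append(("activity_by_invalid_user", user, e["event"]))
        if e["event"] == "LOGON":
            if not work_hours[0] <= e["ts"].hour < work_hours[1]:
                findings.append(("after_hours_logon", user, e["ts"].isoformat()))
            open_sessions.add(user)
        elif e["event"] == "LOGOFF":
            open_sessions.discard(user)
        elif e["event"] == "CONFIG_CHANGE" and not roles & admin_roles:
            findings.append(("config_change_by_non_admin", user, e["detail"]))
    for user in sorted(open_sessions):
        findings.append(("no_logoff", user, "session still open at end of log"))
    return findings


if __name__ == "__main__":
    for f in review_access(HR, ACCOUNTS, DEPT_ROLES) + review_log(parse_log(SAMPLE_LOG), HR, ACCOUNTS, ADMIN_ROLES):
        print(f)
```

The two reviews deliberately feed each other: the access review says carol's account should have been disabled, and the log review then shows that the unrevoked account was actually used, including for a configuration change that weakens the password policy. The service account with no HR owner is the case that a roster-only review misses entirely, which is why orphan detection is a separate check rather than a special case of "terminated".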
Xiaomin Dong says
1. What is segregation of duties and why is it a commonly used control? Give an example of two (e.g. IT) roles that should be segregated?
Segregation of Duties (SOD) is a basic building block of sustainable risk management and internal controls for a business. The principle of SOD is based on shared responsibilities of a key process that disperses the critical functions of that process to more than one person or department. Without this separation in key processes, fraud and error risks are far less manageable.
An example of two roles that should be segregated: in the accounting department of an organization, to prevent fraud in financial statements, usually more than one staff member is engaged in the accounting process. Within an accounting process, someone takes the role of gathering the initial invoices, someone inputs the data into the accounting information system, and another takes responsibility for going over the journal entries to ensure the data is correct.
Xiaomin Dong says
2. Security in an ERP system (e.g. SAP) is complex. What is the most fuzzy, difficult to understand component? Explain
First of all, the size of the ERP system is huge; it covers almost every function in the business processes of an organization, which means entry-level staff and new users need to spend a lot of time learning how to operate the ERP system, and this usually requires employee training. The most fuzzy and difficult to understand component is the ERP system itself. A big difficulty with the ERP space is that it's just too big. A lonely startup might be able to build a better product, but the hard part is getting a company to stake its future on it. Companies shopping for ERPs value the stability of the company as much as the quality of the product. The last thing a company wants is to install an ERP from a company that may go out of business in 5-10 years.
Michelangelo C. Collura says
Very good points. Small firms simply can’t afford buying an ERP system and losing money during the training and integration period. It’s also a question of how urgent a firm feels about it. In a large firm measuring a minute’s productivity in millions of dollars, an ERP system is an obvious business need. In a firm not making millions in an entire month, the question is more difficult to answer, and the learning curve just makes it even worse.
Qiyu Chen says
I agree with you, Xiaomin. The ERP system stores an organization's sensitive information, so information security has become a major concern for companies implementing an ERP system. Some ways to secure an ERP system include limiting data access, keeping user activity logs, maintaining firewalls and encryption. In addition, by implementing two-factor authentication, such as by tying a second factor to your personal phone, users can secure their accounts with another layer of security, protecting against potential social engineering or phishing attacks.
Matthew J. Dampf says
“The most fuzzy and difficult to understand component is the ERP system itself. ”
This is perfectly put. The ERP is so all encompassing that you truly have to understand the entire business to secure it correctly. It’s less IT focused than I would have thought and more business process focused than I would have thought. As a traditional IT guy securing an ERP seems so difficult to me because I just don’t know enough about how every other department should be operating.
Xiaomin Dong says
3. What key (1-2) competencies does the person responsible in a company for security (e.g. for a given process) need to have to be successful? Why?
As far as I am concerned, the key competencies the person responsible for security in a company needs to have to be successful are integrity and communication skills. It's significant that this person is honest and makes sure that the given process follows the policy. Also, it's important that this person doesn't get involved in fraudulent activities such as accepting cash or other benefits for not reporting suspicious or abnormal activities. Communication is also an important skill for a security professional. Security is an organization-wide issue, not just IT, so an individual responsible for security must be able to talk about security problems and solutions with varying degrees of technicality, so everyone in the organization can understand.
Parneet Toor says
I agree with you that security is an organization-wide issue, not just IT, so I think, along with the competency of identifying security problems, he/she must be able to prioritize the security vulnerabilities and solutions. Another competency is being a good decision maker in addressing security issues.
Xiaomin Dong says
4. All companies are dynamic entities with employees and others using systems coming and going all the time. What best practices have you experienced or would you recommend for managing system users and their related security access?
I don't have much experience with managing system users and their related security access. But I do have some recommendations:
The three fundamental principles of security are availability, integrity, and confidentiality and are commonly referred to as CIA triad which also form the main objective of any security program. The level of security required to accomplish these principles differs per company, because each has its own unique combination of business and security goals and requirements. All security controls, mechanisms, and safeguards are implemented to provide one or more of these principles. All risks, threats, and vulnerabilities are measured for their potential capability to compromise one or all the CIA principles.
1) Encrypting data as it is stored and transmitted.
2) Using network padding
3) Implementing strict access control mechanisms and data classification
4) Training personnel on proper procedures.
5) Strict Access Control
6) Intrusion Detection
7) Hashing
8) Maintaining backups to replace the failed system
9) IDS to monitor the network traffic and host system activities
10) Use of certain firewall and router configurations
Binju Gaire says
Well said, Xiaomin. I like how all the recommendations relate to the CIA principles. All these recommendations will prove effective for managing system users and their related security access.
Andres Galarza says
Q1: What is segregation of duties and why is it a commonly used control? Give an example of two (e.g. IT) roles that should be segregated?
Segregation of duties is the idea that more than one person should accomplish a task. It's a commonly used control because it can help address problems like fraud.
The example I’ve always heard (from an IT perspective) is that the database administrator should not have the privileges of modifying or disabling access logs for the database he or she is responsible for. This addresses the concern that a database administrator could do something malicious and then “cover up” his or her tracks by modifying or deleting logs.
Binju Gaire says
I agree with you, Andres. SoD is an important control to prevent fraudulent activities in an organization. Database administrator’s role should be properly segregated in order to adhere with the integrity of the system. The database administrator should not be allowed to modify the data he/she enters. The other employee should be involved to approve or change the data if required.
Candace Nelson says
I am reminded of questions from the past few quizzes that address the best way to prevent database administrators from modifying access logs. If I recall correctly, the correct answer was to send log information to a remote storage location either in lieu of – or in addition to – writing it to the file system or a database. In the former example, the DBAs do not have access to the files that are stored remotely. In the latter case, the local files can be compared against the files that are stored remotely so modifications are able to be detected.
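The remote-copy comparison described in this answer, as an added example that is not part of the original thread: Python code that compares a DBA-reachable log with the copy forwarded to a remote collector, using a hash chain so that a single digest stored remotely detects edits, deletions or reordering, and a line diff to show exactly what changed. The log lines, user names and host layout are constructed for the example.

```python
import difflib
import hashlib
from typing import Dict, List, Optional

# Constructed sample data (not from the thread): a database access log as it
# sits on the DB host, where the DBA can edit it, and the copy that was
# forwarded line by line to a remote, append-only collector the DBA cannot
# write to.
REMOTE_LOG = [
    "2023-01-10T09:00:01 user=dba01 action=LOGIN db=payroll",
    "2023-01-10T09:02:14 user=dba01 action=SELECT table=employees rows=2311",
    "2023-01-10T09:03:40 user=dba01 action=UPDATE table=salaries rows=1",
    "2023-01-10T09:05:02 user=dba01 action=LOGOUT db=payroll",
]

# The local copy after tampering: the UPDATE line was deleted and the row
# count on the SELECT line was edited down.
LOCAL_LOG = [
    "2023-01-10T09:00:01 user=dba01 action=LOGIN db=payroll",
    "2023-01-10T09:02:14 user=dba01 action=SELECT table=employees rows=3",
    "2023-01-10T09:05:02 user=dba01 action=LOGOUT db=payroll",
]

SEED = b"\x00" * 32  # starting value of the hash chain


def _step(digest: bytes, line: str) -> bytes:
    """One link of the chain: the new digest covers the previous digest and the line."""
    return hashlib.sha256(digest + line.encode("utf-8")).digest()


def chain_digest(lines: List[str]) -> str:
    """Hash chain over a whole log. The collector only needs to keep this one
    value: any edit, deletion, insertion or reordering changes it."""
    digest = SEED
    for line in lines:
        digest = _step(digest, line)
    return digest.hex()


def first_divergence(local: List[str], remote: List[str]) -> Optional[int]:
    """Index of the first line at which the two chains stop agreeing, or None
    when the local copy matches the remote copy exactly. A truncated local
    log diverges at its own length."""
    d_local = d_remote = SEED
    for i, (l_line, r_line) in enumerate(zip(local, remote)):
        d_local = _step(d_local, l_line)
        d_remote = _step(d_remote, r_line)
        if d_local != d_remote:
            return i
    if len(local) != len(remote):
        return min(len(local), len(remote))
    return None


def diff_logs(local: List[str], remote: List[str]) -> Dict[str, List[str]]:
    """Line-level comparison for the incident record: which lines the remote
    collector received that are gone from the local copy, and which lines the
    local copy contains that the collector never saw."""
    report: Dict[str, List[str]] = {"missing_locally": [], "unexpected_locally": []}
    matcher = difflib.SequenceMatcher(a=remote, b=local, autojunk=False)
    for op, r1, r2, l1, l2 in matcher.get_opcodes():
        if op in ("delete", "replace"):
            report["missing_locally"].extend(remote[r1:r2])
        if op in ("insert", "replace"):
            report["unexpected_locally"].extend(local[l1:l2])
    return report


if __name__ == "__main__":
    print("remote chain:", chain_digest(REMOTE_LOG))
    print("local chain: ", chain_digest(LOCAL_LOG))
    print("first divergence at line index:", first_divergence(LOCAL_LOG, REMOTE_LOG))
    for kind, lines in diff_logs(LOCAL_LOG, REMOTE_LOG).items():
        for line in lines:
            print(f"{kind}: {line}")
```

The chain is only as trustworthy as the collector, which is the point of the design in the answer: because the DBA has no write access there, the remote digest is the reference and the local copy is what gets questioned.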
Andres Galarza says
Q2: Security in an ERP system (e.g. SAP) is complex. What is the most fuzzy, difficult to understand component? Explain
Perhaps it’s not the most difficult component to understand, but I really gravitate towards the example we saw in our guest lecture: Threat Mapping. The reason why I think it can get fuzzy is that you absolutely need to include subject matter experts from the security side, the technical side and (maybe most critically) the lines of business. Threat Maps must be generated collaboratively.
Andres Galarza says
Left out a chunk of my response!
“The above is important because a Threat Map identifies the areas of focus for the organization. Again, using the guest lecture as an example: if a likely threat is insiders committing financial theft or fraud, then perhaps you worry less about boundary defense and more on the “layers” of security that can more closely monitor actors in areas like warehouses, etc.”
Andres Galarza says
Q3: What key (1-2) competencies does the person responsible in a company for security (e.g. for a given process) need to have to be successful? Why?
I like this question because I get to trot out a piece of advice that’s stuck with me. I asked a mentor what he thought made for a good professional background for an information security person. He said that there were really three domains needed for “mastery” of current information security.
The first was having a networking background. We’ve spent a fair amount of time talking about this in class already. You have to know how a network functions in order to secure it.
The second domain was development. Having the ability to look at code and understand what’s going on, how development cycles work, etc. is important.
Lastly was the category of “business/governance”. This is the area where I spend the most time, since it stresses ensuring that the work from the other two domains is aligned to the requirements of the business. This can be done through policies, standards, audits, etc.
Yijiang Li says
Good conclusion, Andres. I agree with your first point that a networking background is a key competency a security employee should have. I would say an IT background is a key competency a security staff member should have. Initially, a security staff member has to know the overall networking infrastructure within an organization, because network security is always important for the company. Second, knowledge of encryption is essential for a security staff member, because the company has to keep its information and data safe.
Andres Galarza says
Q4: All companies are dynamic entities with employees and others using systems coming and going all the time. What best practices have you experienced or would you recommend for managing system users and their related security access?
My wife and I had dinner with another couple who work in audit and IT a few days ago. Our friends are from India and their descriptions of their workplaces (catering to mainly North American companies in the financial services industry) were fascinating. They said they weren’t allowed to bring their personal cell phones into their work areas because of security protocols that were mandated by their clients in the U.S. This resonated with me because I’ve worked in highly secure environments where I had to do the same thing (leave my phone in a lockbox outside of certain rooms/areas). I get the sense that many people here in the U.S. would pitch a fit if they were required to do the same thing, though.
Yijiang Li says
Hi, Andres. Based on my understanding, you are talking about a physical control. It is a simple and effective method to mitigate some specific risks. Other examples of physical control are video surveillance systems, gates and barricades, the use of guards or other personnel to govern access to an office, and remote backup facilities. Although physical control can mitigate a specific risk, it still needs to work with other control measures to achieve a maximized effect.
Binju Gaire says
What key (1-2) competencies does the person responsible in a company for security (e.g. for a given process) need to have to be successful? Why?
The key competencies the person responsible in a company for security (e.g. for a given process) needs to have to be successful are as follows:
Management: It is important that an IT security professional have management skills to coordinate multiple projects related to IT. Effective coordination is required for the smooth operation of an organization.
Communication: It is a given that an IT security person has technical skills, but to be successful it is important that the person communicates with other employees in an effective manner. Technical matters should be communicated in a comprehensible manner.
Yijiang Li says
I agree with you, Binju. Communication is always important when a person deals with a job that needs different departments to work together. Security issues usually require all employees to pay attention, and security staff should coordinate the benefits of different departments to achieve a maximized effect for the whole organization.
M. Sarush Faruqi says
4. All companies are dynamic entities with employees and others using systems coming and going all the time. What best practices have you experienced or would you recommend for managing system users and their related security access?
From my experience, there are a few simple but effective practices I would recommend when it comes to users and their security access.
1. Access Based on the ‘Concept of Least Privilege’: Provide access to certain applications or modules based only on what is required to complete tasks related to the role
2. Computer lock before leaving the work station: Lock the computer before leaving the work station, especially if an application module is on screen
3. Password Strength: Passwords should not be easily guessed and should contain a variety of upper case, lower case, number, and special characters
4. Writing passwords: Do not write passwords down and leave them at the work station for others to see
5. Implement 2 Factor Authentication: Users should only be able to log in once they have completed a two factor authentication process
6. Masking PII: Personally Identifiable Information such as Social Security Numbers should be masked at the application level
7. Password Sharing: Users should not share user id/password combinations with anyone
8. Change password frequently: Passwords should be changed after a certain period of time. This is usually established according to policy
Yijiang Li says
Thank you for your detailed answer, Sarush. I agree with you that access granted should be based on the “Least Privilege” principle. When a data owner or system administrator needs to provide access to someone, they have to confirm the following two things: 1) What kind of authority do they require? 2) How long do they need this access? A data owner or system administrator should provide only the access that exactly matches the person’s requirement, for the shortest time period needed.
Kevin Berg says
1.What is segregation of duties and why is it a commonly used control? Give an example of two (e.g. IT) roles that should be segregated?
Segregation of duties is a control process used in businesses to limit error and fraud. One example of segregation is in accounts payable. Purchasing makes a PO, receiving enters the amount received and A/P processes the invoice. This way there is a three way check for what was purchased, how many were received and how much needs to be paid.
A second control is quotes, orders and credit. A salesman generates a quote, a customer order entry person enters an order and A/R processes the cash receipt. If credit limits are hit then orders can be held.
Kevin Berg says
2.Security in an ERP system (e.g. SAP) is complex. What is the most fuzzy, difficult to understand component? Explain
Table level data security is the most complex to me. All of the access keys and controls that one must know and understand are overwhelmingly complex. That is the nature of table level data storing structures. When you have 20000+ tables where some tables have certain information that people need and others don’t is where the complexity becomes really complex. Creating views to see certain columns in a table is one thing, but when you need modify access you need to be very careful.
Michelangelo C. Collura says
What is segregation of duties and why is it a commonly used control? Give an example of two (e.g. IT) roles that should be segregated?
In short, SoD ensures that no one person can complete a given task. It is common because it is a simple concept to apply to controls, reducing the risk of fraud or error by ensuring that at least two pairs of eyes are on a given process/task. In IT, it’s often used for security and compliance requirements, especially since the adoption of Sarbanes-Oxley. A few examples would be using another person, or even an external auditor, to assess controls designed within the firm. Another would be the very straightforward hiring of a CISO to handle security concerns on behalf of the Board, without their being able to affect the policies and controls.
Kevin Berg says
3.What key (1-2) competencies does the person responsible in a company for security (e.g. for a given process) need to have to be successful? Why?
As I set security for people at my work, the main competency I need is to understand the table structures and what information is in them. The second competency is knowing the role of the person who requires permission. For instance, if a shipping guy wants access to customer cards then bells should go off. However if a shipper wants access to ship-to addresses then maybe they have a legitimate need to access them.
Michelangelo C. Collura says
2.
I would say that roles vs. profiles can be confusing at times. A role in SAP is one element of authorization, and it allows assignment of transactions to specific users. Profiles are automatically created for roles, and they in turn act as an element of authorization, with authorization objects and values. These profiles can then be assigned to users in order to let people complete assigned tasks in SAP. Since SAP doesn’t allow direct assignment of profiles, it means that the roles themselves must be clearly defined; one cannot create one and fit it into a role later. This feels a bit constricted to me, and I don’t entirely understand why SAP can’t allow users to create profiles for specific roles, rather than being automated as it is.
Michelangelo C. Collura says
What key (1-2) competencies does the person responsible in a company for security (e.g. for a given process) need to have to be successful? Why?
Attention to detail and an ability to communicate well (in this case, explaining IS to non-technical personnel) so that they understand the importance of it. In terms of a given process, security personnel must understand how to identify the required tasks of a given user and lay them out in a risk assessment matrix of some kind, determining the risk associated with each task being compromised. This would sync up with existing business needs defined by executive leadership. In the end, we want to know what a user should be allowed to do without compromising other aspects of the business. We then assign roles accordingly, with only the minimal system access they need to complete tasks. This is likely unpopular in most firms, as it feels like security staff are being difficult without reason, so they must be able to maintain composure and determination (in a calm and reasonable way) to ensure staff don’t circumvent them in some way.
Michelangelo C. Collura says
All companies are dynamic entities with employees and others using systems coming and going all the time. What best practices have you experienced or would you recommend for managing system users and their related security access?
I would definitely provide minimal access, so that users can only do what they’ve been assigned. Anything further would require manual approval from higher levels in the firm. I would also ensure that some form of oversight exists for all roles, with someone reviewing permissions and access on a regular basis, updating and revising as needs change. I think SoD is very important, and so part of oversight would be to ensure that adequate SoD exists, particularly when dealing with finances or customer PII.
Lezlie Jiles says
1. What is segregation of duties and why is it a commonly used control? Give an example of two (e.g. IT) roles that should be segregated?
SoD is a control that was created to prevent errors or fraud. It works by separating one particular function between two or more people. The premise of this idea is to prevent one person from having access to the entire process. IT utilizes SoD so that no one person has the ability to corrupt the system by implementing malicious code without being detected. SoD is achieved by separating the functional duties of any given project into different tasks and assigning those tasks to different employees to complete the project as a whole.
The ISACA article titled “What Every IT Auditor Should Know About Proper Segregation of Incompatible IT Activities” points out a few duties that must be segregated, which include IT Duties vs. User Departments and Database Administrator vs. Rest of IT Function. Tommie Singleton points out that IT duties vs. User departments are the most “basic” of SoD. Under this SoD, the user department cannot/should not perform IT duties related to their department, such as “security, programming, and other critical IT duties”. Mr. Singleton also stresses that a Database Admin. is a “critical position that requires a high level of SoD”. The reason for this is that these positions have the “keys to the kingdom”. They know (or should know) every facet of the system, which is risky within the IT functions. Therefore, it is vital that SoD is implemented, thereby providing the DBA only the required functions to perform their duties and nothing more.
Lezlie Jiles says
2. Security in an ERP system (e.g. SAP) is complex. What is the fuzziest, difficult to understand component? Explain
Yes, the security system is very complex, but I understand the need for it. The issues that are most fuzzy for me are maneuvering within the system itself. I know that eventually I will get to know and understand it once I’ve had an opportunity to really dive deep. I was able to figure out the create, change, and display features in the system before it was explained, so I am confident that I will eventually learn the system’s components.
Lezlie Jiles says
3. What key (1-2) competencies does the person responsible in a company for security (e.g. for a given process) need to have to be successful? Why?
The competencies (but not limited to) a person responsible for a company’s security system needs to have are integrity, deep knowledge of the system/functions, and the ability to communicate. I believe integrity is at the forefront of this topic because someone with the ability and knowledge to oversee and manipulate an organization’s system would definitely know and understand the organization’s weaknesses. Therefore, someone would have to overlook the temptation of fraud. As for knowledge of the system, this is extremely important because it is important to know what and where to give access to. Not having a deep knowledge of the entire system could lead to giving out access to an employee that was not needed, which could further lead to opening the door to fraud.
Matthew J. Dampf says
“integrity, deep knowledge of the system/functions, and the ability to communicate. ”
I absolutely agree, Lezlie, but one of those things is harder to evaluate than the other two. I think that communication and deep knowledge can be objectively evaluated when hiring, but integrity has more of a “feel” to it, and is much more difficult to prove or disprove. I think you have to try to make that evaluation, but it’s the biggest challenge area.
Lezlie Jiles says
4. All companies are dynamic entities with employees and others using systems coming and going all the time. What best practices have you experienced or would you recommend for managing system users and their related security access?
Although the frequency of password resets is a pain to my soul(!!!) I agree with it. My organization requires us to reset our password every 6 months, and in the beginning, it was difficult because we did not have a single sign-on system. Therefore, every system had its own unique password and, short of making them all the same or writing them down, it was cumbersome. The one feature that we have is that an employee who is no longer with the company still has (limited) access to the system for 90 days. And, in some of our systems, if the department does not notify the admin department the user’s access could remain for some of the offset systems. To combat this issue I would make it a point to check in with the department on a bi-annual basis to confirm access is still needed.
Candace Nelson says
4. All companies are dynamic entities with employees and others using systems coming and going all the time. What best practices have you experienced or would you recommend for managing system users and their related security access?
In my experience as an employee, access has been granted to me based on that which my colleagues had. There was a formal process whereby a form needed to be completed and signed by my Supervisor and submitted to HR for secondary approval before being presented to IT. While this was an effective method, there were associated risks. For example, as an internal auditor it is quite possible that “special” access had been assigned to my colleagues (e.g. access to systems with sensitive information during a payroll audit) that may not have been removed when the audit was completed. If that was overlooked, it is feasible that such access would have been granted to me. A better approach would have been to have role based access defined whereby a standard Senior Manager, Internal Audit profile was created and granted to me when I was hired, with adjustments being made based on special circumstances.
Another risk associated with task based access is when an employee transfers to a different function but access to previous systems is not revoked. Let’s say I transferred from accounting into internal audit, and in accounting I was authorized to add accounts, approve journal entries, and open and close periods. As an internal auditor, read only access would be appropriate. However, if my edit access had not been removed I could potentially create accounts and conspire with someone to input and approve unauthorized journal entries in closed accounting periods that may go undetected. Not that I would…
As an auditor, I have encountered situations where task based access was granted to employees who ended up being able to access confidential information. In this instance, an Accounting Manager was mistakenly granted access to internal audit shared drive folders. Hence, they could see the results of audit and SOX compliance work being performed on their department and modify actions, accordingly. In case you are wondering how this was detected, an IT Auditor in the Internal Audit department performed a shared drive access review which brought this situation to light. Needless to say, the access was immediately removed!
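The role-based baseline and the access review described in this post, as an added example that is not part of the original thread: a Python check that compares each user’s actual entitlements against the baseline for their current role plus any approved, time-boxed exception, so that rights carried over from a previous role (the accounting edit rights above), a mistaken grant (the accounting manager with the audit share) and an expired special approval (payroll data for one audit) all surface in the same report. The role names, entitlement names, users and dates are constructed for the example.

```python
from datetime import date
from typing import Dict, Iterable, List, Set, Tuple

# Constructed role baselines (assumed names): the entitlements a standard holder
# of each role needs and nothing more.
ROLE_BASELINE: Dict[str, Set[str]] = {
    "internal_auditor": {"gl:read", "audit_share:read", "audit_share:write"},
    "accounting_manager": {"gl:read", "gl:create_account", "gl:approve_je", "gl:close_period"},
    "shipping_clerk": {"orders:read", "ship_to:read"},
}

# Constructed user records, shaped like an identity-system export.
USERS: List[dict] = [
    {   # transferred from accounting to internal audit; old edit rights never revoked
        "user": "c.nelson", "role": "internal_auditor",
        "entitlements": {"gl:read", "audit_share:read", "audit_share:write",
                         "gl:create_account", "gl:approve_je", "payroll:read"},
    },
    {   # accounting manager mistakenly given the internal audit share
        "user": "r.doyle", "role": "accounting_manager",
        "entitlements": {"gl:read", "gl:create_account", "gl:approve_je",
                         "gl:close_period", "audit_share:read"},
    },
    {"user": "t.owens", "role": "shipping_clerk", "entitlements": {"orders:read", "ship_to:read"}},
]

# Approved, time-boxed exceptions for special circumstances, such as payroll
# data needed for one audit. Expiry is an ISO date string.
EXCEPTIONS: List[dict] = [
    {"user": "c.nelson", "entitlement": "payroll:read", "approved_by": "cfo", "expires": "2023-03-31"},
]


def active_exceptions(exceptions: Iterable[dict], today: date) -> Set[Tuple[str, str]]:
    """(user, entitlement) pairs whose approval has not yet expired."""
    return {
        (e["user"], e["entitlement"])
        for e in exceptions
        if date.fromisoformat(e["expires"]) >= today
    }


def review_access(users: Iterable[dict], baselines: Dict[str, Set[str]],
                  exceptions: Iterable[dict], today: str) -> Dict[str, Set[str]]:
    """Flag, per user, every entitlement that is neither in the baseline for the
    user's current role nor covered by an unexpired exception. A user whose role
    has no baseline gets every entitlement flagged, since nothing justifies them."""
    as_of = date.fromisoformat(today)
    allowed_extras = active_exceptions(exceptions, as_of)
    findings: Dict[str, Set[str]] = {}
    for u in users:
        baseline = baselines.get(u["role"], set())
        excess = {
            ent for ent in u["entitlements"]
            if ent not in baseline and (u["user"], ent) not in allowed_extras
        }
        if excess:
            findings[u["user"]] = excess
    return findings


if __name__ == "__main__":
    for user, excess in review_access(USERS, ROLE_BASELINE, EXCEPTIONS, "2023-04-15").items():
        print(f"{user}: remove or re-approve {sorted(excess)}")
```

Run before the exception’s expiry, the payroll grant is silent and only the two genuine problems appear; run after it, the same user also shows the stale payroll access, which is the “removed when the audit was completed” step the post says is easy to overlook.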
Matthew J. Dampf says
1.) What is segregation of duties and why is it a commonly used control? Give an example of two (e.g. IT) roles that should be segregated?
Segregation of duties is a control that ensures that one person does not perform two roles that are ideally used as a check against each other. These separate roles can be used to prevent fraud or unintentional human error. It is commonly used because it is relatively easy to implement, as these are standard industry positions and ERP systems are designed around these roles being segregated.
In the IT world two duties that are commonly segregated are application development and the publishing of code into production systems. Using a separate role to check the code and subsequently publish helps prevent malicious or exceptionally buggy code from entering production.
Another possible segregation of IT roles can be IT security vs IT operations. IT security accounts can have access to a substantial percentage of the company data, so it’s important that they not be involved in IT operations where their superuser credentials can be used to commit fraud.
Qiyu Chen says
1. What is segregation of duties and why is it a commonly used control? Give an example of two (e.g. IT) roles that should be segregated?
Segregation of duties is the concept of having more than one person required to complete a task. It is a commonly used control because it ensures that there is oversight and review to catch errors. It helps to prevent fraud or theft because it requires two people to collude in order to hide a transaction.
For example, when a company implements the SAP system, a staff member who enters accounts payable invoices into the system is not allowed to then approve them as well.
Another example is at a gas station or other retail business, where the person who handles cash cannot be the same person that records cash amounts in the company’s ledgers.
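The accounts payable rule in this post (the user who enters an invoice may not approve it) and the three-way check Kevin Berg describes earlier (PO, receiving and invoice must agree), as one added example that is not part of the original thread: a Python review over constructed invoice records with both a preventive check, which the approval step would run before accepting an approver, and a detective check, which a periodic review would run over posted transactions. The field names, user names and invoice data are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Invoice:
    """One accounts payable invoice and the users who touched it.
    Field names and sample users are assumptions for this example."""
    invoice_id: str
    po_qty: int            # quantity on the purchase order (Purchasing)
    received_qty: int      # quantity recorded by Receiving
    invoiced_qty: int      # quantity on the vendor invoice (A/P)
    entered_by: str
    approved_by: Optional[str] = None
    paid_by: Optional[str] = None


# Constructed sample transactions (not from the thread).
INVOICES = [
    Invoice("INV-1001", 100, 100, 100, "p.patel", "m.garcia", "j.kim"),   # clean
    Invoice("INV-1002", 50, 50, 50, "p.patel", "p.patel", "j.kim"),        # self-approved
    Invoice("INV-1003", 200, 180, 200, "a.chen", "m.garcia", "m.garcia"),  # approver also paid; quantities disagree
    Invoice("INV-1004", 10, 10, 10, "a.chen"),                             # awaiting approval
]


def sod_violations(inv: Invoice) -> List[str]:
    """Detective SoD check: enter, approve and pay must be three different users."""
    issues: List[str] = []
    if inv.approved_by is not None and inv.approved_by == inv.entered_by:
        issues.append("approved by the user who entered it")
    if inv.paid_by is not None and inv.paid_by in (inv.entered_by, inv.approved_by):
        issues.append("paid by a user who also entered or approved it")
    return issues


def three_way_match(inv: Invoice) -> bool:
    """PO, receiving and invoice quantities must agree before payment."""
    return inv.po_qty == inv.received_qty == inv.invoiced_qty


def can_approve(inv: Invoice, user: str) -> bool:
    """Preventive SoD check the approval screen would run before accepting an approver."""
    return inv.approved_by is None and user != inv.entered_by


def review_invoices(invoices: List[Invoice]) -> Dict[str, List[str]]:
    """Periodic review: map each problematic invoice id to its list of findings."""
    findings: Dict[str, List[str]] = {}
    for inv in invoices:
        issues = sod_violations(inv)
        if not three_way_match(inv):
            issues.append(
                f"three-way match failed (PO {inv.po_qty}, received {inv.received_qty}, "
                f"invoiced {inv.invoiced_qty})"
            )
        if issues:
            findings[inv.invoice_id] = issues
    return findings


if __name__ == "__main__":
    for invoice_id, issues in review_invoices(INVOICES).items():
        for issue in issues:
            print(f"{invoice_id}: {issue}")
```

The preventive check is what the ERP enforces at the moment of approval; the detective review exists because the post’s collusion point still applies: two people can satisfy the rule on paper, so someone outside the process has to look at the posted transactions as well.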
Qiyu Chen says
Q2. Security in an ERP system (e.g. SAP) is complex. What is the most fuzzy, difficult to understand component? Explain
Security in an ERP system is very complex because the system per se is complex. Many different parts of the system need to be evaluated and assessed to make sure there are no security issues. To me, the most fuzzy or difficult to understand security issue is access control in an ERP system. I am wondering how an ERP system is designed to give an individual a particular level of access privilege. For example, a single SAP platform has more than 200,000 tables that interact with each other. Of that extreme number of tables, some might contain significantly confidential and classified information or require higher authorization to enter/amend the data. Thus, in my opinion, it will be tricky to secure that information within such a complex setting in an ERP system.
Candace Nelson says
1. What is segregation of duties and why is it a commonly used control? Give an example of two (e.g. IT) roles that should be segregated?
It is commonly known that the responsibility for application development should be segregated from the responsibility of maintaining that application. Associated risks include the possibility that if the same person writes and maintains code, it is less likely that errors will be detected. Additionally, if these incompatible functions are not adequately segregated, developers could inject malicious code that would not be detected, resulting in fraud.
The risk of having Chief Information Security Officers (CISOs) report to the CIO – or to anyone in the IT department for that matter – is an evolving risk. The associated risks are that the CISO has access to critical functions that could be easily exploited, and the CIO may not be able to be objective regarding security issues that could impede other IT initiatives.
The article titled Eight Reasons the CISO Should Report to the CEO and not the CIO recommends segregating the information security function from the rest of IT since:
1. A CISO’s job is to protect the overall business, not just IT.
2. According to a PwC study, organizations whose CISO reports to the CIO have 14% more downtime due to security incidents.
3. The same PwC study determined that organizations whose CISO reports to the CIO have 46% higher financial losses.
4. If security concerns threatened to stall an IT project, the CIO could overrule it.
5. The CIO could stall security projects that might hinder IT productivity.
6. The CIO could divert funds allocated to security to other IT projects.
7. The positions would be more equal if both the CIO and CISO reported to the CEO.
8. Some regulators are beginning to mandate CISOs report to the CEO, including Israel (where there are laws dictating that CISOs report directly to the CEO).
https://www.cio.co.uk/it-security/eight-reasons-ciso-should-report-ceo-not-cio-3634350/
Qiyu Chen says
Q3. What key (1-2) competencies does the person responsible in a company for security (e.g. for a given process) need to have to be successful? Why?
1. Curiosity: I believe curiosity is the number one competency for the person responsible in a company for security. That is, the ability to pick up/capture any suspicious or abnormal activities.
2. Data Analytics: Besides curiosity, the person should carry well-developed data analytic skills. Most of the time, security personnel will be required to use a data analytic tool to populate what is going on within an organization. If the personnel have strong data analytic skills, any possible security incident will be caught ahead of time.
Qiyu Chen says
Q4. All companies are dynamic entities with employees and others using systems coming and going all the time. What best practices have you experienced or would you recommend for managing system users and their related security access?
I would recommend that every dynamic entity ensure data integrity by having clear and easy to follow policies, especially password policies and remote access control policies. For passwords, employees need to follow rules on how to set up a password with a certain length and upper- and lowercase letters, how frequently he or she should change the password, and how to remember the password. For remote access, I think it is extremely important to be able to grant and remove any rights and responsibilities for everyone who has accessed the system. Access to the database/system should be removed when employees leave or vendors finish their jobs. Otherwise, it would be a big threat to data integrity because someone not privileged could access your system, steal client information or modify data.
Yijiang Li says
1. What is segregation of duties and why is it a commonly used control? Give an example of two (e.g. IT) roles that should be segregated?
According to the AICPA’s definition, Segregation of Duties (SOD) is a basic building block of sustainable risk management and internal controls for a business. SOD is based on shared responsibilities of a key process that disperses the critical functions of that process to more than one person or department. Without SOD in key processes, fraud and error risks are far less manageable. Therefore, SOD is not only considered an essential component of risk management to mitigate fraud but also an effective measure in the internal control process of an organization, so SOD is considered a commonly used control.
There are two examples of IT roles that should be segregated. (1) Database administrators (DBAs). DBAs should only have DBA authority. A special event, such as deleting database activity logs, should be performed by a different person. (2) Software developers. It is a general principle that development and production should always be segregated. Software developers should never have access to production systems.
Candace Nelson says
2. Security in an ERP system (e.g. SAP) is complex. What is the most fuzzy, difficult to understand component? Explain
Enterprise resource planning systems integrate all departments and functions throughout an organization into a single IT system (or integrated set of IT systems) so management can make informed decisions based on enterprise-wide information from all business operations. Core ERP components include Finance and Accounting, Production and Materials Management, and Human Resources. Extended ERP components include Business Intelligence, Customer Relationship Management, Supplier Relationship Management, and E-business.
I believe the most difficult or “fuzziest” security factor associated with an ERP environment is ensuring that cross functional duties are adequately segregated. This includes determination of task vs. role based access, as well as the compatibility of functions across all components. For instance, it is feasible that a Finance employee (Analyst) would provide support to the HR function, and that they would be responsible for producing periodic performance reports for their client (e.g. monthly and quarterly budget vs. actual expense analyses). This could require that the Analyst have the ability to drill down on transactions to identify variances. However, it would not be appropriate if such access permitted the Analyst to view confidential or proprietary information, such as wages, personally identifiable information (birth dates, social security numbers), etc.