- What is segregation of duties and why is it a commonly used control? Give an example of two (e.g. IT) roles that should be segregated?
- Security in an ERP system (e.g. SAP) is complex. What is the most fuzzy, difficult to understand component? Explain.
- What key (1-2) competencies does the person responsible in a company for security (e.g. for a given process) need to have to be successful? Why?
- All companies are dynamic entities with employees and others using systems coming and going all the time. What best practices have you experienced or would you recommend for managing system users and their related security access?
Imran Jordan Kharabsheh says
1. The segregation of duties plays a fundamental role in ensuring the security of many of a company’s assets and liabilities from fraud or theft, including but not limited to sensitive information, financial instruments and consumer products. The best way I can find to define the segregation of duties is the enforced separation of responsibilities among employees who are part of a single business process, making people solely responsible for the portion of the process they are entrusted with. An example of roles you would want to give to separate employees is asset management and accounting, where someone who handles both might be tempted to swipe assets and later go on to hide the missing asset in the balance sheet. Another example of duties that need to be segregated is the roles of system administrator and CEO, with the risk of the CEO tampering with information currently registered in the system to fool stakeholders.
2. If I had to choose which part of the security of an ERP system leaves me with the most questions, I would probably choose Authorization Objects because even after studying up on it, I find myself questioning the intricacies of its functionality. From what I did understand, I can tell that an Authorization Object is a more general term for the security measures used upon login and can include more than one measure, should there be a need to do so. What I don’t understand, however, is how authority-check statements interact with Authorization Objects.
3. Among the top characteristics that someone responsible for security must have, I feel that the two most important ones are excellent communication skills and a deep knowledge of the company’s systems and the software associated with them. The communication skills play an essential role in enacting preventative measures, helping the person in charge of security with training other employees on safety precautions and regulations. Communication also plays a key role when dealing with a crisis by giving the person in charge of security the ability to better express what is going on and the measures being taken to solve it in a prompt fashion, helping prevent widespread panic. A thorough knowledge of a company’s systems takes time, but is a worthwhile investment for people placed in charge of security as it helps them to prepare IT disaster recovery plans ahead of time, and minimizes time needed to handle security issues.
4. After seeing the inner mechanisms of various security systems throughout my time interning and working for financial, educational, and healthcare organizations, I have come to the conclusion that there is no single all-protecting solution for information security. What are needed are multiple, more specialized security solutions, some being better than others based on the size and needs of a company. Among my favorites of these solutions, one that happened to show positive results in securing a system is unique, tracked authenticators given to and taken from those who assume certain roles that need specific privileges. Another security measure that has good synergy with the authenticators is required, yet subtle, portrait shots taken every time a password is entered, which can either be used actively as an authentication method or passively as a log of pictures of every person who has used those credentials.
Imran Jordan Kharabsheh says
To add on to the first point I spoke of, one of my fellow classmates did an excellent presentation on an Indian company that had been trailblazing and made its way into the Fortune 500. Unfortunately, due to there being a serious lack of segregation of duties, the top-level executives were able to easily tamper with accounting sheets, artificially inflating their stock and reporting fake profits to stakeholders. It also leaked that the auditing company responsible for auditing the Indian company was also benefiting from this fraud. This is an excellent example of why segregation of duties is a serious matter that needs to be practiced in all companies across all levels.
Deepa Kuppuswamy says
Hi Imran,
I too agree with your second point. When I was trying to understand the SAP authorization concept I realized how important the authorization objects are, and how many system elements rely on and are protected by an authorization object. Authorization objects enable complex checks with multiple conditions for an authorization that allows the user to perform an action, and they are also what an authority-check verifies against.
If you have a requirement where only specific users may have access to a program, this can be achieved by using AUTHORITY-CHECK in the program.
Deepa Kuppuswamy says
1. Segregation of duties (SoD) is an internal control designed to prevent error and fraud by ensuring that at least two individuals are responsible for the key processes that are most vulnerable and the most mission-critical elements of the business. It is the basic building block of sustainable risk management and internal controls for a business. SoD is a commonly used control because it ensures that there is oversight and review to catch errors, and it also helps to prevent fraud or theft because it requires two people to collude in order to hide a transaction.
Example of roles that should be segregated are as follows:
– Engineer who develops the queries for a report should not be the one who approves the logic or accuracy of those queries
– Authorization of Journal Entries cannot be carried out by the same person who posts journal entries from this report.
– Users with access to Accounting Software and Operational Systems Control should be segregated
– Revenue recognition Risk: SoD should be set in place between revenue and technical operations (Sales Processes)
2. From my point of view, one of the most difficult components to understand in SAP is the “Transaction codes”, because SAP has around 100,000 transaction codes and 2500 authorization objects, as all the various components like HR, BI, IM, FM and Supply Chain Management modules are linked to one another in the ERP system. Many of these transaction codes perform similar tasks, and it is sometimes difficult for auditors to dig deep into SAP because security in SAP is complex.
Security within the SAP application is achieved through the authorization concept, so from an auditor’s perspective it is very important for us to understand some basic t-codes, authorization objects and Z t-codes, which are customized t-codes created by the company. These are very important to consider during audits as they are very risky and directly impact financial statements.
3. I could think of the following two important competencies which are essential for successful information security personnel:
– Problem solving capability: Information security personnel should have the ability to link information security issues to the overall organizational strategy. For example, in the event of a security breach or disaster recovery, he/she should know who the point of contact is and what preplanned business continuity plan is in place in order to continue after severe interruptions and disasters.
– Communications skills to ‘sell’ why information security is important to the other members of management
4. Some of the best practices that I would recommend for managing system users and their related security access are as follows:
– The company should have a good access control solution. IT infrastructure security should be set strong by ensuring the best authentication and authorization protocols.
– User access provisioning and de-provisioning should be properly managed. We should ensure that the creation of accounts and access to software and data is consistent and simple to administer
– Segregation of duties should be managed by segregating conflicting roles and responsibilities.
– A well-designed user access review should be set in place in order to ensure that unauthorized users do not continue to have access to unprivileged roles.
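As an added example (not code from any post in this thread), the following Python sketch encodes the conflicting role pairs Deepa lists in point 1 as a duty-pair ruleset and checks user-role assignments against it, both as a detective report and as a preventive check at provisioning time, and adds the stale-account review from point 4. Role names, duty names, sample users and the staff roster are all constructed.

```python
"""Segregation-of-duties (SoD) checks over user-role assignments. Roles grant duties; a
user whose roles together cover both sides of a conflicting pair violates SoD even if
no single role does."""

# Constructed sample data: which duties each role grants.
ROLE_DUTIES = {
    "report_developer": {"develop_report_query"},
    "report_approver": {"approve_report_query"},
    "je_poster": {"post_journal_entry"},
    "je_authorizer": {"authorize_journal_entry"},
    "ap_clerk": {"create_vendor", "enter_invoice"},
    "treasurer": {"release_payment"},
    "controller": {"authorize_journal_entry", "release_payment"},
}

# Conflicting duty pairs (constructed ruleset modelled on the examples in the thread).
SOD_RULES = [
    frozenset({"develop_report_query", "approve_report_query"}),
    frozenset({"post_journal_entry", "authorize_journal_entry"}),
    frozenset({"create_vendor", "release_payment"}),
]


def duties_for(roles, role_duties=ROLE_DUTIES):
    """Expand a user's roles into the flat set of duties they grant."""
    duties = set()
    for role in roles:
        duties |= role_duties.get(role, set())
    return duties


def find_conflicts(assignments, rules=SOD_RULES, role_duties=ROLE_DUTIES):
    """Detective control: map each user to the SoD rules their combined duties violate."""
    conflicts = {}
    for user, roles in assignments.items():
        held = duties_for(roles, role_duties)
        violated = sorted(tuple(sorted(rule)) for rule in rules if rule <= held)
        if violated:
            conflicts[user] = violated
    return conflicts


def can_grant(current_roles, new_role, rules=SOD_RULES, role_duties=ROLE_DUTIES):
    """Preventive control: refuse a provisioning request that would create a conflict."""
    proposed = set(current_roles) | {new_role}
    return not find_conflicts({"_": proposed}, rules, role_duties)


def stale_accounts(assignments, active_staff):
    """Access review: users still holding roles but no longer on the active staff list."""
    return sorted(user for user in assignments if user not in active_staff)


# Constructed sample assignments and HR roster.
ASSIGNMENTS = {
    "alice": {"report_developer"},
    "bob": {"report_developer", "report_approver"},
    "carol": {"je_poster", "controller"},
    "dave": {"ap_clerk", "treasurer"},
    "erin": {"treasurer"},
}
ACTIVE_STAFF = {"alice", "bob", "carol", "dave"}

if __name__ == "__main__":
    for user, rules in find_conflicts(ASSIGNMENTS).items():
        print(f"SoD conflict for {user}: {rules}")
    print("grant je_authorizer to alice:", can_grant({"report_developer"}, "je_authorizer"))
    print("grant report_approver to alice:", can_grant({"report_developer"}, "report_approver"))
    print("stale accounts:", stale_accounts(ASSIGNMENTS, ACTIVE_STAFF))
```

Note that carol's conflict only appears after expanding the composite "controller" role into its duties, which is why the check works on duties rather than on role names.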
Rouying Tang says
Nice points and examples. Thank you for sharing. I agree with you that communication skills are critical for information security personnel, but I thought about the preparation process, while your points provide a new angle, which is pretty thoughtful for me.
Penghui Ai says
1. What is segregation of duties and why is it a commonly used control? Give an example of two (e.g. IT) roles that should be segregated?
SoD involves breaking down tasks that might reasonably be completed by a single individual into multiple tasks so that no one person is solely in control. Dividing these duties is necessary to ensure the company is not a victim of theft of its assets and records or fraud which is a deliberate attempt to deceive others for personal gain. One example of SoD is to have one employee responsible for the accounting portion of the job and someone else responsible for signing the checks.
2. Security in an ERP system (e.g. SAP) is complex. What is the fuzziest, difficult to understand component? Explain
The fuzziest to understand for me is the Financial and Accounting component. I guess it was the most difficult for me because of the mistakes an employee may make. The security control in an ERP system eliminates the ability to delete saved, processed, executed, etc. This control is good to keep the integrity of the data and system. However, I know I have made mistakes and would assume other new SAP users would make similar mistakes.
I do understand the component and understand why all security components are in place, but it makes things frustrating when you make a mistake and must figure out a solution to your mistake, without the option of “starting over”. I like the “start over” option.
3. What key (1-2) competencies does the person responsible in a company for security (e.g. for a given process) need to have to be successful? Why?
Risk Management: As a frontline cybersecurity practitioner, you may not see the value in having competency in risk management, but the risk is the driving force behind all security operations. In other words, you do some security task to, one way or another, respond to a risk that your company faces.
Networking Basics: The company network forms the backbone of its computing environments, and without adequate knowledge of basic networking principles, your security operations will rarely get off the ground. A skill set that includes both theoretical and practical knowledge of TCP/IP is a must-have according to employers.
4. All companies are dynamic entities with employees and others using systems coming and going all the time. What best practices have you experienced or would you recommend for managing system users and their related security access?
Separate the concept of user identity and user account: Users are not an email address, not a phone number. Users are the culmination of their unique, personalized data and experience within your service. A well-designed user management system has low coupling and high cohesion between different parts of a user’s profile. Keeping the concepts of user account and credentials separate will greatly simplify the process of implementing third-party identity providers, allowing users to change their username and linking multiple identities to a single user account.
Haitao Huang says
It is important for an organization to conduct account management reviews to ensure that users only retain authorized permissions and that unauthorized modifications do not occur. Account management reviews may be a function of information security management personnel or internal auditors. One way to perform account management is to conduct a full review of all accounts. This is typically done only for highly privileged accounts because of the amount of time consumed.
Deepa Kuppuswamy says
I really liked your points for Question 3. Risk management and networking basics are important competencies for security professionals. Networking knowledge helps to maintain systems security and to know what’s running on the company’s network, and RM helps to ensure that the business is focused on achieving its objectives and that significant risks are identified and mitigated to the extent possible.
Haitao Huang says
1. The goal of segregation of duties is to ensure that individuals do not have excessive system access that may result in a conflict of interest. When duties are properly segregated, no single employee will have the ability to commit fraud or make a mistake and have the ability to cover it up. A segregation of duties policy is highly relevant for any company that must abide by the Sarbanes–Oxley Act (SOX) of 2002 because SOX specifically requires it. For example, personnel responsible for auditing, monitoring, and reviewing security do not have other operational duties related to what they are auditing, monitoring, and reviewing.
2. An ERP system is software which consists of different modules like human resources, sales, finance and production. These modules support the business processes of organizations. The most significant benefit of an ERP system is the integration of these business processes. Another significant benefit is the possibility for organizations to replace largely fragmented information systems. Unfortunately, precisely this integration of business processes and the built-in standardization of these business processes also cause problems when an organization implements an ERP system. Often an ERP system will replace the organization’s own software. In most cases, implementation of an ERP system in an organization causes significant changes throughout the organization. An ERP implementation severely influences how an organization handles its business. Therefore, the implementation process itself is of a complex nature and has to be handled with care.
3. Security personnel should have comprehensive understanding of systems or processes that they are responsible for protection in order to effectively identify, analyze, and mitigate related risks. Risk management is a detailed process of identifying factors that could damage or disclose data, evaluating those factors in light of data value and countermeasure cost, and implementing cost-effective solutions for mitigating or reducing risk. The overall process of risk management is used to develop and implement information security strategies. The goal of these strategies is to reduce risk and to support the mission of the organization.
4. Many organizations perform periodic access reviews and audits to ensure that object access and account management practices support the security policy. These audits verify that users do not have excessive privileges and that accounts are managed appropriately. They ensure that secure processes and procedures are in place, that personnel are following them, and that these processes and procedures are working as expected. When examining account management practices, an access review audit will ensure that accounts are disabled and deleted in accordance with best practices and security policies. For example, accounts should be disabled as soon as possible if an employee is terminated.
Penghui Ai says
Hi Haitao,
I like your answers, especially the key competencies of the person responsible in a company for security. I agree that the person needs an understanding of systems or processes. However, I would like to add risk management as one important skill for security personnel, because risk is the driving force behind all security operations.
Rouying Tang says
1. What is segregation of duties and why is it a commonly used control? Give an example of two (e.g. IT) roles that should be segregated?
Separation of duties (SoD) is a critical internal control designed to have more than one person in charge of a single task. It includes custody of assets, authorization, and recording of transactions. It can effectively prevent fraudulent and malicious acts. An example is that the system analyst is not supposed to also be the help desk and support manager.
2. Security in an ERP system (e.g. SAP) is complex. What is the most fuzzy, difficult to understand component? Explain
I think it would be the practice of granting authorization and restricting access: how to set up the configurations according to the roles and responsibilities to ensure the separation of duties with the minimum access permissions, and to prevent the possibility of fraud and error, while still completing the business process and fulfilling the business functions.
3. What key (1-2) competencies does the person responsible in a company for security (e.g. for a given process) need to have to be successful? Why?
Good communication skills: because the person responsible in a company for security has to be familiar with the business processes and functions from the viewpoint of the whole company. To better understand the criteria, good communication skills are necessary.
Confidentiality: because the one who is responsible for security would have access to confidential data in the process, so confidentiality is necessary.
4. All companies are dynamic entities with employees and others using systems coming and going all the time. What best practices have you experienced or would you recommend for managing system users and their related security access?
For managing system users and their related security access, I would recommend the principle of least privilege, which allows only the minimum access to the employees who need it. Access authorizations should be assigned according to their responsibilities. Besides, segregation of duties should be considered to prevent fraud and errors.
Yuan Liu says
1. Separation of duties is the concept of having more than one person required to complete a task. In business, the separation by sharing of more than one individual in one single task is an internal control intended to prevent fraud and error. The concept is alternatively called segregation of duties or, in the political realm, separation of powers. In democracies, the separation of legislation from administration serves a similar purpose. The concept is addressed in technical systems and in information technology equivalently and is generally addressed as redundancy. For example, in the order-to-cash process, accounting works on invoice tracking and the shipping department works on tracking the package.
2. ERP security is a wide range of measures aimed at protecting Enterprise Resource Planning (ERP) systems from illicit access, ensuring the accessibility and integrity of system data. An ERP system is computer software that serves to unify the information intended to manage the company, including Production, Supply Chain Management, Financial Management, Human Resource Management, Customer Relationship Management and Enterprise Performance Management. In my opinion, human resources is the most difficult to understand, because personal attitude is individually unique. Management should focus on each person and make a plan for each one to push their motivation.
3. My example is security officer. He should be able to:
Ensure the security, safety and well-being of all personnel, visitors and the premises
Provide excellent customer service
Adhere to all company service and operating standards
Remain in compliance with local, state and federal regulations
Immediately respond to emergencies to provide necessary assistance to employees and customers
Protect the company’s assets relative to theft, assault, fire and other safety issues
Follow procedures for various initiatives, including fire prevention, property patrol, traffic control and accident investigations
4. My recommendation is to employ a process for the resource proprietor to grant access to covered systems based on legitimate business need. All application access requests should be reviewed by the resource proprietor or his/her designated delegate. Any decisions to approve or reject access requests by the resource proprietor or delegate should be documented. Employ a process for the resource proprietor or his/her delegate to review access to systems when a user changes job function, and update access to reflect the user’s new job function. Develop a process to immediately revoke access to accounts after a user leaves the campus, unless documented business requirements permit an extended grace period in which departed users are allowed access to covered systems.
Yuan Liu says
The description of security officer: the Security Officer will periodically tour the assigned facility to identify any irregularities, observe protection and fire control equipment, uphold order, and enforce regulations for the facility in regards to the premises, personnel and visitors.
Yuan Liu says
Examples of security officer:
Security Officer
Security Officer (5+ Years’ Experience)
Armed Security Officer
Security Officer (Full-Time)
Security Guard
Peiran Liu says
1. Segregation of duties is a way to separate a position into different positions according to the multiple duties it has. The reason why it is a commonly used control is that if there are too many duties combined in one position, the person in that position could use all of the duties he has and create a loop for fraud, which does harm to the organization. For example, in software development, the duty to develop the software and the duty to make sure the final version is stable should not be one person’s duty.
2. For me, the most difficult component to understand is how to keep the system secure as well as convenient. How to balance the impact of an unsecure access against the benefit of convenience like fast login is the part I find difficult to understand.
3. The most key competency for the person who is responsible for security to be successful is being well trained. Only when the person is well trained can random security problems be solved easily. And also, compared to an untrained person, a well-trained person can make more logical and organized security checks.
4. My recommendation for managing system users and their related security access is providing the least access to those who need it, and for the people who need it, the access should be as convenient as possible.