- What is segregation of duties and why is it a commonly used control? Give an example of two (e.g. IT) roles that should be segregated?
- Security in an ERP system (e.g. SAP) is complex. What is the most fuzzy, difficult to understand component? Explain
- What key (1-2) competencies does the person responsible in a company for security (e.g. for a given process) need to have to be successful? Why?
- All companies are dynamic entities with employees and others using systems coming and going all the time. What best practices have you experienced or would you recommend for managing system users and their related security access?
Tamekia P. says
1. What is segregation of duties and why is it a commonly used control? Give an example of two (e.g. IT) roles that should be segregated?
Segregation of duties is ensuring that an activity cannot be completed solely by one person. It ensures that at least two people are needed to complete a task. For example, users should not have access to both development and production environments. This is necessary to prevent someone from writing code and then running that code in production.
Scott Radaszkiewicz says
Wow, great example Tamekia. That’s really thinking outside the box. So many stories of programmers writing a backdoor into code. This was a legitimate practice years ago, it was there in case they needed to get in for support to fix things. Then, like all things, people started to use this for malicious purposes. No matter how good the intention, someone will use a situation for bad.
Mahugnon B. Sohou says
Great example Tamekia. Kind of similar to what I posted myself. I think when we think of segregation of duty, the most common roles we think of almost immediately are development and production. It is not uncommon to see programmers write a backdoor into code, which opens the door for all sorts of malicious activities. Like Scott mentioned, this was a legitimate practice years ago, which was there in case they needed to fix things. Then it started being used for malicious purposes.
Tamekia P. says
2. Security in an ERP system (e.g. SAP) is complex. What is the most fuzzy, difficult to understand component? Explain
The most difficult concept to understand is the provisioning of access to the system. This week’s reading mentions that there is a difference between access to the system and access within the system. Given all of the tasks that are possible within SAP, I am curious as to how the roles within SAP are created. I would imagine that some roles come standard, but it would be necessary for an organization to configure these roles as they see fit. How are these roles and corresponding users created from scratch?
Tamekia P. says
3. What key (1-2) competencies does the person responsible in a company for security (e.g. for a given process) need to have to be successful? Why?
The person responsible for security needs to have attention to detail. They must be able to identify segregation of duty issues and other security flaws. In addition, they need to have a sense of the upstream and downstream implications of security changes. For example, if an application is moving from individual user login to single sign-on, they must have a sense of the security protocols that need to be in place.
James T. Foggie says
Great example of a competency required by a security person. Part of the skill set of personnel working in IT governance is strategic analysis capability. Security folks must be able to traverse processes to ensure the proper segregation of duties to manage controls in an effective manner.
Tamekia P. says
4. All companies are dynamic entities with employees and others using systems coming and going all the time. What best practices have you experienced or would you recommend for managing system users and their related security access?
It is essential for an organization to have a good onboarding / application request process. It is helpful for a manager to be able to request similar access rights as someone else within the organization, because you are familiar with how the access of this user behaves.
Tamekia P. says
4. All companies are dynamic entities with employees and others using systems coming and going all the time. What best practices have you experienced or would you recommend for managing system users and their related security access?
Other best practices include appropriate recertification of user access on a periodic basis. Changes happen relatively quickly in an organization, with users either accepting new roles or leaving the organization. It is important that these changes are processed quickly and easily. It is also helpful when users are able to initiate the access request and have these items reviewed by their manager. This alleviates additional work for the reviewer.
Heiang Cheung says
Hi Tamekia,
I agree that you need to update access pretty quickly, because not only do people leave a company, people within the organization get promoted and have different responsibilities. I remember at one point I was able to create vendors and handle accounts payable. It took them forever to take the access away from me.
Mahugnon B. Sohou says
Hi Tamekia,
Absolutely. Great point. Indeed, things keep changing in an organization, and the IT department needs to keep up with all those changes and make the required access control configuration to cater to those changes. As you mentioned, users initiating the request for a change when they are promoted or have a role change is a really good idea, as it makes the job of the IT department much easier as they don’t have to spend time looking for changes. Great post. Thanks for sharing.
Folake Stella Alabede says
1. What is segregation of duties and why is it a commonly used control? Give an example of two (e.g. IT) roles that should be segregated?
Segregation of duties is ensuring that one person is not responsible for critical aspects of a business from start to finish; it ensures more than one person is required to perform/complete a business process.
It is a commonly used control because it helps to deter deliberate fraud, as this would require two or more people agreeing together to commit the fraud; it also helps to detect accidental fraud by having checks and balances in place to review errors.
Some examples of segregated roles include:
– The person requesting a change cannot be the same person approving the change. (The person that enters a journal entry should not be the person approving/authorizing the journal entry.)
– The person that approved a change cannot be the same person implementing the change to production.
– Software developers should not have access to the production environment.
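As an added example (not code from this thread), a small Python check that applies the conflicts listed in this post (requester vs. approver, approver vs. implementer, developer vs. production access, journal entry vs. its approval) to role assignments during an access review; the role-to-duty mapping and the user list are assumptions constructed for the example. It goes a step beyond the list by also checking a proposed role at provisioning time and the conflicts that are copied along when "mirroring" another user's access.

```python
# Added example (not from the thread): a segregation-of-duties conflict check
# over role assignments, using the conflicting duty pairs this discussion lists.

# Conflicting duty pairs: no single person may hold both members of a pair.
SOD_CONFLICTS = {
    frozenset({"request_change", "approve_change"}),
    frozenset({"approve_change", "deploy_to_production"}),
    frozenset({"develop_code", "production_access"}),
    frozenset({"enter_journal_entry", "approve_journal_entry"}),
}

# Assumed role model: which duties each role grants. Real ERP roles would be
# mapped from the system's own authorization objects.
ROLE_DUTIES = {
    "developer": {"develop_code", "request_change"},
    "change_approver": {"approve_change"},
    "release_manager": {"deploy_to_production", "production_access"},
    "ap_clerk": {"enter_journal_entry"},
    "ap_supervisor": {"approve_journal_entry"},
}

# Constructed sample assignments; bob and carol are deliberately in violation.
USER_ROLES = {
    "alice": ["developer"],
    "bob": ["developer", "release_manager"],
    "carol": ["ap_clerk", "ap_supervisor"],
    "dave": ["change_approver"],
}


def duties_for(roles, role_duties=ROLE_DUTIES):
    """Expand a list of roles into the set of duties they grant."""
    duties = set()
    for role in roles:
        if role not in role_duties:
            raise KeyError(f"unknown role: {role}")
        duties |= role_duties[role]
    return duties


def conflicts_in(duties, conflicts=SOD_CONFLICTS):
    """Sorted list of conflicting duty pairs fully contained in `duties`."""
    return sorted(tuple(sorted(pair)) for pair in conflicts if pair <= duties)


def find_conflicts(user_roles, role_duties=ROLE_DUTIES, conflicts=SOD_CONFLICTS):
    """Detective check for a periodic access review: users with SoD violations."""
    report = {}
    for user, roles in user_roles.items():
        hits = conflicts_in(duties_for(roles, role_duties), conflicts)
        if hits:
            report[user] = hits
    return report


def would_conflict(user_roles, user, new_role, role_duties=ROLE_DUTIES,
                   conflicts=SOD_CONFLICTS):
    """Preventive check at provisioning time: new conflicts adding `new_role` creates."""
    current = duties_for(user_roles.get(user, []), role_duties)
    proposed = current | duties_for([new_role], role_duties)
    before = set(conflicts_in(current, conflicts))
    return [pair for pair in conflicts_in(proposed, conflicts) if pair not in before]


def mirror_check(user_roles, source_user, role_duties=ROLE_DUTIES,
                 conflicts=SOD_CONFLICTS):
    """Copying ('mirroring') another user's access also copies their conflicts."""
    return conflicts_in(duties_for(user_roles[source_user], role_duties), conflicts)


if __name__ == "__main__":
    for user, hits in find_conflicts(USER_ROLES).items():
        print(f"{user}: " + "; ".join(f"{a} + {b}" for a, b in hits))
    print("dave + release_manager:", would_conflict(USER_ROLES, "dave", "release_manager"))
```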
Nathan A. Van Cleave says
1. What is segregation of duties and why is it a commonly used control? Give an example of two (e.g. IT) roles that should be segregated?
Segregation of duties is a commonly used control that helps mitigate the risk that one individual has too much control over business processes, and separates the responsibilities over multiple individuals. An example is change management, where a company would ideally have separate individuals approving, developing, testing, approving, deploying, and implementing changes for an application or system.
Nathan A. Van Cleave says
2. Security in an ERP system (e.g. SAP) is complex. What is the most fuzzy, difficult to understand component? Explain
System access is very difficult to determine for ERP, as there is general access to the system itself and a multitude of roles with varying levels of access (privileged and other) that must be understood. The business process and organizational structure must be understood in order for appropriate role-based access and least privilege to be organized. There would likely be a minimum level of roles to appropriately meet segregation of duties requirements; however, based on the size or structure of the organization, there may be additional layers of access that are needed.
James T. Foggie says
I concur; navigating through the available user roles and privileges capabilities is a daunting task. Seems like individuals need in-depth hands-on experience within SAP in order to understand the security related to access controls within the software/tools. From a high-level view, the SAP security configuration entities seem understandable; however, when actually working within SAP, gaining expertise in the area of security can be more challenging.
Nathan A. Van Cleave says
3. What key (1-2) competencies does the person responsible in a company for security (e.g. for a given process) need to have to be successful? Why?
The 1-2 competencies the accountable security person should have include access control and threat management. A strong understanding and background in access control is essential, as it is often the first set of controls that help protect an organization’s assets, applications, and systems. Without appropriate access controls in place, there is a significant risk that external and internal threats can easily gain access to corporate networks, affecting the confidentiality, integrity and availability of data. If there is a lack of strong threat management, or there is an inability to protect, identify/detect, monitor, and respond to threats, a company’s data and systems are at significant risk of breaches.
Nathan A. Van Cleave says
4. All companies are dynamic entities with employees and others using systems coming and going all the time. What best practices have you experienced or would you recommend for managing system users and their related security access?
First and foremost there should be a segmented network that allows guest users and internal users. This basic control would initially reduce the likelihood or hinder the ability of a threat actor to gain access to sensitive or critical data or systems within an internal network.
Additionally, there should be appropriately strong access controls based on least privilege for all areas of the network and systems. Single sign-on can greatly increase efficiency in an IT organization managing access across the enterprise by limiting the number of user IDs and passwords needed for the various applications and systems that are potentially accessible through the internal network.
Finally, good mitigating controls such as regular and periodic user and privileged access reviews help reduce the likelihood that insider threats could compromise internal systems and data. A great example is a periodic review of an organization’s leavers to ensure access to key systems is revoked and deactivated appropriately and within an adequate amount of time after an employee’s severance.
Derrick A. Gyamfi says
Nathan,
Thanks for sharing. Great point regarding good mitigating controls such as regular and periodic user and privileged access reviews, which help reduce the likelihood that insider threats could compromise internal systems and data. I think this is a very important part of a framework that should be in place to guide the management of computer systems.
Scott Radaszkiewicz says
Question 1: What is segregation of duties and why is it a commonly used control? Give an example of two (e.g. IT) roles that should be segregated?
Segregation of duties means that no two critical parts of a job function are performed by the same person in the process. This division of duties prohibits an individual from committing fraud. For instance, the person creating POs should not be the person approving the POs. This could allow for fraud to happen in the PO process. With proper segregation of duties in place, if a person entered a fraudulent PO, then the approver would be the second check on this transaction to detect the fraud.
Scott Radaszkiewicz says
Question 2: Security in an ERP system (e.g. SAP) is complex. What is the most fuzzy, difficult to understand component? Explain
Good practice in granting access or rights to a system usually involves a principle of least privilege. This means giving the least rights needed to complete one’s job function. For me, working in SAP, it seems a bit overwhelming. There are so many processes and functions of the system. For me, just trying to figure out what a user actually needs access rights to is one of the biggest tasks. I have not worked extensively with SAP, I have seen/worked with it a little over the years, but this class is by far the most I’ve used it.
Scott Radaszkiewicz says
Question 4: All companies are dynamic entities with employees and others using systems coming and going all the time. What best practices have you experienced or would you recommend for managing system users and their related security access?
One of the best practices that I have seen in my career is a solid workflow between HR and IT for the hiring, position change and termination of employees. I think it’s imperative that HR and IT work closely to ensure that access to accounts is set up correctly and, more importantly, terminated when employees leave. Too often, I see employees leave a company and IT is unaware. Accounts are left, and old employees still have access. Often too, employees change positions within an organization, and prior access rights are not changed/removed. A regular audit of staff and security rights is also a good idea, to ensure that no users have been missed.
Folake Stella Alabede says
2. Security in an ERP system (e.g. SAP) is complex. What is the most fuzzy, difficult to understand component? Explain
The most difficult to understand might be in terms of keeping data integrity and making sure access is appropriate.
The textbook AGAS chapter 8.4 explains how important the ‘company code’ is. Some important settings for financial accounting (like the assignment of the chart of accounts, the fiscal year variant, maximum exchange rate deviation, etc.) are made at company code level. As such, access to certain specific functions, as well as generally to the configuration and direct table maintenance, must be handled restrictively. The “productive indicator” in the company code is required above all to protect data relevant for accounting.
Also, some transactions require special protection due to high associated risks. This affects transactions that change, delete or reverse important data in FI en masse, and also transactions known for changing periods or resetting company codes.
Access to the system needs to be properly controlled. Segregation of Duties should be properly implemented to ensure that roles/rights are not conflicting. Access rights and permissions should be on a ‘need to know’ basis.
James T. Foggie says
Stella,
The last line in your post …”Access rights and permissions should be on a ‘need to know’ basis” can be a challenging ‘ask’ of any organization. Often, access rights are defined when employees move into the aforementioned “need to know” roles in an org. However, often, on the backend, access for employees transitioning out of the “need to know” role may not be revoked in a timely manner; especially if the access control requires manual intervention. Ideally, controls within SAP can be configured to define and revoke access to data and functionality simply based on roles assigned to an employee at any given time.
Folake Stella Alabede says
3. What key (1-2) competencies does the person responsible in a company for security (e.g. for a given process) need to have to be successful? Why?
I think a key competency should be an in-depth knowledge of the subject matter. The person responsible for security of a given process should know the “ins and outs” of that process; the person should think like a thief and review all the loopholes there could be, and then ensure the design of the security of that particular process takes into account all these loopholes and vulnerabilities.
Mahugnon B. Sohou says
1. What is segregation of duties and why is it a commonly used control? Give an example of two (e.g. IT) roles that should be segregated?
Segregation of duties is a process that ensures that one person alone is not responsible for starting and completing a critical business process. It ensures that more than one person is required to complete a business process.
This is commonly used because it helps in preventing people from making manipulations that would otherwise be unseen or go unnoticed. It makes it more difficult to commit fraud, as it would require the coordinated efforts of two or more people for that to happen. For instance, a person that requested a change in a program cannot be the same person that approves it. A software developer should not be a system administrator.
Mahugnon B. Sohou says
2. Security in an ERP system (e.g. SAP) is complex. What is the most fuzzy, difficult to understand component? Explain
The most difficult component of SAP to understand is access to the system. As per this week’s reading, there is general access to the system itself and a multitude of roles with varying levels of access. The business processes and the organizational structure need to be understood as well to implement the appropriate role-based access. However, there could be more controls in place, and more restriction over access, based on how large the organization is.
Mahugnon B. Sohou says
What key (1-2) competencies does the person responsible in a company for security (e.g. for a given process) need to have to be successful? Why?
The person responsible for security in a company needs to have attention to detail. They should be able to understand the ins and outs of each process in order to know where segregation of duty should be implemented. Attention to detail should give that person critical thinking and make them think like an attacker, which will allow them to more easily detect loopholes in a process and then put in place controls to mitigate the risks associated with those vulnerabilities.
Scott Radaszkiewicz says
I agree Mahugnon. Attention to detail is very important for this job function. Security in systems are often layered, and taking the time to understand everything that is going on with a user is crucial. This isn’t something that can be casually looked at. A deep dive into the system and access is often required.
Mahugnon B. Sohou says
Absolutely. That is exactly why I believe attention to detail is a big skill that an IT Auditor must have. Like you said, controls are layered, and one little missed vulnerability could open the door for malicious activities. Attackers are always improving their skills, so it is important to maintain tight security and make sure the controls cover as much of the information asset as they can, leaving a really small amount of residual risk. Attention to detail is the key to finding holes in controls.
Mahugnon B. Sohou says
4. All companies are dynamic entities with employees and others using systems coming and going all the time. What best practices have you experienced or would you recommend for managing system users and their related security access?
Other best practices include a proper onboarding process. There needs to be a solid workflow between HR and IT, as it is important to have the appropriate level of access for new hires, changes of position and terminations, and it is also important to renew users’ access after a certain period, as changes happen quickly in an organization.
Many times employees leave a firm and their access to the company’s systems is not removed, which could be a threat, or they change position but their access level is not changed.
Pascal Allison says
Least privilege is very important, vibrant point. Employees need to have access to perform their duties, nothing more, nothing less. This is important because many times it is forgotten or overlooked when employees leave the company or change position. Their profile is not terminated or updated to match their absence or functions. Some situations will be employees going on leave. Do you deactivate their profile or leave it active? Can they access the system from outside the company?
It is just okay to make changes or update employees’ profiles as needed or required for control purposes.
Folake Stella Alabede says
4. All companies are dynamic entities with employees and others using systems coming and going all the time. What best practices have you experienced or would you recommend for managing system users and their related security access?
One best practice I can think of is in Identity and Access Management. I have seen many times that security in this area, no matter how well built, always lapses in some form or the other.
Access rights and permissions as a general rule should be role based and/or on a ‘need to know’ basis. Most companies get this right, as they grant access to new employees by “mirroring” access granted to another employee in the same position (role-based access).
Also, identity management, especially in terms of terminated users, should be well monitored. I once worked at a financial organization that was always merging with/acquiring other big companies, and ultimately employees have access on one domain and, after the merger, they get access on another domain. The problem with this was that communication between HR and the different ITS teams was broken, so when employees leave, they might get deactivated from one (the global) domain, but the access on another domain is still active. (Different IAM teams are responsible for different domains.) The logical explanation this company always gave the external auditors was that without access to the Global domain, you can’t do anything on the Company’s infrastructure, even with the other local domain active.
But ultimately, it’s still a lapse in security and communication. Identity and access management has always been a major issue with large/merged companies. There should be active communication between HR and the IAM team.
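An added example, not from this post or the organization it describes: a Python reconciliation of an HR termination feed against account exports from two domains, which flags leavers still enabled, orphan accounts with no HR record, and the partially deprovisioned case above (disabled in the global domain but still active in a local one). The roster, the domain names and the two-day grace period are constructed assumptions.

```python
# Added example (not from the thread): reconcile an HR leaver feed against
# account exports from several directory domains, the gap described above.
from datetime import date

# Constructed HR feed: the source of truth for who still works here.
HR_ROSTER = {
    "E100": {"status": "active", "term_date": None},
    "E101": {"status": "terminated", "term_date": date(2024, 3, 1)},
    "E102": {"status": "terminated", "term_date": date(2024, 3, 27)},
    "E103": {"status": "active", "term_date": None},
}

# Constructed account exports, one per domain: employee id -> account enabled?
# E101 was disabled in GLOBAL but forgotten in LOCAL-EU; E999 has no HR record.
DOMAIN_ACCOUNTS = {
    "GLOBAL": {"E100": True, "E101": False, "E102": True, "E103": True},
    "LOCAL-EU": {"E100": True, "E101": True, "E103": True, "E999": True},
}

# Constructed review date for the sample run.
AS_OF = date(2024, 3, 28)


def reconcile(roster, domain_accounts, as_of, grace_days=2):
    """Return sorted (severity, employee, domain, finding) tuples.

    grace_days is an assumed deprovisioning SLA: a leaver still enabled within
    it is 'medium', beyond it 'high'.
    """
    findings = []
    for domain, accounts in domain_accounts.items():
        for emp, enabled in accounts.items():
            if not enabled:
                continue
            rec = roster.get(emp)
            if rec is None:
                findings.append(("high", emp, domain,
                                 "orphan: enabled account with no HR record"))
            elif rec["status"] == "terminated":
                days = (as_of - rec["term_date"]).days
                severity = "high" if days > grace_days else "medium"
                findings.append((severity, emp, domain,
                                 f"leaver still enabled {days} day(s) after termination"))
    # The merger case from the post: deactivated in one domain, active in another.
    for emp, rec in roster.items():
        if rec["status"] != "terminated":
            continue
        states = {d: accts[emp] for d, accts in domain_accounts.items() if emp in accts}
        if states and any(states.values()) and not all(states.values()):
            detail = ", ".join(f"{d}={'on' if on else 'off'}"
                               for d, on in sorted(states.items()))
            findings.append(("high", emp, "*", "partial deprovisioning: " + detail))
    return sorted(findings)


def high_severity_ids(findings):
    """Employee ids with any high-severity finding, for the review's action list."""
    return sorted({emp for sev, emp, _, _ in findings if sev == "high"})


if __name__ == "__main__":
    for row in reconcile(HR_ROSTER, DOMAIN_ACCOUNTS, AS_OF):
        print(*row, sep=" | ")
```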
Xiaozhou Yu says
Hi Folake,
Thanks for sharing your thoughts. I agree that access should be managed by employees who understand the importance of proper access and how to perform it. Also, it is true that access to systems should be segregated based on functions and departments, so it will be easier to monitor, and if there is an issue, the solution will be more effective and efficient.
Pascal Allison says
1. What is segregation of duties and why is it a commonly used control? Give an example of two (e.g. IT) roles that should be segregated?
Segregation of duties is where one duty or function is separated for at least two separate individuals to process. That means at least two individuals are responsible for separate parts of any task or function for completion. This is a form of internal control that helps minimize, if not mitigate, error and fraud. SoD helps with error and fraud by providing oversight and review of duties and functions. The downside is that it could stall a business/IT process.
Examples:
Bank reconciliation and Payment: bank deposit and bank reconciliation are duties that must be separated.
Vendor maintenance and posting invoice: creating a vendor in the system and posting/paying vendor invoices should be separated.
2. Security in an ERP system (e.g. SAP) is complex. What is the most fuzzy, difficult to understand component? Explain
The most fuzzy or difficult to understand component would be access controls. Some functions are interrelated and misunderstood. If you cannot clearly define departmental roles and individual roles, there could be overlapping of functions and exposure of data to departments and individuals where the segregation of duties would be compromised. Who has access to what is very important, as the initiation of any security breach is the opportunity.
In short, the component of a system that is most fuzzy or creates confusion is granting access to the system and granting access based on duties and functionalities. Example: least privilege.
Everybody employed can log onto the system, but how much can marketing do? How much can collections do? If salesmen must collect, what can they access outside of sales? If you limit sales unnecessarily, they will not function well. If you grant more than they need, a recipe for error or fraud is prepared.
3. What key (1-2) competencies does the person responsible in a company for security (e.g. for a given process) need to have to be successful? Why?
Two competencies a person responsible in a company for security needs to have to be successful are:
Relationship management – the person must be a people person. There are lots of things that cannot be discovered on a timely basis, if discovered at all. Based on the relationship with individuals and departments, the security of the system could come easily.
Attention to detail – things do not come openly, nor do they come clearly. The person must be able to read some unspoken and unwritten details. Sometimes asking probing questions will greatly help resolve issues.
4. All companies are dynamic entities with employees and others using systems coming and going all the time. What best practices have you experienced, or would you recommend for managing system users and their related security access?
I would recommend, for managing system users and their related security access, a vibrant onboarding and offboarding process. For audit purposes, a periodic review of employee profiles should be instituted to ensure least privilege of employees’ or users’ access.
Robert Conard says
1. Segregation of duties partitions the roles of a company environment. The point of segregating duties is to put experts in their respective positions and prevent fraudulent activity. For example, roles that should be separate are the responsibilities of CFO and CEO. The two are integral to communicating with shareholders but are mediums for different types of information. Other roles that should be separate are Accounts Payable and Order Fulfillment. A person with both the aforementioned responsibilities could create fraudulent customers and make payments to themselves indirectly through a false entity.
Scott Radaszkiewicz says
Good answer Robert. I really like “put experts in their respective positions and prevent fraudulent activity.” I think that is an element of segregation of duties that is key. You can have segregation of duties, but if one of the people isn’t trained properly to understand what their job role is, then theft can still occur. If Bob is merely approving all the POs and not really understanding what he is checking for, then segregation of duties fails!
Robert Conard says
2. Perhaps not fuzzy, but complex is the overall framework the ERP uses to integrate different business aspects. On the ERP are a variety of modules used by marketing, sales, finance, reporting, executives, etc… The complexity within this framework can range from simple to very complex with the more business functions the entity needs to consider. Each user must have well defined accesses to the ERP to ensure optimized usage and prevent misuse. The fuzziness can come from how well these privileges are defined and the scale at which the ERP is used.
Mengqiao Liu says
1. What is segregation of duties and why is it a commonly used control? Give an example of two (e.g. IT) roles that should be segregated?
Segregation of duties (SoD) is an internal control designed to prevent error and fraud by ensuring that at least two individuals are responsible for the separate parts of any task. In information security, the data owner and the system administrator should not be the same person. A Data Owner has administrative control and has been officially designated as accountable for a specific information asset dataset. This is usually the most senior officer in a division. A system administrator or Data Custodian is a person who has technical control over an information asset dataset. Usually, this person has the administrator/admin or root account, or an equivalent level of access. This is a critical role, and it must be executed in accordance with the access guidelines developed by the Data Owner.
Mengqiao Liu says
2. Security in an ERP system (e.g. SAP) is complex. What is the most fuzzy, difficult to understand component? Explain
Security problems exist in every facet of an ERP system. These facets can be classified into three categories: network layer, presentation layer, and application layer, which includes business processes, internal interfaces, and database. The presentation layer refers to the graphical user interface, browsers, and PCs. Since the transmission of GUI packets is impossible to restrict, ERP experts cannot secure the system by limiting user access to GUI. The better way to provide security may be to place a CITRIX server between the user and the ERP system.
Mengqiao Liu says
3. What key (1-2) competencies does the person responsible in a company for security (e.g. for a given process) need to have to be successful? Why?
Security policy and administrator: ERP experts have to provide such a way that explicit and well-defined security policies can be easily defined and maintained. The security policies will offer the rules for the access of subject to object, and these are the constraints put on the administrators when they are granting/denying permissions to the users. User authentication: to verify whether the user is the same person as he claims.
Mengqiao Liu says
4. All companies are dynamic entities with employees and others using systems coming and going all the time. What best practices have you experienced or would you recommend for managing system users and their related security access?
Enterprise Resource Planning is the technology that drives the reformation in the realm of economics and impacts people’s lifestyle indirectly. ERP system now is going towards a system with more coordination/collaboration, higher heterogeneity and integrity, more intelligent, operating on the level of knowledge, and even wireless-enabled. The security issue within ERP has been there for a long time, but most of the solutions assume that an ERP system is a closed environment. Given current trends, where the ERP is more likely to be an open system, these solutions are insufficient to provide the security.
Robert Conard says
3. The key competencies for a person in a given system include risk assessment skills and the knowledge to ask the right questions. Much of the challenge in creating security within an organization can be identifying the potential vulnerabilities that aren’t immediately clear. Segregation of duties is obvious, but perhaps the business would be made more efficient by providing a user with multiple privileges. If a company opts to do this, security personnel would be valuable in creating limitations for this user, while still enabling them to maximize their business process. The same applies to risk assessment. An expert in identifying the severity of risks offers great value to an organization and its cost allocation. By maximizing where the company spends its security resources, the entity can defend itself to an acceptable extent while maximizing normal business function.
Robert Conard says
4. When pontificating on the efficiency of business, I like to think of the business in terms of the processes it needs to complete to deliver its services. Employees aside, there is a process and volume associated with an entity that would give it 100% efficiency. After considering how the business could best capitalize on its operations, I would consider how inserting employees one by one would help to build towards this efficiency without sacrificing so much risk. For example, not having an excess of employees would save the company in salary and not pollute a business process with complexities.
Therefore, I think it is appropriate to manage the amount and effectiveness of employees in the company and then give them access very specific to that role. The employees should communicate as effectively as possible with their limited application access. This would enable the business process to flow efficiently and deliver the highest quality operation.
James T. Foggie says
1.What is segregation of duties and why is it a commonly used control? Give an example of two (e.g. IT) roles that should be segregated?
Segregation of Duties (SoD) – A basic internal control that prevents or detects errors and irregularities by assigning to separate individuals the responsibility for initiating and recording transactions and for the custody of assets.
SoD is commonly used in large IT orgs so that no single person is in a position to introduce fraudulent or malicious code without detection. [CISA Review Manual – 26th Edition]
An example of segregation of duties is implementing a closed-loop process for voucher approvals which requires separation of authority in the process. For example, expense vouchers must get the approval from the manager of an employee, and no employee can ever approve their own expense voucher, regardless of job title.
Another example of SoD is restricting software developers from moving program code to production (live) systems. Typically, there are controls in place to prevent such movement of code. The controls usually entail some sort of segregation of duties which requires change control records to process/authorize code movements into production systems.
Mengqiao Liu says
Great examples of SoD! I think there are some grey areas where management cannot easily see that SoD is needed, especially when the work is complicated and covers many different areas.
James T. Foggie says
2.Security in an ERP system (e.g. SAP) is complex. What is the most fuzzy, difficult to understand component? Explain
I find the ‘Authorization Object’ to be ‘fuzzy’. I am not sure how this object works or fits into the SAP configuration. The lecture content explains that this object implements access restrictions within SAP… I am not sure how.
James T. Foggie says
3.What key (1-2) competencies does the person responsible in a company for security (e.g. for a given process) need to have to be successful? Why?
Self-Assertiveness – aggressive, obtrusively energetic especially in pursuing particular goals. [1]
Punctilious – (1) Strictly attentive to detail, meticulous or fastidious, particularly to codes or conventions. (2) Precise or scrupulous [1]
The job responsibilities of a security person are vital; thus, the person who fills the job in this area must possess the aforementioned competencies.
References:
[1] https://www.merriam-webster.com/dictionary/self-assertive
James T. Foggie says
4.All companies are dynamic entities with employees and others using systems coming and going all the time. What best practices have you experienced or would you recommend for managing system users and their related security access?
One key control in place at my job is control C-11111 Software Access
Objective: Controls are in place to limit update capability for software to only authorized personnel.
Activity: Only authorized team members are granted access to software. Access to software is reviewed quarterly.
Heiang Cheung says
4. All companies are dynamic entities with employees and others using systems coming and going all the time. What best practices have you experienced or would you recommend for managing system users and their related security access?
I would recommend that IT work closely with HR to make sure that when a person’s job changes, their access changes too. HR would have to notify ISM to change their access as soon as possible to avoid any hiccups. I would also make sure that they understand the different roles in the organization and the access assigned to each role.
Heiang Cheung says
3. What key (1-2) competencies does the person responsible in a company for security (e.g. for a given process) need to have to be successful? Why?
A key competency a person responsible for security in a company would have to have is an eye for detail and efficiency, because so many things change in security that you must notice the small stuff and be detail oriented. Staffing changes a lot in an organization and you have to make sure, in a timely manner, that people have the right access, or no access if they are terminated.
Heiang Cheung says
2. Security in an ERP system (e.g. SAP) is complex. What is the most fuzzy, difficult to understand component? Explain
The most difficult to understand would be access to the system, because it’s hard to make sure people have the right access when an organization has so many different roles. An ERP system has so many business processes that if a person has access to something they are not supposed to, it could be a huge security risk.
Heiang Cheung says
1. What is segregation of duties and why is it a commonly used control? Give an example of two (e.g. IT) roles that should be segregated?
Segregation of duties is the concept that no one person has sole control over a business process. This is a commonly used control because it’s pretty simple to implement. It’s like a basic control because it prevents one person from committing fraud. IT Audit should not report to the CIO of an organization. Database admins should only have DBA authority, not root or administrator.
Akiyah says
What is segregation of duties and why is it a commonly used control? Give an example of two (e.g. IT) roles that should be segregated?
Segregation of Duties – is the restriction of access/power to any one individual. This helps lessen the opportunity to commit fraud. It is important in all companies, whether you handle money or the shipping of products.
Two examples of IT roles that should be segregated are:
1 -> Restricting developers from having access to code in Production. Someone else should have to review/move/update changes to PROD.
2 -> Developers should only have select access to the information required to do their job; they should not be able to create information in a table. If creating new information in a table is a part of their job, they should have to use APIs to control the data that is inserted/updated.
3 -> DBAs – who usually have super user access – should have a #2 to authenticate their actions.
Akiyah says
Security in an ERP system (e.g. SAP) is complex. What is the most fuzzy, difficult to understand component? Explain
I believe the complexity of all the business processes (e.g. accounting, finance) and the many different tasks that need to be performed by different employees with varying levels of security that the SAP ERP system was built to handle makes the system itself complex. I believe the complexity of the SAP ERP system could potentially leave many different points of attack/security risks.
Akiyah says
What key (1-2) competencies does the person responsible in a company for security (e.g. for a given process) need to have to be successful? Why?
A person responsible for security in a company should have the following competencies in order to be successful in their position:
1-> Attention to detail, dependability, analytical skills (ability to assess and resolve)
2-> They should be familiar with the business processes in order to be able to spot a security risk
The person should also stay up-to-date on the latest threats so they can recognize them in a timely manner.
Akiyah says
All companies are dynamic entities with employees and others using systems coming and going all the time. What best practices have you experienced or would you recommend for managing system users and their related security access?
I believe it would be up to the employee’s/consultant’s direct supervisor to alert HR immediately when the employee is hired or leaves the company. It is then up to HR to execute a process (created by IT) that efficiently updates the person’s security access, which should include everything from swipe access to computer access. A report should also be run on a weekly basis to be reviewed by Management to ensure that no one has fallen through the cracks.
Xiaozhou Yu says
1. What is segregation of duties and why is it a commonly used control? Give an example of two (e.g. IT) roles that should be segregated?
Segregation of duties (SoD) is an internal control designed to prevent error and fraud by ensuring that at least two individuals are responsible for the separate parts of any task.
Regarding IT roles, database management and system access management should be segregated to avoid an individual having master control over the whole system, which would result in a high possibility of fraud.
2. Security in an ERP system (e.g. SAP) is complex. What is the most fuzzy, difficult to understand component? Explain
The roles and functions for each module. There are many modules in ERP systems built for different business operations and functions; however, there is some overlap between different modules, which makes it difficult to define which is the right module to focus on. Also, the same or similar documents need to be duplicated for different modules when they have related functions, which might be confusing.
3. What key (1-2) competencies does the person responsible in a company for security (e.g. for a given process) need to have to be successful? Why?
The person who is responsible for security should have a higher-level overview and knowledge of security, so that this person can make proper decisions considering the whole process, but still be detail-oriented about the decision, so it can be efficient and effective for the whole process.
4. All companies are dynamic entities with employees and others using systems coming and going all the time. What best practices have you experienced or would you recommend for managing system users and their related security access?
There should be certain employees who have the overall control and management of access to systems. Many users don’t have a thorough idea of how to process properly, and there should be someone to help and avoid potential loss caused by unsecured use of the system.
Derrick A. Gyamfi says
Hana,
I agree that many users don’t have a thorough idea of how to process properly, and there should be someone to help and avoid potential loss caused by unsecured use of the system. I think systems should be maintained and managed by only knowledgeable staff. Moreover, the expertise of technology staff should be assessed and a recruitment and retention process should be in place for technology staff.
Nauman Shah says
1 – Segregation of duties ensures that two activities that are dependent on each other or are part of a workflow cannot be completed by the same individual. This also reduces conflict of interest. A common example of this in the IT environment is separating the roles responsible for approving and provisioning user access. Another example is separating the ability to develop and migrate changes to production.
Nauman Shah says
2- The most difficult part to understand in ERP from a security standpoint is user access. In SAP there are multiple roles that can be assigned to users. The SAP basis team should not only know how to provision these roles but also who to provision these roles to. Functional consultants and business process owners usually provide guidance on how to restrict access to authorized individuals only, by granting roles that are needed for the user’s job function.
Nauman Shah says
3- The core competency needed for security personnel would be understanding of access controls and segregation of duties. Security folks need to have a thorough understanding of the risk to the enterprise if inappropriate access roles are granted to users in the company. They should also be competent in logging and monitoring of certain privileged roles.
Nauman Shah says
4- Best practices to mitigate the risk of unauthorized access arising from employees leaving the company or changing roles within the company include a good workflow process between HR and IT. In an ideal situation this process should be automated: the HR system should synchronize with the Identity and Access Management system or Active Directory multiple times a day and trigger the disablement of the account in the identity management system/Active Directory when an individual is terminated in the HR system. Management should also perform periodic user access reviews to ensure that users only have the roles that they need. This is a detective control and would catch unauthorized access after the fact; therefore it must be supplemented by the preventive control mentioned above.
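As an added worked example (not code from any post in this thread), here is the HR-to-identity-store reconciliation Nauman describes, run as a script: it produces the leaver disablements the automated sync would trigger, flags movers whose roles were granted under a previous job, lists accounts with no HR owner, and builds the overdue list for the periodic access review. The HR rows, account records, field names and 90-day review interval are all constructed assumptions.

```python
"""Joiner/mover/leaver reconciliation between an HR feed and an identity store,
plus the periodic access-review list. Added example; all records below are
constructed and the field names are assumed, not taken from any real system."""
from datetime import date

# Constructed HR extract: one row per person as HR currently sees them.
HR_FEED = [
    {"emp_id": "E100", "status": "active", "job": "AP Clerk"},
    {"emp_id": "E101", "status": "terminated", "job": "Developer"},
    {"emp_id": "E102", "status": "active", "job": "GL Supervisor"},  # moved from AP Clerk
    {"emp_id": "E103", "status": "active", "job": "DBA"},
]

# Constructed identity-store accounts. job_at_grant is the job the person held
# when the current roles were assigned, so a mismatch with HR means a mover.
IAM_ACCOUNTS = [
    {"user": "e100", "emp_id": "E100", "enabled": True, "job_at_grant": "AP Clerk", "last_review": date(2023, 11, 1)},
    {"user": "e101", "emp_id": "E101", "enabled": True, "job_at_grant": "Developer", "last_review": date(2023, 11, 1)},
    {"user": "e102", "emp_id": "E102", "enabled": True, "job_at_grant": "AP Clerk", "last_review": date(2024, 1, 15)},
    {"user": "svc_batch", "emp_id": None, "enabled": True, "job_at_grant": None, "last_review": date(2023, 6, 1)},
    {"user": "e103", "emp_id": "E103", "enabled": False, "job_at_grant": "DBA", "last_review": date(2024, 2, 1)},
]

REVIEW_INTERVAL_DAYS = 90  # assumed quarterly access review


def reconcile(hr_feed, iam_accounts, today):
    """Return the actions the sync and the access review should raise.

    disable: enabled account whose HR record is terminated (leaver, preventive)
    orphan:  enabled account with no HR record at all (needs an owner)
    mover:   active person whose job changed since roles were granted
    review:  enabled account not reviewed within the interval (detective)"""
    hr_by_id = {row["emp_id"]: row for row in hr_feed}
    out = {"disable": [], "orphan": [], "mover": [], "review": []}
    for acct in iam_accounts:
        if not acct["enabled"]:
            continue  # already disabled; nothing to do
        person = hr_by_id.get(acct["emp_id"])
        if person is None:
            out["orphan"].append(acct["user"])
        elif person["status"] != "active":
            out["disable"].append(acct["user"])
        elif person["job"] != acct["job_at_grant"]:
            out["mover"].append(acct["user"])
        if (today - acct["last_review"]).days > REVIEW_INTERVAL_DAYS:
            out["review"].append(acct["user"])
    return out


def example_report():
    """Run the reconciliation on the constructed data as of a fixed date."""
    return reconcile(HR_FEED, IAM_ACCOUNTS, date(2024, 3, 1))


if __name__ == "__main__":
    for bucket, users in example_report().items():
        print(f"{bucket}: {users}")
```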
Derrick A. Gyamfi says
Segregation of Duties (SOD) is a basic building block of sustainable risk management and internal controls for a business. The principle of SOD is based on shared responsibilities for a key process that disperse the critical functions of that process to more than one person or department. Without this separation in key processes, fraud and error risks are far less manageable.
The risk management goal of SOD controls is to prevent unilateral actions from occurring in key processes where irreversible effects are beyond an organization’s tolerance for error or fraud. An example of SOD would be posting and approving journal entries.
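An added worked example (not code from any post here) that turns the conflict pairs named in this thread into a check over role assignments: approve vs. provision user access and develop vs. migrate to production from Nauman’s post, and post vs. approve journal entries from Derrick’s. The role names, activity names and user assignments are constructed; the point it shows is that a conflict can come from one over-broad role or from two roles that are harmless on their own.

```python
"""Segregation-of-duties conflict check across role assignments.
Added example; roles, activities and users below are constructed."""

# Conflicting activity pairs drawn from the discussion.
SOD_CONFLICTS = {
    frozenset({"approve_user_access", "provision_user_access"}),
    frozenset({"develop_code", "migrate_to_production"}),
    frozenset({"post_journal_entry", "approve_journal_entry"}),
}

# Constructed role catalogue. In an ERP a role bundles several activities, so a
# conflict can sit inside a single role or arise only when two roles combine.
ROLE_ACTIVITIES = {
    "Z_DEV": {"develop_code"},
    "Z_CHANGE_MGR": {"migrate_to_production"},
    "Z_ACCESS_ADMIN": {"approve_user_access", "provision_user_access"},  # conflict in one role
    "Z_GL_CLERK": {"post_journal_entry"},
    "Z_GL_SUPERVISOR": {"approve_journal_entry"},
}


def find_sod_conflicts(user_roles, role_activities=ROLE_ACTIVITIES,
                       conflicts=SOD_CONFLICTS):
    """Return {user: [(activity_a, activity_b, roles_granting_them), ...]}.

    A user is flagged when the union of activities over all assigned roles
    contains both halves of a conflict pair. The roles responsible are listed
    so the reviewer knows which assignment to remove or compensate for."""
    findings = {}
    for user, roles in user_roles.items():
        granted = {}  # activity -> set of roles that grant it to this user
        for role in roles:
            for act in role_activities.get(role, ()):
                granted.setdefault(act, set()).add(role)
        hits = []
        for pair in conflicts:
            a, b = sorted(pair)
            if a in granted and b in granted:
                hits.append((a, b, sorted(granted[a] | granted[b])))
        if hits:
            findings[user] = sorted(hits)
    return findings


# Constructed user assignments.
USER_ROLES = {
    "alice": ["Z_DEV"],                         # clean
    "bob": ["Z_DEV", "Z_CHANGE_MGR"],           # conflict across two roles
    "carol": ["Z_ACCESS_ADMIN"],                # conflict inside one role
    "dave": ["Z_GL_CLERK", "Z_GL_SUPERVISOR"],  # post and approve journal entries
}

if __name__ == "__main__":
    for user, hits in find_sod_conflicts(USER_ROLES).items():
        for a, b, roles in hits:
            print(f"{user}: {a} + {b} via {', '.join(roles)}")
```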
Derrick A. Gyamfi says
Some best practices I would recommend for managing system users and their related security access include:
• A risk assessment should be conducted and security policies should be based on it
• User accounts should be managed and procedures should identify who may modify equipment or system data
• Firewalls and antivirus software should be employed and monitored
• A disaster recovery plan should be developed and back-up procedures should be conducted
• Trained professionals should plan, monitor, and enforce security
Derrick A. Gyamfi says
A security professional is usually responsible for protecting the computer network of an organization or government agency from threats. He or she creates, maintains, and controls security measures to make sure computer networks are regulated and monitored. A couple key skills and competencies needed to be successful in the position include:
Analytical
They must have strong analytical skills. They have to be able to study computer systems, assess any potential risks, and consider possible solutions.
Creativity
Creativity is critical for information security professionals. They must be able to anticipate attacks, always thinking one step ahead of a cyber threat. This kind of forward thinking takes creativity.