richardk/iso27diy-corp
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Vault restructure

Browse source
This commit is contained in:
Richard Kranendonk 2026-04-23 11:51:51 +02:00
parent d45797d121
commit ff77508bd1
1433 changed files with 415450 additions and 1201 deletions
Download patch file Download diff file Expand all files Collapse all files

43
Corpus/📚️ Literature notes/Implementing Segregation of Duties ISACA.md Normal file
View file

@ -0,0 +1,43 @@
[Source](https://www.isaca.org/resources/isaca-journal/issues/2016/volume-3/implementing-segregation-of-duties-a-practical-experience-based-on-best-practices) [PDF download](https://www.isaca.org/-/media/files/isacadp/project/isaca/articles/journal/2016/volume-3/implementing-segregation-of-duties_joa_eng_0516.pdf)
Article in ISACA Journal
**Author:** Stefano Ferroni
**Date Published:** 19 May 2016
Retrieved: July 13, 2022
See also:
- [Roles and Responsibilities](../🎇%20Sparks/Roles%20and%20Responsibilities.md)
- [a-5.3-Segregation-of-duties](../Standards/ISO27x/OST/27002/EN/a-5.3-Segregation-of-duties.md)
- [ISO_27002_2022_5.3_PE Segregation of duties](../../../iso27DIY-gis/reference/Paraphrased/ISO27002-2022-EN/ISO_27002_2022_5.3_PE%20Segregation%20of%20duties.md)
The most widely adopted SoD model requires separation between authorization (AUT), custody (CUS), recording (REC) and verification (VER).
Ideally, these duties are performed by different persons (or parties).
![](SOD%20functions.jpg)
This model is consistent with the COBIT 5 view of SoD issues (DSS06.03).
This can be hard, or even impossible to implement in practice.
Often, agents may perform different duties on the same assets as long as they are authorized by a second person. An example is an accounts payable team receiving invoices (REC) *and* creating payment orders (CUS) after authorization by the manager (AUT).
In the example where an online recording operation creates an automatic payment, such segregation is simply impossible to achieve.
An SOD framework should also make a distinction between management duties (e.g., granting and revoking rights, reporting, and managing exceptions) and governance duties (evaluating, directing and monitoring SoD rules and practices).
### Risk assessment
For risk assessment, a matrix can be constructed for every combination of conflicting duties, with associated risk scenario examples:
![](SOD%20risk%20scenario%20matrix.jpg)
### Scoping rules
- Asset Scoping: different duties may be performed by the same person (or team), as long as they do not involve the same asset (or set of assets).
- Process scoping: for any asset (or set of assets), processes that transform the status of that asset must be segregated.
### Role engineering
For defining role-based privileges, as used in Role-based Access Control (RBAC) top-down and bottom-up approaches are used. Top-down means identifying the necessary privileges from the job description, bottom-up means inferring roles by examining existing permissions on systems and applications (also known as role mining).
### Downloaded copy of document in Attachments folder
![](ISACA%20Implementing%20Segregation%20of%20Duties%201.pdf)