
[Source](https://www.isaca.org/resources/isaca-journal/issues/2016/volume-3/implementing-segregation-of-duties-a-practical-experience-based-on-best-practices) [PDF download](https://www.isaca.org/-/media/files/isacadp/project/isaca/articles/journal/2016/volume-3/implementing-segregation-of-duties_joa_eng_0516.pdf)
Article in ISACA Journal
**Author:** Stefano Ferroni
**Date Published:** 19 May 2016
**Retrieved:** July 13, 2022
See also:
- [Roles and Responsibilities](Roles%20and%20Responsibilities.md)
- [a-5.3-Segregation-of-duties](../Standards/ISO27x/OST/27002/EN/a-5.3-Segregation-of-duties.md)
- [ISO_27002_2022_5.3_PE Segregation of duties](../../../iso27DIY-gis/reference/Paraphrased/ISO27002-2022-EN/ISO_27002_2022_5.3_PE%20Segregation%20of%20duties.md)
The most widely adopted SoD model requires separation between authorization (AUT), custody (CUS), recording (REC) and verification (VER).
Ideally, these duties are performed by different persons (or parties).
![](SOD%20functions%20diagram.jpg)
This model is consistent with the COBIT 5 view of SoD issues (DSS06.03).
Full separation can be hard, or even impossible, to implement in practice.
Often, agents may perform different duties on the same assets as long as they are authorized by a second person. An example is an accounts payable team receiving invoices (REC) *and* creating payment orders (CUS) after authorization by the manager (AUT).
Where, for example, an online recording operation automatically creates the payment, such segregation is simply impossible to achieve.
An SoD framework should also distinguish management duties (e.g., granting and revoking rights, reporting, and managing exceptions) from governance duties (evaluating, directing and monitoring SoD rules and practices).
### Risk assessment
For risk assessment, a matrix can be constructed for every combination of conflicting duties, with associated risk scenario examples:
![](SOD%20risk%20scenario%20matrix.jpg)
### Scoping rules
- Asset Scoping: different duties may be performed by the same person (or team), as long as they do not involve the same asset (or set of assets).
- Process scoping: for any asset (or set of assets), processes that transform the status of that asset must be segregated.
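The conflict matrix from the risk assessment and the asset scoping rule can be checked mechanically against an export of who holds which duty on which asset. The following is an added example (not code from the ISACA article or the iso27DIY project); the duty codes AUT/CUS/REC/VER follow the article, while the conflict scenarios, the persons, assets and assignments are constructed. It also models the article's accounts-payable case: REC and CUS held by one person on an asset is tolerated when an independent second person holds AUT on that asset.

```python
"""Segregation-of-duties conflict check with asset scoping (added example)."""
from collections import defaultdict
from itertools import combinations

# Duties of the article's SoD model.
AUT, CUS, REC, VER = "AUT", "CUS", "REC", "VER"

# Conflict matrix: pairs of duties one person must not hold on the same asset,
# each with a risk scenario. Constructed for the example; a real matrix comes
# from the organisation's own risk assessment.
CONFLICTS = {
    frozenset({AUT, CUS}): "approve and execute one's own payment",
    frozenset({AUT, REC}): "approve and record one's own transaction",
    frozenset({CUS, REC}): "execute and record, concealing misuse",
    frozenset({VER, AUT}): "verify one's own approvals",
    frozenset({VER, CUS}): "verify one's own execution",
    frozenset({VER, REC}): "verify one's own records",
}

# Conflicts accepted when a *different* person holds AUT on the same asset
# (the article's accounts-payable team example).
TOLERATED_WITH_INDEPENDENT_AUT = {frozenset({CUS, REC})}

# Constructed assignments: (person, duty, asset).
ASSIGNMENTS = [
    ("alice", REC, "vendor-invoices"),
    ("alice", CUS, "vendor-invoices"),  # REC+CUS on one asset, manager bob authorises
    ("bob", AUT, "vendor-invoices"),
    ("carol", REC, "vendor-invoices"),
    ("carol", CUS, "payroll"),          # same duties as alice, but on different assets
    ("dave", VER, "payroll"),
    ("dave", AUT, "payroll"),           # VER+AUT on one asset, nobody else authorises
]


def find_violations(assignments, conflicts=CONFLICTS,
                    tolerated=TOLERATED_WITH_INDEPENDENT_AUT):
    """Return one finding per conflicting duty pair a person holds on the same
    asset (asset scoping: the same duties on different assets are allowed).
    A finding is marked compensated when the pair is tolerated and another
    person holds AUT on that asset."""
    held = defaultdict(set)        # (person, asset) -> duties held
    aut_holders = defaultdict(set)  # asset -> persons holding AUT
    for person, duty, asset in assignments:
        held[(person, asset)].add(duty)
        if duty == AUT:
            aut_holders[asset].add(person)

    findings = []
    for (person, asset), duties in sorted(held.items()):
        for a, b in combinations(sorted(duties), 2):
            pair = frozenset({a, b})
            if pair not in conflicts:
                continue
            independent_aut = aut_holders[asset] - {person}
            findings.append({
                "person": person,
                "asset": asset,
                "duties": (a, b),
                "scenario": conflicts[pair],
                "compensated": pair in tolerated and bool(independent_aut),
            })
    return findings


def residual_violations(assignments, **kwargs):
    """Findings that no compensating authorisation covers; these need a fix
    (reassign the duty, split the asset, or add a second-person control)."""
    return [f for f in find_violations(assignments, **kwargs) if not f["compensated"]]


if __name__ == "__main__":
    for f in find_violations(ASSIGNMENTS):
        status = "compensated" if f["compensated"] else "VIOLATION"
        print(f"{status}: {f['person']} holds {f['duties']} on {f['asset']} ({f['scenario']})")
```

Carol's REC on vendor invoices and CUS on payroll produce no finding, which is the asset scoping rule at work; Alice's REC+CUS is reported but compensated by Bob's independent AUT; Dave's VER+AUT on payroll is the only residual violation.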
### Role engineering
For defining role-based privileges, as used in Role-Based Access Control (RBAC), both top-down and bottom-up approaches are used. Top-down means deriving the necessary privileges from the job description; bottom-up means inferring roles by examining the permissions that already exist on systems and applications (also known as role mining).
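The bottom-up approach can be illustrated with a minimal role-mining pass over an exported user-to-permission list, followed by a check that no mined role bundles conflicting duties. This is an added example, not code from the ISACA article or the iso27DIY project; the permission names, their duty tags, the users and the conflict pairs are constructed.

```python
"""Bottom-up role engineering (role mining) with an SoD check (added example)."""
from collections import defaultdict

# Constructed permission inventory: each permission tagged with the SoD duty
# it represents (duty codes follow the article).
PERMISSION_DUTY = {
    "ap.invoice.create": "REC",
    "ap.invoice.approve": "AUT",
    "ap.payment.release": "CUS",
    "ap.payment.reconcile": "VER",
    "hr.payroll.edit": "REC",
}

# Constructed export of user -> permissions, as an application would list them.
USER_PERMISSIONS = {
    "alice": {"ap.invoice.create", "ap.payment.release"},
    "bob":   {"ap.invoice.create", "ap.payment.release"},
    "carol": {"ap.invoice.create", "ap.payment.release"},
    "dave":  {"ap.invoice.approve"},
    "erin":  {"ap.invoice.approve"},
    "frank": {"ap.invoice.approve", "ap.payment.release", "hr.payroll.edit"},
}

# Constructed conflict pairs (a real list comes from the risk assessment).
CONFLICTING_DUTIES = {
    frozenset({"AUT", "CUS"}),
    frozenset({"AUT", "REC"}),
    frozenset({"CUS", "REC"}),
}


def mine_roles(user_permissions, min_users=2):
    """Group users by identical permission sets. Each set shared by at least
    min_users becomes a candidate role; users with a unique set are returned
    as exceptions for manual (top-down) review.
    Returns (roles, exceptions) with roles: name -> (permissions, members)."""
    groups = defaultdict(list)
    for user, perms in user_permissions.items():
        groups[frozenset(perms)].append(user)

    # Largest groups first so role numbering is stable and meaningful.
    ordered = sorted(groups.items(), key=lambda kv: (-len(kv[1]), sorted(kv[0])))
    roles, exceptions = {}, []
    for perms, members in ordered:
        if len(members) >= min_users:
            roles[f"role-{len(roles) + 1}"] = (set(perms), sorted(members))
        else:
            exceptions.extend(members)
    return roles, sorted(exceptions)


def role_conflicts(permissions, perm_duty=PERMISSION_DUTY, conflicts=CONFLICTING_DUTIES):
    """Conflicting duty pairs that a set of permissions would grant together."""
    duties = {perm_duty[p] for p in permissions if p in perm_duty}
    return sorted(tuple(sorted(pair)) for pair in conflicts if pair <= duties)


if __name__ == "__main__":
    roles, exceptions = mine_roles(USER_PERMISSIONS)
    for name, (perms, members) in roles.items():
        print(name, sorted(perms), members, "conflicts:", role_conflicts(perms))
    for user in exceptions:
        print("exception:", user, "conflicts:", role_conflicts(USER_PERMISSIONS[user]))
```

Mining alone only reproduces what the systems already grant; here the first mined role bundles REC and CUS, and the single exception user holds AUT, CUS and REC. The top-down step then decides whether to split such a role, or to keep it under a second-person authorization as in the article's accounts-payable example.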
### Downloaded copy of document in Attachments folder
![](Implementing%20Segregation%20of%20Duties%20ISACA%20PDF.pdf)