Segregation of duties: Small business best practices
Segregating duties can be tough in organisations that have few staff members and resources. Get duty segregation best practices for SMBs.
Mention IT security to most people and they think of firewalls, intrusion detection systems, antivirus software, two-factor authentication and many other highly marketed security products. While these certainly all have a role in information assurance, so does the segregation of duties, a critical aspect of fraud prevention and detection. Yet this vital security control is often disregarded, even though it is a key element of effective internal control within an organisation.
When it comes to segregation of duties, small business best practices are especially important. A lack of segregation of duties is a significant contributing factor in almost all occurrences of fraud, and is often found to be a weakness during post-analysis of system compromises. Segregation of duties means the steps in key processes are divided among two or more people so no one individual can act alone to subvert a process for his or her own gain or purposes. Clause 10.1 of ISO 27001 Annex A covers operational procedures and responsibilities, and control A.10.1.3, "Segregation of duties", states duties and areas of responsibility should be segregated to reduce opportunities for unauthorised or unintentional modification or misuse of the organisation's assets.
Any organisation that is ISO 27001 certified will know that segregation of duties is an area that comes under close scrutiny during compliance reviews, and if any processes aren't well segregated, the auditors will then conduct thorough integrity checks on any affected systems. Thus, it makes sense to consider segregation of duties from the outset. Standard management reviews of employees' work can catch improper activities, but they'll never be as effective at preventing fraud and other malicious activities as well-documented, -implemented and -enforced duty segregation for in-house and contracted personnel.
At-risk departments
The two departments at the greatest risk from fraud within an organisation are accounting and IT. Money is often the motivating force behind attempted fraud, and even trusted employees under financial pressure may rationalise away their fraudulent activities: "The company can afford it," "They don't pay me enough," or "It's not doing anyone any personal harm," are a few such rationalisations. As more processes become paperless, less hard evidence is produced that employers could use to spot and prove fraud. Also, many off-the-shelf accounting software and network management product suites do not make it easy to implement proper duty segregation; their customisable workflows often make it easier for users to falsify accounting records, make illegal payments, and access and steal sensitive data.
Segregation of duties may be easier to achieve in larger organisations with bigger budgets and more comprehensive staffing; for smaller companies with limited personnel and resources, it can present a challenge. So let's look at some potential compensating controls and other solutions and best practices for organisations struggling with segregation of duties, small businesses in particular.
Pre-employment screening
Pre-employment screening is a fundamentally important element of a personnel security regime. The role of pre-employment screening is to establish that job applicants and contractors are who they claim to be, verify their credentials and check that they meet any preconditions of employment. These checks also establish whether applicants have concealed important information or misrepresented themselves, or if they present a possible security concern.
As with all aspects of security, checks on employees should be a continuous process, not a one-off event that only occurs when somebody is hired. Once hired, employees can exploit their legitimate access to the organisation's assets for a variety of purposes. Therefore, policies and procedures need to cover personnel security, not just at the point of hire, but as an ongoing activity to manage the risk of existing staff and contractors who may be looking to exploit their legitimate access to your premises, assets or data.
If staff know that personnel security doesn't stop once they've been hired, it will discourage all but the most determined. Be aware that people and attitudes can change, either gradually or in response to particular events. Insider acts are often carried out by employees who had no malicious intent when joining the organisation, but whose loyalties and motives changed since recruitment.
Managers should know their staff well enough to recognise any changes in their habits and lifestyles that don't have a valid explanation, such as increasingly illogical, secretive and nervous behaviour, or new designer clothes, an expensive new car or exotic holidays. Conversely, beware of employees who never have a day sick or take a holiday; in other words, people who are always at their desks. This devotion to their job could be because they need to stay on top of their fraudulent activities to avoid detection.
Although managers can't control employees' motivations for committing fraud, they can create an environment and establish procedures to reduce the number of opportunities to take advantage of their position within the company. Employers should let their employees know that checks, such as regular reviews of network logs and reconciliation of financial statements and records, are in place to prevent and detect fraud.
Mandatory vacations
Where possible, implement assignment rotations for personnel and ensure employees are required to take at least one two-week holiday a year. A mandatory vacation policy is a must, as system abuse can come to light if a covering worker notices irregularities in the vacationing person's work. These types of practices will assist in identifying long-standing undesirable activities.
While care should be taken to avoid creating an atmosphere of distrust, the presence and active interest of senior managers is sometimes enough to prevent many employees from attempting to defraud the company. These senior individuals should be instructed on the importance of segregation of duties, and be charged with ensuring no one individual in their business units has unchecked, unmonitored systems access. On the positive side, such malicious activity should be easier to detect within a smaller organisation, as its structure will mostly be flatter and tightly interconnected. However, out of necessity, certain individuals, such as the personnel officer, accounts manager and the head of IT, will often have far-reaching rights and powerful privileges in order to get their jobs done. Therefore, certain checks and balances need to exist to ensure these privileges aren't abused.
Segregation examples
The person who opens the mail shouldn't be preparing deposit slips and taking cheques to the bank. More than one person should always be involved in these types of financial processes to reduce the risk of collusion and fraud. Other activities that can be easily separated include:
- Mail receipt and distribution;
- Application development and verification;
- Application development and administration;
- Network administration and log analysis;
- Database administration, and bank or user account administration;
- Payments and payment authorisation.
Databases should be set up to support job and role segregation. Careful role creation should ensure only necessary privileges are granted to employees within each respective role to complete their jobs. Convenience often replaces security when it comes to assigning access privileges, especially database privileges. Most end users are given far more privileges than they actually need, often because it can be time consuming or politically difficult to give each person the exact permissions needed. Broad-brush database privileges can be misused by authorised but unethical employees. Implementing the principle of least privilege, which "gives the user no more privilege than is necessary to perform a task or job", is even more important in situations where it is difficult to establish a complete separation of duties.
Generally nobody other than a system administrator will need access to every database and every application, and for administrators there should be additional measures, such as server rooms requiring paired access with sign-in and sign-out procedures. Given the in-depth knowledge admins have of an organisation's IT operations, they should have clearly defined operational task limitations and be held accountable for any unauthorised activities outside of those limitations.
Information security audits should be carried out on a regular basis with a particular regard for identifying possible fraudulent activities. Malicious activity is usually covert, so existing controls should be checked to see how well they prevent and detect fraud. In the same manner that a company's accounts are audited by an independent firm of accountants every year, so too should the work of system administrators; in fact, control A.6.1.8 of ISO 27001 requires an independent review of information security at planned intervals.
While not foolproof, duty segregation will help deter errors and irregularities by those developing, accessing or administering computer and accounting systems. It also makes information gathering harder for attackers, as they need to obtain information from a greater number of people. The critical point is to understand and appreciate the fraud environment factors that impact your particular organisation and implement mitigating controls where tasks can't be fully segregated and there is a lack of paper evidence.
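The duty pairs listed above and the least-privilege point in the previous paragraph can both be checked mechanically against an access list. The following Python script is an added example written for this article (it is not code from the original piece or from any product it mentions): it flags any user who holds both halves of a conflicting duty pair, and any privilege a user holds that none of their duties requires. The duty names, the privilege strings and the sample user assignments are constructed for illustration; a real review would read them from the HR roster and from the database or directory grants.

```python
"""Segregation-of-duties and least-privilege review over an access list.

Added example, not from the original article. All duty names, privilege
strings and user data below are constructed for illustration.
"""
from itertools import combinations

# Duty pairs the article says should be held by different people.
CONFLICTING_DUTY_PAIRS = frozenset({
    frozenset({"mail_receipt", "mail_distribution"}),
    frozenset({"app_development", "app_verification"}),
    frozenset({"app_development", "app_administration"}),
    frozenset({"network_administration", "log_analysis"}),
    frozenset({"database_administration", "account_administration"}),
    frozenset({"payment_entry", "payment_authorisation"}),
})

# Minimum privilege each duty needs (constructed; a real map comes from the
# application's role definitions). Anything granted beyond this is excess.
DUTY_PRIVILEGES = {
    "mail_receipt":            {"mail:open"},
    "mail_distribution":       {"mail:route"},
    "app_development":         {"source:commit"},
    "app_verification":        {"source:review"},
    "app_administration":      {"prod:deploy"},
    "network_administration":  {"network:configure"},
    "log_analysis":            {"logs:read"},
    "database_administration": {"db:admin"},
    "account_administration":  {"accounts:manage"},
    "payment_entry":           {"payments:insert"},
    "payment_authorisation":   {"payments:approve"},
}

# Constructed sample data: who holds which duties, and what is actually granted.
SAMPLE_ASSIGNMENTS = {
    "alice": ["payment_entry", "payment_authorisation", "mail_receipt"],
    "bob":   ["network_administration", "log_analysis"],
    "carol": ["app_development"],
    "dave":  ["app_verification", "mail_distribution"],
}
SAMPLE_GRANTS = {
    "alice": {"payments:insert", "payments:approve", "logs:read"},
    "bob":   {"network:configure", "logs:read"},
    "carol": {"source:commit", "prod:deploy"},
    "dave":  {"source:review"},
}


def sod_violations(assignments):
    """Return {user: [(duty_a, duty_b), ...]} for every user holding a conflicting pair."""
    violations = {}
    for user, duties in assignments.items():
        found = [
            (a, b)
            for a, b in combinations(sorted(set(duties)), 2)
            if frozenset({a, b}) in CONFLICTING_DUTY_PAIRS
        ]
        if found:
            violations[user] = found
    return violations


def excess_privileges(assignments, granted):
    """Return {user: [privilege, ...]} for privileges no assigned duty requires."""
    excess = {}
    for user, duties in assignments.items():
        needed = set().union(*(DUTY_PRIVILEGES.get(d, set()) for d in duties))
        extra = set(granted.get(user, set())) - needed
        if extra:
            excess[user] = sorted(extra)
    return excess


def review(assignments, granted):
    """Run both checks and return a combined report dictionary."""
    return {
        "sod_violations": sod_violations(assignments),
        "excess_privileges": excess_privileges(assignments, granted),
    }


if __name__ == "__main__":
    report = review(SAMPLE_ASSIGNMENTS, SAMPLE_GRANTS)
    for user, pairs in report["sod_violations"].items():
        for a, b in pairs:
            print(f"SoD conflict: {user} holds both '{a}' and '{b}'")
    for user, privs in report["excess_privileges"].items():
        print(f"Excess privilege: {user} has {privs} beyond assigned duties")
```

In the sample data the script reports alice (payment entry plus authorisation, the classic single-person payment path) and bob (network administration plus log analysis) as conflicts, and flags alice's unused logs:read grant and carol's prod:deploy grant as excess. Carol's case is the one worth noticing in a small business: her duties are not in conflict on paper, but the excess grant gives her the development-and-administration combination in practice, which is exactly where a compensating control such as independent review of deployments belongs when the duties cannot be split across people.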
About the author:
Michael Cobb, CISSP-ISSAP, is a renowned security author with more than 15 years of experience in the IT industry. He is the founder and managing director of Cobweb Applications, a consultancy that provides data security services delivering ISO 27001 solutions. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Cobb serves as SearchSecurity.com's contributing expert for application and platform security topics, and has been a featured guest instructor for several of SearchSecurity.com's Security School lessons.
Source: https://www.computerweekly.com/tip/Segregation-of-duties-Small-business-best-practices