The Ultimate Manual For Separation of Duties

By splitting up workloads and giving more than one person control over processes, separation of duties (SoD) ensures that multiple people share responsibilities in a series of checks and balances, reducing the chances of errors or fraud.

Implementing separation of duties for a security team takes some time, but it’ll make the process of managing the organization’s network safer.

What is Separation of Duties Anyway?

In the world of finance and accounting, separation of duties is a common practice. By separating those in the organization who handle receipts from those who make the bank deposits from those who pay the bills, for instance, the organization reduces the chances of fraud.

If one person controlled all of those aspects of the organization’s financial side, they could misappropriate or steal funds, altering the accounting records to hide their bad actions, and it would be difficult for someone outside the accounting department to catch the fraud.

SoD in Security

Within an IT department, separation of duties (also called segregation of duties) refers to the network security of the organization. Implementation of SoD in terms of security deals with both fraud and hacker attacks.

  • Fraud: Detecting fraud through the implementation of SoD involves enacting policies that find conflicts of interest or unchecked errors before those problems could place the network at risk.
  • Attacks: By implementing SoD control features, the organization’s security department should be able to detect potential theft of information or security breaches before they happen.

In basic terms, SoD involves implementing a series of checks and balances that ensure the security team can keep the organization’s network and data safe from both internal and external attacks.

How Separation of Duties Works

When developing a separation of duties plan, the organization’s security team will come up with a list of tasks and duties the plan should address. The team then determines how to split up the duties properly to create the desired level of checks and balances.

Some of the most important aspects of creating an SoD plan include the following:

  • Data Management: Security team members should rank data in terms of its sensitivity levels. Data deemed to have the highest levels of sensitivity should receive the greatest protection under the SoD plan. Commonly available data doesn’t need protection.
  • Data Ownership: Should some of the organization’s members only need access to sensitive data occasionally, the SoD plan should spell out who can grant them access to this data and how at least two members of the security team will track the use of the sensitive data.
  • Modifying the Network: Any modification of the network processes should need approval from at least two team members, whether that involves changing network permissions, downloading software, or making adjustments to the network firewall.
  • Monitoring System Logs: Within the SoD plan, no single person should have the ability to review and edit system logs without oversight from another team member.
  • New Accounts: When new employees join the organization, checks and balances in the creation of new accounts will catch errors or fraudulent activity that would give a new employee unnecessary network permissions.

Common Mistakes in Creating an SoD Plan

The biggest mistake organizations make in terms of trying to create a separation of duties plan is not discussing the roles and oversight thoroughly enough as a team. Without clear role assignment and oversight, some aspects of network security may not have the proper level of checks and balances, creating exploitable holes in the system.

Additionally, it’s important for the security team to run detailed tests on the plan before implementing it. The testing process should catch areas where only one person has control of a certain aspect of the network, as well as places where the definition of the members’ roles is lacking necessary detail.

Even if your organization hires a third-party group to oversee your separation of duties plan, you should have a few people who review the work of this third-party group on a regular basis.

Example 1: Defeating Inside Attacks

Team members have access to the network every day, allowing them to do their jobs and keep the organization working smoothly. Although you trust your team members, a cyberattack that originates from inside the organization is always a possibility.

Implementing a proper SoD plan will help you greatly reduce the possibility of this type of attack. With checks and balances in place, other team members should be able to spot clues that reveal the possibility of an inside attack.

Thwarting Planned Inside Attacks

Within an SoD plan, at least two team members should always have oversight of the system. Should an employee attempt to upload malicious software or malware to harm or bring down the network, for example, having more than one person in charge of searching for malware increases the chances of catching it before it does damage.

Should one of the security team members be initiating the attack, having a second person involved in checking for attacks will thwart the first person.

As an added benefit, any employee considering starting an inside attack may choose not to because of the strong separation of duties plan in place. The employee knows they will not be able to avoid detection, so they won’t try the attack.

Thwarting Inadvertent Inside Attacks

Some inside attacks are inadvertent. The right SoD plan should catch these potential errors before they happen too.

Suppose a team member who has oversight for downloading apps and software unknowingly downloads malware or another type of malicious software. Under the SoD, a second team member would also be able to oversee the software downloads, hopefully spotting the dangerous software in case the first person misses it.

Without an SoD plan, if only the first person has oversight regarding downloading of apps, the malware may end up on the network without detection. The team member probably didn’t mean to download the dangerous software, but the result is the same as if the attack occurred on purpose.

Example 2: Protection of Data

Preventing data breaches is a key role of any organization’s security team. A data breach could lead to significant financial loss for the organization, either through the loss of customer trust or through financial judgments against the organization.

Governmental oversight requires protecting sensitive data for customers and employees. If hackers steal credit card information or Social Security numbers, your organization could end up receiving significant financial penalties.

Ensuring data protection through the implementation of a separation of duties plan involves a few different practices.

Viewing Sensitive Data

The security team needs to ensure that only those members of the organization who need to see sensitive personal data for customer relations have access to this data.

At least two members of the security team need to be able to review which people have access to sensitive data and to make adjustments to permissions as needed.

Without an SoD plan in place and without clear oversight from security team members about who receives access to this data, the likelihood of an employee having unnecessary access to sensitive data goes up. This error would increase the potential for the data to fall into the wrong hands through fraud or hacking.

Tracking Those Who Access Sensitive Data

The separation of duties plan should set up a tracking process for monitoring which employees gain access to which types of sensitive customer data. Should a data breach occur, being able to track who accessed the sensitive data can help the security team discover the source of the breach.

The SoD plan should implement checks and balances so that at least two people work together to track down the information. With oversight from multiple people, there’s no chance of the same person who caused the data breach also being the only person who is investigating the breach.

Example 3: Splitting Network Oversight Duties

If an attack occurs where hackers steal the login credentials of a member of the security team, your organization’s SoD plan can limit the amount of damage the hackers can accomplish before you discover the intrusion.

Without an SoD plan in place, members of the security team may have access to the network without any checks and balances from other team members.

If the hackers are able to steal the credentials of one of these powerful team members, they could take full advantage of their newfound access, doing significant damage to the network and stealing significant amounts of sensitive data.

By splitting up the duties of the security team among several different people, no single team member has unchecked power over the network and the organization’s data. Consequently, the hackers would not be able to gain unchecked power either, unless they manage to steal credentials for multiple people.

Example 4: Implementing Technical Safeguards

A significant part of any organization’s security plan includes setting up firewalls, intrusion detection systems, and vulnerability scanning.

If one team member has control of all of these aspects of network protection, it’s possible that this person will miss something, leading to a breach.

Having a separation of duties plan in place that splits control and management of these safeguards ensures that multiple team members have a role in managing and monitoring the network’s protective measures.

Whether a team member makes an error with the network’s management software on purpose or inadvertently, having checks and balances in place should allow the security team to catch the error before significant damage occurs.

How to Get Started With Separation of Duties

Here are some ideas to help an organization begin implementing an SoD plan.

Perform an Assessment of Risk

Before assigning responsibilities within the organization regarding security measures, it’s important to understand exactly where your organization’s vulnerabilities lie regarding security. You then can build the SoD plan around the risks.

Additionally, the risk assessment should define the potential security risks for each position on the security team. Define the duties for each position, and then determine what kinds of security risks those duties have.

Undertaking a detailed assessment of risk for your organization’s security measures should be a regular process. Depending on how quickly the organization is growing and changing, you may need a reassessment every three to six months. For an organization growing at a slower pace, an annual reassessment probably will be sufficient.

Hire a Third-Party Security Service

Third-party companies are available to handle the security concerns of an organization. These organizations can perform a variety of security functions including:

  • Performing a risk assessment
  • Developing a security plan
  • Running a security audit
  • Testing the security measures
  • Creating reports for the organization to review
  • Monitoring the safety of sensitive data
  • Watching for security breaches

Hiring an outside team to take care of the implementation of security measures for the organization fits the definition of separation of duties. No employee would have control over the security processes, reducing the chances of fraud.

The organization may want to have the third-party security service report to multiple people in the organization or to an audit committee to follow SoD practices. You don’t want one person in your organization to have access to all of the reports, determining which information they choose to share with the rest of the team.

Another reason to consider hiring a third-party service is to support a small security team. If the team members are able to handle certain aspects of the separation of duties plan, the third-party organization could cover any remaining areas outside your team’s bandwidth.

Determining the Success of an SoD Implementation

After creating a separation of duties plan, the security team can ask itself a few different questions to test the usefulness of the plan. If the answer to any of these questions is no, the plan will need some tweaking to make it something the organization can implement.

  • Does one person control sensitive data? Any sensitive customer or organizational data should have at least two people with the ability to track its usage. This ensures one person cannot move, delete, or copy the data without the knowledge of at least one other member of the security team.
  • Does one person handle security monitoring? At least two members of the security team should be able to monitor warnings about security breaches or digital attacks. If only one person monitors this information, they could allow hackers to go unchecked, either on purpose or inadvertently.
  • Does any employee have responsibilities that conflict? If one member of the security team has responsibilities for implementing the security plan and also testing the security plan, this could result in holes in the plan. The person implementing the plan may not see the need to run extensive tests, for example, or may decide to manipulate the plan or its testing to their own benefit.
  • Are subordinates monitoring the actions of supervisors? Unless your security department is extremely small, only consisting of a few people, subordinates should not receive responsibilities that would require them to monitor the actions of a supervisor. This could cause significant conflicts of interest.
  • Are non-security personnel involved? Again, unless you have a small security department, you may not want employees who rarely deal with security to have responsibilities under separation of duties. Non-security personnel may not understand exactly what kinds of problems they should watch for, and they may not have the time to appropriately dive into security issues, allowing potential breaches to occur.

Another option is hiring a third-party auditor to study your organization’s SoD setup to determine whether it is as safe as it could be.

Incredible companies use Nira

Every company that uses Google Workspace should be using Nira.
Bryan Wise
Bryan Wise,
Former VP of IT at GitLab

Incredible companies use Nira