Segregation of Duties Policy

Version: 1.00Issue Date: 3/16/2015

This Segregation of Duties Policy ensures that possible privilege abuse by single individuals is reduced.

1.0 Overview

This Segregation of Duties Policy will help ensure that abuse by a single individual cannot occur by limiting single user privileges where a conflict of interest or profit opportunity may exist.

2.0 Purpose

This Segregation of Duties Policy requires that multiple employees be required to perform duties where opportunity for profit or abuse could occur by one individual if that individual had the ability to perform specific tasks.

3.0 Scope

This Segregation of Duties Policy applies to all IT duties in the organization where a conflict of interest or profit opportunity may exist. For example, changes to production systems by developers is not allowed. This policy is effective as of the issue date and does not expire unless superceded by another policy.

4.0 Requirements

  • Requests for new software must be approved by management.
  • Requests to modify software developed by the organization must be approved by management and be part of a project.
  • Transfers of money require the approval of at least two employees.
  • Changes to master files cannot be made by IT personnel without approval from management.
  • Transactions cannot be originated or authorized by IT personnel without management approval.
  • Personnel access controls - The following are required
    • The Account Management Policy must be followed.
    • Identity of the user and allowed access must be confirmed before an account is issued, a password is modified, or a password is issued.
    • Passwords may not be changed without the account owner's permission except by administrators and only in the case of an emergency. If a password is modified by administrators, the account owner must be notified as soon as possible.
    • When administrators reset passwords, it is required that the account owner must change the password at the time of the first login.
  • Accounts used for special functions such as support including upgrading software or installing software must have the following controls applied.
    • All actions must be logged and monitored by the system administrator.
    • The account must be disabled except when required for the support function.
  • If an administrator or user suspects a system is compromised, it must be reported immediately to a security officer and management according to the Incident Response Policy.
  • All suspected security compromises must be investigated to their full conclusion according to the Incident Response Policy and mitigating action must be taken.
  • If a system is determined to have been compromised, the system administrator and the security officer must jointly decide whether all accounts on the server must have their passwords reset.
  • All default passwords must be changed when a system is installed.
  • Each system must require a login according to the Account Management Policy.
  • The system must be locked out after the specified number of failed login attempts according to the Password Policy.
  • Inactive sessions should be locked requiring a password to get back in within a specified period of inactivity according to the Password Policy.
  • A logon banner must be displayed on all organizational systems according to the Logon Banner Policy.
  • Any publically available systems, which have a continuous logged in state, not requiring a login, must have limited access and be appropriately monitored.

5.0 Required Application Development Practices

  • Software developers are not allowed to make changes to production servers and are only allowed to make changes on development servers. This must be enforced by logical access controls as a minimum and physical access controls may be used to enforce this requirement. Only the developers may test or change code on the development servers.
  • Once management has approved code for testing, system administrators will transfer code to the QA environment for customer testing. The system administrators will log the transfer of code. Only designated test personnel or end users may test code on test servers.
  • Management must approve the transfer of code from the testing or QA environment to the production environment and system administrators will transfer the code and log the transfer. Only system administrators of the production environment and authorized end users are allowed to access the production environment.
  • Software version control and development collaboration tools must be used during the software development process to ensure that work is not overwritten by other developers and that the version of the software is properly tracked and documented.
  • The roles and responsibilities required for the approval and transfer of code from test or quality assurance environments to production environments must be clearly defined. The role of programmers, database administrators, security administrators, end users, systems administrators, and quality assurance personnel must be defined in the process.
  • Passwords for aany application or other accounts including database access accounts may not be stored in easily reversible form or in clear text.
  • At least one control must exist for preventing the reading of password files without authentication.
  • If a user must be able to take over the functions of another user, it must be possible to do that without one user knowing the password of another user.
  • Passwords may not be coded into the software.
  • The application should not allow passwords to be displayed or printed.

6.0 Responsibilities

A combination of management, auditors, and/or information officers must ensure that changes to data are performed by following the correct processes and are properly authorized. A combination of management, auditors, and administrators must ensure that unauthorized software is not installed or that software is not modified without proper authorization.

The account manager or security administrator is responsible to adhering to and enforcing the Personnel access controls in the requirements section, above.

System administrators will control the enabling and disabling of accounts on systems they administer. They will monitor the system for possible security incidents and report suspicions to their management and security officer.

7.0 Enforcement

Since following the Segregation of Duties Policy is important for the security and welfare of the organization, employees that purposely violate this policy may be subject to disciplinary action up to and including denial of access, legal penalties, and/or dismissal. Any employee aware of any violation of this policy is required to report it to their supervisor or other authorized representative.

8.0 Other Policies

  • Account Management Policy
  • Incident Response Policy
  • Account Management Policy
  • Password Policy
  • Logon Banner Policy

9.0 Additional Requirements

  • Roles and responsibilities for control and changes to software must be created such that no single person can add, modify, or delete critical or important information without authorization.
  • Standards must be created which enforce appropriate segregation of duties between the various IT roles regarding software changes, system changes, and administrative duties.
  • Roles, responsibilities, and standards must be periodically reviewed to identify any needed changes or conflicting duties. Updates to standards, roles, and responsibilities must be made as appropriate.
  • Logical controls combined with physical controls should be used to enforce separation of duties.
  • Provision is allowed for duties to still be performed with separation of duties in force when some personnel are not avalailable such as on leave.
  • When it is not possible to enforce separation of duties, other controls such as logging and review of activities are used to be sure there is no abuse of privileges.

Approval

Approved by:__________________________ Signature:_____________________ Date:_______________