Now, as this relates specifically to security, the individual responsible for designing and implementing security cannot be the same person as the one responsible for testing security, conducting security audits, and monitoring and reporting on security. For these reasons, the individual responsible for information security should not report to the Chief Information Officer, as is traditionally the case.
Separation of duties is a common policy when people are handling money so that fraud requires collusion of two or more parties. This greatly reduces the likelihood of crime. Information should be handled in the same way.
Separation of duties as it relates to information systems is not just a possible Sarbanes-Oxley issue but is a requirement for PCI compliance as well. It is therefore imperative that the organisational structure be designed such that no individual acting alone can compromise security controls. There are five primary options for achieving separation of duties in the information security space. This list is in order of acceptability based on my experience.
- Option 1: Have the individual responsible for information security report to the CSO (chief security officer), who takes care of both information security and physical security, and have the CSO report directly to the CEO.
- Option 2: Have the individual responsible for information security report to the Chairman of the Audit Committee.
- Option 3: Use a third party to monitor security, conduct surprise security audits and perform security testing, with that third party reporting to the Board of Directors or the Chairman of the Audit Committee.
- Option 4: Have the individual responsible for information security report to the Board of Directors.
- Option 5: Have the individual responsible for information security report to internal audit, as long as internal audit does not report to the executive in charge of finances, such as the CFO.
The issue of separation of duties is growing in importance. A lack of clear and concise responsibilities for the CSO and CISO has fuelled confusion.
It is imperative that there be separation between operations, development and testing of security and all controls, to reduce the risk of unauthorised activity or access to operational systems or data. Responsibilities must be assigned to individuals in such a way as to mandate checks and balances within the system and minimise the opportunity for unauthorised access and fraud.
Remember, control techniques surrounding separation of duties are subject to review by external auditors. Auditors have in the past listed this concern as a material deficiency on the audit report when they determine the risks are great enough. It is just a matter of time before this is done as it relates to IT security.
For these reasons, as well as for objectivity, why not have a discussion about separation of duties as it relates to IT security with your external auditors? Learning what they view as necessary in your particular case can save you a lot of aggravation, cost and political infighting.
Kevin G. Coleman was formerly chief strategist of Netscape. He is now a Senior Fellow and International Strategic Management Consultant with the Technolytics Institute, an executive think-tank.