Segregation of Duties
The following analysis is the work of the author and expresses the author’s personal interpretation of a public law. Opinions and conclusions in this analysis are those of the author and are not derived from or associated with any other person or business entity.
For the Financial Services Industry, regulated under GLBA:
Federal Statute:
Segregation of Duties is mentioned in the Code of Federal Regulations (12 CFR Part 30, Appendix B, also known as the Interagency Guidelines Establishing Information Security Standards), which are the primary regulations to which we are bound under GLBA Sec. 501b (15 USC Sec. 6801).
The Interagency Guidelines, jointly released by all the federal banking regulators including the Fed and the OCC, state the following:
“Each bank shall: Design its information security program to control the identified risks . . . Each bank must consider whether the following security measures are appropriate for the bank and, if so, adopt those measures the bank concludes are appropriate: (e.) Dual control procedures, segregation of duties, and employee background checks for employees with responsibilities for or access to customer information”
Therefore, based on management estimation of risk surrounding a lack of segregation of duties controls to protect customer confidential information, we might be held accountable for failing to enforce segregation of duties under certain circumstances.
What those circumstances are is subject to interpretation, as guided by a standard of due care espoused in external standards and reasonableness.
External Standards:
FFIEC: The FFIEC IT Examination Handbook, Information Security Booklet 2006 contains the following:
Governance: The Booklet calls for “appropriate segregation of duties between individuals or organizational groups” responsible for the governance of the information security program.
Application Access: Effective application access control can enforce both segregation of duties and dual control. (pg. 48)
Appendix A: Examination Procedures: A. Authentication & Access Controls; Access Rights Administration: Evaluate the adequacy of policies and procedures for authentication and access controls to manage effectively the risks to the financial institution. Review processes that assign rights and privileges and ensure that they take into account and provide for adequate segregation of duties.
Cobit: Cobit Application Controls (AC) 1. Source Data Preparation and Authorization: “Ensure that source documents are prepared by authorized and qualified personnel following established procedures, taking into account adequate segregation of duties regarding the origination and approval of these documents.”
ISO 27002 10.1.3 Segregation of Duties: Care should be taken that no single person can access, modify or use assets without authorization or detection. The initiation of an event should be separated from its authorization. The possibility of collusion should be considered in designing the controls.
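The ISO 27002 clause above (initiation separated from authorization, and detection when the separation is violated) is the principle that an application access-control layer of the kind the FFIEC Booklet refers to enforces as a maker-checker rule. The Python sketch below is an added illustration, not code from the original analysis or from any of the cited standards; the users, roles and change requests in it (alice, bob, carol, dana) are constructed assumptions. It shows the two checks a practitioner wants: the same person can never both initiate and approve, even when they hold both roles, and nothing executes without a recorded approval; every rejected attempt is written to an audit log so the violation is detectable, not just prevented.

```python
"""Maker-checker (dual control) enforcement for a privileged change request.

Added example for illustration only. Role assignments and request data are
constructed; a real system would load them from its identity store.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set


class SegregationOfDutiesError(Exception):
    """Raised when one person would both initiate and authorize an action."""


@dataclass
class ChangeRequest:
    request_id: str
    initiator: str                  # the maker who originated the request
    action: str
    approver: Optional[str] = None  # the checker who authorized it, if any
    executed: bool = False


@dataclass
class Workflow:
    # user -> set of roles; "maker" may initiate, "checker" may approve,
    # "operator" may execute an approved request. Constructed for the example.
    roles: Dict[str, Set[str]]
    audit_log: List[dict] = field(default_factory=list)

    def _record(self, event: str, req: ChangeRequest, actor: str, outcome: str) -> None:
        # Every attempt is logged, including rejected ones, so that a
        # segregation-of-duties violation is detectable after the fact.
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "event": event, "request": req.request_id,
            "actor": actor, "outcome": outcome,
        })

    def _require_role(self, user: str, role: str, event: str, req: ChangeRequest) -> None:
        if role not in self.roles.get(user, set()):
            self._record(event, req, user, f"rejected: missing role {role}")
            raise PermissionError(f"{user} lacks role {role}")

    def initiate(self, request_id: str, initiator: str, action: str) -> ChangeRequest:
        req = ChangeRequest(request_id, initiator, action)
        self._require_role(initiator, "maker", "initiate", req)
        self._record("initiate", req, initiator, "accepted")
        return req

    def approve(self, req: ChangeRequest, approver: str) -> ChangeRequest:
        # Separation of initiation from authorization: checked before the
        # role check so that holding both roles never permits self-approval.
        if approver == req.initiator:
            self._record("approve", req, approver, "rejected: self-approval")
            raise SegregationOfDutiesError(
                f"{approver} initiated {req.request_id} and cannot approve it")
        self._require_role(approver, "checker", "approve", req)
        req.approver = approver
        self._record("approve", req, approver, "accepted")
        return req

    def execute(self, req: ChangeRequest, executor: str) -> ChangeRequest:
        if req.approver is None:
            self._record("execute", req, executor, "rejected: not approved")
            raise PermissionError(f"{req.request_id} has no recorded approval")
        self._require_role(executor, "operator", "execute", req)
        req.executed = True
        self._record("execute", req, executor, "accepted")
        return req


def build_demo_workflow() -> Workflow:
    """Constructed role table: dana holds both maker and checker roles on
    purpose, to show that the self-approval check still applies."""
    return Workflow(roles={
        "alice": {"maker"},
        "bob": {"checker"},
        "carol": {"operator"},
        "dana": {"maker", "checker"},
    })


def violations(wf: Workflow) -> List[dict]:
    """Detection side: pull every rejected attempt out of the audit log."""
    return [e for e in wf.audit_log if e["outcome"].startswith("rejected")]


if __name__ == "__main__":
    wf = build_demo_workflow()
    req = wf.initiate("CR-0001", "dana", "raise_customer_credit_limit")
    try:
        wf.approve(req, "dana")          # same person: must fail
    except SegregationOfDutiesError as err:
        print("blocked:", err)
    wf.approve(req, "bob")               # a different checker: allowed
    wf.execute(req, "carol")
    for entry in violations(wf):
        print("audit:", entry["event"], entry["actor"], entry["outcome"])
```

The ordering inside approve matters: the self-approval test runs before the role test, so granting someone both maker and checker roles (a common real-world shortcut) cannot silently defeat the control. The collusion case ISO 27002 mentions is deliberately out of scope for a single enforcement point; it is addressed by the audit log and independent review of it, not by this function.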