Towards a framework for segregation of duties
University of Waterloo Centre for Information Systems Assurance 5th Symposium on Information Systems Assurance. Towards a Framework for Segregation of Duties. Akhilesh Chandra, The University of Akron Megan Beard, Deloitte & Touche USA LLP Toronto, Canada: October 11-13, 2007.

Presentation Transcript



  • SOD is a common element across assurance and governance frameworks:

    • control frameworks (e.g., COSO, COBIT, ERM), and

    • corporate governance frameworks (e.g., SOX)

  • The need to revisit SOD also stems from features of the current business model:

    • integrated business processes, and

    • extended, collaborative supply chains



To protect information resources, an effective SOD model should:

  • Balance security and availability needs

  • Lend to automation for:

    • Design and implementation

    • Verification and assurance

    • Quickly adapting to changes

These features should help to achieve the three goals of security and control: confidentiality, integrity, and availability.



Role based SOD
Role-based SOD provides a stable and effective means to achieve these goals.

  • Access granted to information resources based on roles performed by users

  • Controls are tied and mapped to roles

  • A cross functional team evaluates existing roles and associated tasks to accommodate changes in business processes and practices


Steps

  • Identify a set of tasks necessary to complete a business function.

  • Map tasks to the application system functionality.

  • Group tasks by business cycles.

  • Within each cycle, define roles by the necessary function and access for each information resource.


[Figure: a business function is decomposed into a sequential series of interrelated tasks, Task1 through Taskn]


[Figure: "SOD Evaluator": identify the tasks that need to be segregated, based on risk-vulnerability analysis]


[Figure: tasks Task1 through Taskn are grouped by business cycle (revenue cycle, inventory cycle, financial cycle)]


[Figure: roles are defined within each cycle; in the financial cycle, Task6 through Task9 are distributed between Role 1 and Role 2]


[Figure: illustration of the role-based SOD model for a single application: users are assigned to roles; roles are defined within business cycles (revenue, expenditure, financial, production, HR); the cycles map onto one application system (R/3)]


[Figure: illustration of the role-based SOD model for multiple applications: users are assigned to roles; roles are defined within business cycles (revenue, expenditure, financial, production, HR); the cycles map onto several application systems (Legacy, R/3, 11i)]


[Figure: the model with a role hierarchy: users are assigned to roles, roles inherit from other roles in the hierarchy, roles are defined within business cycles (revenue, expenditure, financial, production, HR), and the cycles map onto several application systems (Legacy, R/3, 11i)]


Some specific features

  • The model lends itself to automation.

  • Changes are made at the root level.

  • Hierarchical modeling of roles allows inheritance of privileges based on business rules.

  • The model is invariant to best-of-breed ERP business models.


[Table: SOD conflict matrix in which 'x' marks a segregation-of-duties conflict between two tasks; adapted from ISACA Guidelines]
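The four steps above (identify tasks, map them to application functionality, group them by cycle, define roles within each cycle), the role hierarchy with inheritance, and the 'x'-style conflict matrix can be exercised together in one small model. The Python below is an added example written for this page, not code from the authors or from the deck: the task names, the application mappings, the conflict pairs, the roles and the user assignments are all constructed for illustration and do not reproduce the ISACA matrix. The evaluator does the two checks the deck asks for from automation, design-time verification of the roles themselves and assurance over what each user effectively holds once inheritance is resolved.

```python
from dataclasses import dataclass

# Steps 1 and 3: tasks needed for the business function, grouped by business
# cycle. Constructed sample tasks, not the deck's own.
TASKS_BY_CYCLE = {
    "expenditure": {
        "maintain_vendor_master", "enter_purchase_order", "approve_purchase_order",
        "receive_goods", "enter_vendor_invoice", "approve_payment",
    },
    "revenue": {
        "maintain_customer_master", "enter_sales_order", "approve_credit",
        "post_cash_receipt",
    },
}

# Step 2: map each task to application-system functionality.
# The (system, function) labels are constructed, not real transaction codes.
TASK_TO_APP_FUNCTION = {
    "maintain_vendor_master": ("R/3", "vendor-master-maint"),
    "enter_purchase_order": ("R/3", "po-create"),
    "approve_purchase_order": ("R/3", "po-release"),
    "receive_goods": ("R/3", "goods-receipt"),
    "enter_vendor_invoice": ("R/3", "invoice-entry"),
    "approve_payment": ("R/3", "payment-run-release"),
    "maintain_customer_master": ("11i", "customer-maint"),
    "enter_sales_order": ("11i", "order-entry"),
    "approve_credit": ("11i", "credit-release"),
    "post_cash_receipt": ("11i", "cash-receipt"),
}

# The 'x' cells of a conflict matrix: task pairs one person must not hold
# together. Constructed illustration in the spirit of the ISACA-style matrix.
SOD_CONFLICTS = {
    frozenset({"maintain_vendor_master", "approve_payment"}),
    frozenset({"enter_vendor_invoice", "approve_payment"}),
    frozenset({"enter_purchase_order", "approve_purchase_order"}),
    frozenset({"enter_sales_order", "approve_credit"}),
    frozenset({"maintain_customer_master", "post_cash_receipt"}),
}


@dataclass
class Role:
    """Step 4: a role lives in one cycle and grants a set of tasks.
    `parents` are the roles it inherits tasks from (role hierarchy)."""
    name: str
    cycle: str
    tasks: frozenset
    parents: frozenset = frozenset()


def effective_tasks(role_name, roles, seen=None):
    """Tasks granted directly plus everything inherited through the hierarchy."""
    seen = set() if seen is None else seen
    if role_name in seen:  # guard against a cycle in the hierarchy
        return frozenset()
    seen.add(role_name)
    role = roles[role_name]
    tasks = set(role.tasks)
    for parent in role.parents:
        tasks |= effective_tasks(parent, roles, seen)
    return frozenset(tasks)


def conflicts_in(task_set):
    """Conflict pairs fully contained in task_set, as sorted tuples."""
    return sorted(tuple(sorted(pair)) for pair in SOD_CONFLICTS if pair <= task_set)


def check_role_design(roles):
    """Design-time verification: every task is mapped to an application function,
    every role stays inside its cycle, and no role conflicts with itself once
    inherited tasks are counted. Returns a list of finding strings."""
    findings = []
    for name, role in roles.items():
        for task in role.tasks:
            if task not in TASK_TO_APP_FUNCTION:
                findings.append(f"{name}: task {task} has no application mapping")
            if task not in TASKS_BY_CYCLE.get(role.cycle, set()):
                findings.append(f"{name}: task {task} is outside cycle {role.cycle}")
        for a, b in conflicts_in(effective_tasks(name, roles)):
            findings.append(f"{name}: role itself holds conflicting tasks {a}/{b}")
    return findings


def check_user(user, assignments, roles):
    """Assurance check for one user: union of effective tasks over all assigned
    roles, then the conflict pairs that union contains."""
    tasks = set()
    for role_name in assignments.get(user, ()):
        tasks |= effective_tasks(role_name, roles)
    return conflicts_in(frozenset(tasks))


# Constructed sample roles and user assignments.
ROLES = {r.name: r for r in [
    Role("purchasing_clerk", "expenditure", frozenset({"enter_purchase_order"})),
    Role("purchasing_manager", "expenditure", frozenset({"approve_purchase_order"})),
    Role("ap_clerk", "expenditure", frozenset({"receive_goods", "enter_vendor_invoice"})),
    # Inherits from ap_clerk: a design defect, because approve_payment then
    # sits beside the inherited enter_vendor_invoice.
    Role("ap_manager", "expenditure", frozenset({"approve_payment"}), frozenset({"ap_clerk"})),
    Role("vendor_admin", "expenditure", frozenset({"maintain_vendor_master"})),
    Role("order_entry", "revenue", frozenset({"enter_sales_order"})),
]}
ASSIGNMENTS = {
    "alice": ["purchasing_clerk", "vendor_admin"],      # clean combination
    "bob": ["purchasing_clerk", "purchasing_manager"],  # conflict across two roles
    "carol": ["ap_manager"],                            # conflict via inheritance
}

if __name__ == "__main__":
    for finding in check_role_design(ROLES):
        print("ROLE DESIGN:", finding)
    for user in ASSIGNMENTS:
        print(user, check_user(user, ASSIGNMENTS, ROLES))
```

Running it reports the `ap_manager` design finding and the conflicts for `bob` (two separately clean roles combined on one user) and `carol` (a single role that is dirty only through inheritance), while `alice` is clean. The design point is that both checks run over effective tasks, not directly assigned ones; that is what makes a change at the root of the hierarchy safe to automate, because any conflict it introduces further down is surfaced by the same evaluator.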


Few examples

Expenditure cycle

Related accounts: Operating Expense, Payables, Accrued Expense, Prepaid Expense

Revenue cycle

Related accounts: Sales, Receivables, Allowance for Doubtful Accounts

Fixed assets

Related accounts: Property, Depreciation Expense


A primary challenge

  • A primary challenge is the time-intensive nature of implementing role-based access controls.

  • But this is an investment in preventive controls, which is more cost effective than the alternatives (corrective or detective controls).


Comparison with alternative models

  • Discretionary controls

    • Access on a need-to-know basis

    • Users can potentially transfer their privileges to others

    • Risk is heightened when users have the ability to set their own access privileges


  • Mandatory controls

    • Access based on a distinct level of authorization

    • Control problems in securing data with a lower-level classification

    • As security clearance broadens, users begin to gain access that may not correspond to their responsibilities


  • Role-based controls

    • A role is a generic concept

    • More stable

    • Relatively invariant to frequent changes in business or systems


Implications

  • Reduced cost of regulatory compliance (e.g., section 404 of SOX)

    • Especially for SMEs, which are relatively more burdened

  • Reduced cost of audit

  • Increased operational efficiency

  • Continuous monitoring (e.g., section 409 of SOX)

