Segregation Of Duties (sod) And Data Security

By Author: Appsian
Total Articles: 115
Comment this article

In financial accounting systems, the Segregation of Duties is already well-known. Companies of all sizes are mindful that functions such as collecting checks and approving write-offs, depositing cash and reconciling bank statements, approving timesheets, custody of paychecks, and so on are not combined.
When regulations such as Sarbanes-Oxley (SOX) were implemented, the definition of Segregation of Duties (SoD) became more applicable to the IT organizations. For example, a very high percentage of SOX internal control problems arise from or depend on IT. This forced IT firms to emphasize the Segregation of Duties, especially security, across all IT functions.
Defining Segregation of Duties
There are two fundamental purposes for the Segregation of Duties as it relates to security. The first is the avoidance of conflicts of interest, wrongful deeds, fraudulent acts, and errors. The second is to recognize control deficiencies that involve breaches of confidentiality, theft of information, and circumvention of security controls. Right Segregation of Duties is intended to ensure that people do not have overlapping ...
... responsibilities under any circumstances.
For example, the person responsible for developing and enforcing security must not be the same person responsible for checking security, performing security audits, or tracking and security reporting. The information security in-charge should also not report to the CIO. The explanation for this is that the CIO has a vested interest in believing that there are no cybersecurity problems with the rest of the workers. Anything that the tester discovers has the ability to be swept under the rug and not dealt with as easily as it should be. The best practice in the industry is that a member of your company should not be the person checking your cybersecurity. They need to be a neutral and unbiased third party.
Here are a few ways to achieve the correct Segregation of Duties:
Have the person in charge of the information security report to the audit committee chairman.
Use a third party to track security and perform surprise security audits.
Have the CISO accountable to the Board of Directors for the information security report.
Segregation of Duties: The Significance
There must be a distinction between operations, implementation, and testing of security and all controls to minimize the possibility of unauthorized activity or access to operating systems or data. Responsibilities must be delegated to individuals in such a way that safeguards and balances within the system are mandated, and the chance for unauthorized access and fraud is reduced.
Conclusion
Control methods related to the Segregation of Duties are subject to scrutiny by external auditors. Inadequate Segregation of Duties is cited by auditors as a material deficiency when they conclude that the risks are too high. Before this is completed, it is just a matter of time as it relates to data security. Proper Segregation of Duties, when implemented, result in distinct responsibilities for employees and ensure adequate data security for organizations. They also help enterprises meet mandatory obligation liabilities imposed by data privacy regulation.

Appsian One of the leading ERP data security,compliance,implementation solutions provider that gives organizations to complete control and visibility over their ERP data.