This is a subject that has come up a number of times lately and I think it needs to be addressed as there is apparently a lot of confusion about segregation of duties.
Let us first define segregation of duties. When duties are properly segregated, no one individual is able to complete a task without the assistance of one or more other individuals. Segregation of duties grew out of finance and accounting, where it is important to have several individuals involved in a transaction to minimize the likelihood of fraud. This is the first important lesson of segregation of duties: it does not eliminate the possibility of fraud, it only reduces it. If a group of individuals decides to work together to commit fraud, segregation of duties will not stop them. However, the group has to collude, and that is where the deterrent factor comes in, because a fraud involving several people is much more difficult to hide.
What people complain about most when I talk to them about segregation of duties is that they will have to increase headcount. In today’s tight economy, increasing headcount is typically not an option, and even in good times it is not always desirable. While there are situations where headcount does have to increase to achieve proper segregation of duties, in 90%+ of the cases I have been involved with that is simply not true. In fact, in a number of cases, headcount was actually reduced.
As I stated in the definition, segregation of duties means structuring processes that involve people so that no one individual can complete the task alone. In the PCI compliance realm, there are a number of areas that require segregation of duties, the majority of which relate to change control. Change control needs segregation of duties for two related reasons: to minimize human error, and to ensure that no single person can put an unreviewed or unauthorized change into production. The idea is that the more people who review a change before it reaches production, the less likely it is that an error (or a deliberate bad change) slips through, and therefore security is maintained.
So, in a change control environment with proper segregation of duties you have the following simplified process.
- Person ‘A’ makes a change to something (program, device, etc.) based on the requirements specified in Change Request ‘1’.
- Person ‘A’ conducts unit testing of the change to make sure that the change is operating as expected.
- Person ‘B’ reviews the change and conducts integrated testing of the change to make sure that the change is operating as expected with the complete system. Typically this testing is in an environment that replicates production. If testing is not successful, ‘B’ documents the failure and sends the request back to ‘A’ for further work and testing.
- If testing is successful, Person ‘B’ meets with Manager ‘C’ and presents the results of testing. ‘C’ verifies that the tested change is what was documented in Change Request ‘1’; if it is, ‘C’ approves the change to go into production and an implementation schedule is agreed. If ‘C’ believes that the change is not what was documented in Change Request ‘1’, ‘C’ rejects the proposed change and sends the request back to ‘A’ for further work.
- If approved, Person ‘B’, not ‘A’, moves the change from test to production.
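To make the separation concrete, here is an added example (not from the original post) of the five-step process above modeled as a small Python workflow that refuses any step in which one person would hold two roles the process keeps apart: the initiator cannot test or promote their own change, the approver must be a manager who neither built nor tested it, and a returned request goes back to its original initiator. The role directory and the names alice, bob and carol are constructed for the example; a real implementation would take them from the ticketing tool or identity provider.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Role(Enum):
    STAFF = "staff"
    MANAGER = "manager"


class State(Enum):
    OPEN = "open"                # waiting for the initiator to build and unit-test
    IMPLEMENTED = "implemented"  # built and unit-tested by the initiator (A)
    TESTED = "tested"            # integration-tested by a second person (B)
    APPROVED = "approved"        # approved for production by a manager (C)
    DEPLOYED = "deployed"        # promoted to production by the tester (B)
    RETURNED = "returned"        # sent back to the initiator with a documented reason


class SoDViolation(Exception):
    """Raised when one person tries to hold two roles the process keeps apart."""


# Constructed role directory for the example; not a real organization.
ROLES = {"alice": Role.STAFF, "bob": Role.STAFF, "carol": Role.MANAGER}


@dataclass
class ChangeRequest:
    cr_id: str
    state: State = State.OPEN
    implementer: Optional[str] = None
    tester: Optional[str] = None
    approver: Optional[str] = None
    deployer: Optional[str] = None
    history: list = field(default_factory=list)  # audit trail: (who, action, state, note)

    def log(self, who, action, note=""):
        self.history.append((who, action, self.state.value, note))


def _require(condition, message):
    if not condition:
        raise SoDViolation(message)


def implement_and_unit_test(cr, who):
    """Steps 1 and 2: Person A builds the change and unit-tests it."""
    _require(cr.state in (State.OPEN, State.RETURNED), f"{cr.cr_id}: not open for work")
    # A returned request belongs to the original initiator, not to whoever picks it up.
    _require(cr.implementer in (None, who), f"{cr.cr_id}: returned work belongs to {cr.implementer}")
    cr.implementer = who
    cr.state = State.IMPLEMENTED
    cr.log(who, "implement+unit-test")


def integration_test(cr, who, passed, failure_note=""):
    """Step 3: Person B reviews and integration-tests in a production-like environment."""
    _require(cr.state == State.IMPLEMENTED, f"{cr.cr_id}: nothing to test")
    _require(who != cr.implementer, f"{cr.cr_id}: {who} may not test their own change")
    cr.tester = who
    cr.state = State.TESTED if passed else State.RETURNED
    cr.log(who, "integration-test passed" if passed else "integration-test failed", failure_note)


def approve(cr, who, matches_request):
    """Step 4: Manager C checks the tested change against the request and approves or rejects."""
    _require(cr.state == State.TESTED, f"{cr.cr_id}: not ready for approval")
    _require(ROLES.get(who) is Role.MANAGER, f"{cr.cr_id}: {who} is not an approver")
    _require(who not in (cr.implementer, cr.tester),
             f"{cr.cr_id}: approver must not have built or tested the change")
    cr.approver = who
    cr.state = State.APPROVED if matches_request else State.RETURNED
    cr.log(who, "approved" if matches_request else "rejected",
           "" if matches_request else "change does not match the request")


def deploy(cr, who):
    """Step 5: Person B, never A, moves the approved change into production."""
    _require(cr.state == State.APPROVED, f"{cr.cr_id}: not approved")
    _require(who != cr.implementer, f"{cr.cr_id}: implementer may not promote their own change")
    _require(who == cr.tester, f"{cr.cr_id}: in this process the tester does the promotion")
    cr.deployer = who
    cr.state = State.DEPLOYED
    cr.log(who, "deployed")


def participants(cr):
    """Distinct people who touched the change; this process never yields fewer than three."""
    return {p for p in (cr.implementer, cr.tester, cr.approver, cr.deployer) if p}


def violates(action, *args, **kwargs):
    """True if the action is refused as a segregation-of-duties violation."""
    try:
        action(*args, **kwargs)
    except SoDViolation:
        return True
    return False


def run_example():
    """The post's process, including one round trip back to A after a failed test."""
    cr = ChangeRequest("CR-1")
    implement_and_unit_test(cr, "alice")
    integration_test(cr, "bob", passed=False, failure_note="batch job regression")
    implement_and_unit_test(cr, "alice")  # A fixes and re-tests
    integration_test(cr, "bob", passed=True)
    approve(cr, "carol", matches_request=True)
    deploy(cr, "bob")
    return cr


if __name__ == "__main__":
    cr = run_example()
    print(cr.state.value, sorted(participants(cr)))
```

Each refused step raises instead of silently proceeding, and the history list gives the auditor the who/what/when trail that a PCI assessor will ask for. Note that the rules are keyed to the individual change request, so alice and bob can swap the initiator and tester roles on the next request without weakening the control.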
As you can see in my simple example, only three people are involved in the change process: two staff and a manager. The two staff can swap the change initiator and change tester roles from one request to the next, but the manager is always the approver, and the person who wrote a given change never tests or promotes it. In larger organizations there may be more steps and more people involved in each step, but the idea is the same: minimize the potential of introducing human error into the process. The more people who review the change and the results, the less likely it is that an error goes unnoticed.
Does human error still occur? You bet, all of the time. Why?
- Because the people involved are human and errors occur.
- People lack the experience to perform their role in the process.
- People get lax in their role in the process.
- The process is not followed to the letter.
- Testing plans and testing as a whole are skipped or short cut.
In today’s hurry-up environment, people expedite processes by skipping steps in the belief that it does not affect the outcome. Change control is not as critical as flying a plane, but the commercial aviation industry has proven over the last 70 years that rigorously followed procedures have a major impact on minimizing human error.
If people are left in the same role for too long, job stagnation can become a serious problem. It can be addressed simply by rotating people’s responsibilities. Such an approach not only keeps people fresh, but also cross-trains them for other tasks. A lot of organizations I work with rotate their quality assurance people back into roles as change initiators or as production operations personnel to keep them fresh. The rotation has to respect the individual change request, though: whoever initiated a given change cannot also be its tester or approver, however the roles are swapped between requests.
Hopefully I have shown that it does not take a mass of people to maintain segregation of duties. It just requires a creative approach to arranging the people you already have so that no one person carries the entire load, or all of the responsibility, for any single change.