702 Chapter 16 ■ Managing Security Operations
properly segregated, no single employee will have the ability to commit fraud or make a mistake and have the ability to cover it up. It’s similar to separation of duties in that duties are separated, and it’s also similar to a principle of least privilege in that privileges are limited.
A segregation of duties policy is highly relevant for any company that must abide by the Sarbanes–Oxley Act (SOX) of 2002 because SOX specifically requires it. However, it is also possible to apply segregation of duties policies in any IT environment.
SOX applies to all public companies that have registered equity or debt securities with the Securities and Exchange Commission (SEC). The United States (U.S.) government passed it in response to several high-profile financial scandals that resulted in the loss of billions of shareholder dollars.
One of the most common implementations of segregation of duties policies is ensuring that security duties are separate from other duties within an organization. In other words, personnel responsible for auditing, monitoring, and reviewing security do not have other operational duties related to what they are auditing, monitoring, and reviewing. Whenever security duties are combined with other operational duties, individuals can use their security privileges to cover up activities related to their operational duties.
Figure 16.1 is a basic segregation of duties control matrix comparing different roles and tasks within an organization. The areas marked with an X indicate potential conflicts to avoid. For example, consider an application programmer and a security administrator. The programmer can make unauthorized modifications to an application, but auditing or reviews by a security administrator would detect the unauthorized modifications. However, if a single person had the duties (and the privileges) of both jobs, this person could modify the application and then cover up the modifications to prevent detection.
Figure 16.1 A segregation of duties control matrix

[Figure: a matrix of Roles/Tasks against Potential Areas of Conflict. The same nine roles and tasks appear on both axes: Application Programmer, Security Administrator, Database Administrator, Database Server Administrator, Budget Analyst, Accounts Receivable, Accounts Payable, Deploy Patches, Verify Patches. Cells marked X indicate a pairing that should not be held by one person; the cell markings themselves are not recoverable from this copy.]
The roles and tasks within a segregation of duties control matrix are not standards used by all organizations. Instead, an organization tailors it to fit the roles and responsibilities used within the organization. A matrix such as the one shown in Figure 16.1 provides a guide to help identify potential conflicts.
Ideally, personnel will never be assigned to two roles with a conflict of interest. However, if extenuating circumstances require doing so, it’s possible to implement compensating controls to mitigate the risks.
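The matrix check described above can be automated so that role assignments are tested against the organization's own conflict matrix and any approved compensating control is recorded alongside the finding. This is an added example, not code from the book; the conflict pairs, user names and exception are constructed for illustration and are not a transcription of Figure 16.1.

```python
from itertools import combinations

# Constructed SoD conflict matrix for this example, not a transcription of
# Figure 16.1; frozensets make the order of the two roles irrelevant.
SOD_CONFLICTS = {
    frozenset({"Application Programmer", "Security Administrator"}),
    frozenset({"Application Programmer", "Deploy Patches"}),
    frozenset({"Deploy Patches", "Verify Patches"}),
    frozenset({"Accounts Payable", "Accounts Receivable"}),
    frozenset({"Database Administrator", "Security Administrator"}),
}

def find_conflicts(assignments, conflicts=SOD_CONFLICTS):
    """Return {user: sorted (role_a, role_b) pairs} for each user whose
    combined roles include a pair listed in the conflict matrix."""
    findings = {}
    for user, roles in assignments.items():
        hits = [tuple(sorted(p)) for p in combinations(set(roles), 2)
                if frozenset(p) in conflicts]
        if hits:
            findings[user] = sorted(hits)
    return findings

def review(assignments, exceptions=None, conflicts=SOD_CONFLICTS):
    """Label each conflict 'violation', or 'compensated' when `exceptions`
    maps (user, role_a, role_b) to an approved compensating control."""
    exceptions = exceptions or {}
    report = []
    for user, pairs in find_conflicts(assignments, conflicts).items():
        for a, b in pairs:
            control = exceptions.get((user, a, b))
            status = "compensated" if control else "violation"
            report.append((user, a, b, status, control))
    return report

# Constructed sample assignments and one approved exception (not real data).
SAMPLE_ASSIGNMENTS = {
    "alice": ["Application Programmer", "Security Administrator"],
    "bob": ["Database Server Administrator", "Deploy Patches", "Verify Patches"],
    "carol": ["Budget Analyst", "Accounts Receivable"],
}
SAMPLE_EXCEPTIONS = {
    ("bob", "Deploy Patches", "Verify Patches"): "independent weekly review of patch logs",
}

if __name__ == "__main__":
    for row in review(SAMPLE_ASSIGNMENTS, SAMPLE_EXCEPTIONS):
        print(row)
```

Running the check against an export of actual role assignments turns the matrix from a one-time design aid into a recurring audit control, and the exception table documents which pairings are tolerated only because a compensating control exists.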