Security Basics mailing list archives
RE: Segregation of duties trivia
From: "David Gillett" <gillettdavid () fhda edu>
Date: Tue, 14 Nov 2006 13:00:35 -0800
I'd recommend against giving these other roles the access to live data (DBA) or security configurations (Sec Admin) that go with these restricted roles.

David Gillett, CISSP
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Faheem SIDDIQUI
Sent: Sunday, November 12, 2006 7:04 PM
To: security-basics () securityfocus com
Subject: Segregation of duties trivia

Hi All...

I am preparing a 'Segregation of Duties' Matrix within my IS function (Is there a better way to hit at the non-compliance point of 'lack of segregation of duties within the organisation', by external auditors?)

I found a very basic chart at ISACA website:
http://www.isaca.org/Content/ContentGroups/Certification3/CRM_Segregation_of_Duties.pdf

According to this chart, some of the things in the Control Matrix are obvious but some aren't so. For example: The chart suggests that a DB Admin cannot be an Application Programmer, neither can he be a Sys Admin or Network Admin. Why? Or a security administrator can be a Help Desk support personnel but cannot be a Systems Analyst or a Systems/Application programmer.

I was wondering, what's the potential control weakness in these two points?

What's the best way of documenting this 'Segregation of Duties' procedure for satisfying External Auditors?

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.
http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
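As an added example (not code from the post or from the ISACA chart): a small Python checker that encodes only the incompatible role pairs the post quotes from the chart, treats every other pair as compatible (an assumption made here for illustration; the real chart has more entries), and reports users who hold conflicting roles. Keeping the documented matrix and the enforcement check in one artefact is one way to answer an auditor's "show me" for segregation of duties.

```python
"""Segregation-of-duties (SoD) conflict checker (added example).

Only the conflict pairs the post quotes from the ISACA chart are encoded;
every other role pair is assumed compatible, which is a simplification.
"Systems/Application programmer" is folded into "Application Programmer".
"""
from itertools import combinations

# Role pairs the post says the chart marks as incompatible.
CONFLICTS = {
    frozenset({"DB Admin", "Application Programmer"}),
    frozenset({"DB Admin", "Sys Admin"}),
    frozenset({"DB Admin", "Network Admin"}),
    frozenset({"Security Admin", "Systems Analyst"}),
    frozenset({"Security Admin", "Application Programmer"}),
}


def conflicts_for(role_a, role_b, conflicts=CONFLICTS):
    """True if one person may not hold both roles. The frozenset key makes
    the matrix symmetric by construction (A/B and B/A cannot disagree)."""
    return frozenset({role_a, role_b}) in conflicts


def find_violations(assignments, conflicts=CONFLICTS):
    """assignments: {user: set of roles}. Returns a sorted list of
    (user, role_a, role_b) for every incompatible pair a user holds."""
    hits = []
    for user, roles in assignments.items():
        for a, b in combinations(sorted(roles), 2):
            if conflicts_for(a, b, conflicts):
                hits.append((user, a, b))
    return sorted(hits)


def matrix_rows(roles, conflicts=CONFLICTS):
    """Render the matrix as rows: 'X' = incompatible, '-' = compatible,
    '' on the diagonal. Same data the checker enforces, for the audit file."""
    roles = sorted(roles)
    rows = [[""] + roles]
    for a in roles:
        cells = ["" if a == b else ("X" if conflicts_for(a, b, conflicts) else "-")
                 for b in roles]
        rows.append([a] + cells)
    return rows


# Constructed sample assignments (fictional users).
SAMPLE = {
    "alice": {"DB Admin", "Application Programmer"},  # conflict per the chart
    "bob": {"Security Admin", "Help Desk"},           # allowed per the chart
    "carol": {"Sys Admin", "Network Admin"},          # no conflict encoded here
}

if __name__ == "__main__":
    for user, a, b in find_violations(SAMPLE):
        print(f"{user}: '{a}' and '{b}' may not be held together")
```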
