Separation of duties is a means to prevent fraud or other behavior that could harm an organization by preventing any one individual from having complete access to all of the controls that protect something of value. Just as no single staff member should handle all aspects of an organization’s finances without any controls, it is important to look at valuable data in the same way. SANS put together separation of duties guidelines for some of the most common areas to address within an internal IT department.
One area that is sometimes forgotten is separation of duties with IT vendors. Just as a builder’s work is reviewed by an inspector, IT implementations can benefit from another set of eyes. As auditors who do not resell products, we often see implementations that have not been completely configured to take advantage of all of the new functionality of the product(s), configurations that don’t meet cybersecurity best practices or compliance requirements, and in some cases even products so poorly implemented that they are not providing any value at all. While the reasons vary, they are not usually malicious. It often comes down to a lack of understanding on the part of the implementer: they may have been trained in the product’s functionality, but not specifically in cybersecurity or compliance standards.
Having an outside auditor periodically perform testing or assessment of your environment provides a number of benefits:
- A second set of eyes on configurations ensures that solutions are optimized
- Trained cybersecurity and compliance resources can confirm that best practices and compliance requirements are being met
- Internal staff can often benefit from the knowledge gained by outside assessments, and apply the practices to other areas within the network
- Having one entity assess and another recommend solutions for remediation avoids the risk of an unethical vendor overselling solutions that you may not truly need
While it’s convenient to source multiple goods and services from a single vendor to have one point of contact and leverage your buying power, a vendor that suggests an outside firm for testing or assessment is truly looking out for your best interest.