Separation of duties is a means of preventing fraud or other behavior that could harm an organization by ensuring that no single individual has complete access to all of the controls that protect something of value. Just as no single staff member should handle every aspect of an organization’s finances without any controls, valuable data should be treated the same way. SANS has put together separation-of-duties guidelines for some of the most common areas to address within an internal IT department.
One area that is sometimes forgotten is separation of duties with IT vendors. Just as a builder’s work is reviewed by an inspector, IT implementations benefit from another set of eyes. As auditors who do not resell products, we often see implementations that have not been fully configured to take advantage of the product(s)’ new functionality, configurations that do not meet cybersecurity best practices or compliance requirements, and in some cases products so poorly implemented that they provide no value at all. While the reasons vary, they are not usually malicious; it often comes down to a lack of understanding on the implementer’s part. They may have been trained in the product’s functionality, but not specifically in cybersecurity or compliance standards.
Having an outside auditor periodically perform testing or assessment of your environment provides a number of benefits:
While it is convenient to source multiple goods and services from a single vendor, gaining one point of contact and leveraging your buying power, a vendor that suggests an outside firm for testing or assessment is truly looking out for your best interests.